How to use a Notary client to access IBM Cloud notary server - ibm-cloud

I got the following error when trying to use a Notary client to get the digest of a signed image in my IBM Container Registry. Can anyone advise how to solve it?
# notary -s https://us.icr.io:4443 lookup us.icr.io/securek8s/hello-world latest
* fatal: unauthorized: The login credentials are not valid, or your IBM Cloud account is not active.
BTW, I built the Notary client from https://github.com/theupdateframework/notary

Notary uses your credentials from your Docker login cache. The error message that you received suggests that your login to us.icr.io isn't valid. This usually means that your credentials have expired.
If you have the ibmcloud CLI and the container-registry plugin installed, you can refresh your login by making sure that you're targeting the US South registry (ibmcloud cr region-set us.icr.io) and then logging in with ibmcloud cr login.
If you don't have the CLI plugin installed, you can log in using Docker commands directly. For more information, see Automating access to IBM Cloud Container Registry in the IBM Cloud docs.

Related

Will gcloud use my SSH key to log in, or will I always need to log in via the web?

I am trying to perform a very basic command like:
gcloud compute machine-types list
And I get this error:
ERROR: (gcloud.compute.machine-types.list) There was a problem
refreshing your current auth tokens: invalid_grant: Bad Request Please
run:
It tells me to login using 'gcloud auth login' which opens up the browser.
Is it possible to use an SSH key to skip this authentication process, or do I have to do this always? Are SSH keys for accessing compute instances only?
Just trying to understand what SSH keys are used for and how this web based authorization fits into the picture here.
Generally, you authenticate to gcloud (and GCP services) using credentials from a Google (often Gmail) account. Such accounts use 3-legged (O)Auth and this requires the browser prompt for the human to confirm the scopes etc.
If you haven't, you should confirm the prompt, copy the token provided and paste that back into gcloud so that auth will occur transparently.
This process is different than SSH'ing to Compute Engine instances.
When you run gcloud compute machine-types list, you're authenticating (and being authorized) by Google Cloud Platform to invoke (meta)services.
When you run gcloud compute ssh ..., the command uses ssh to connect you to the (Linux) instance.
NOTE gcloud auth login --no-launch-browser is available too (link). This requires you to separately launch a browser and complete the process but it doesn't launch the browser directly from the command.
If you are trying to automate some sort of service, that runs cloud commands on-demand, without operator/browser involved - your best bet would be to create a Service Account for that task, get the key for that account and activate it, using
gcloud auth activate-service-account --key-file=my-service-account-key-file.json
If this service runs on Google Cloud platform - you don't even need to deal with the key. Just associate the service account with an instance you are running.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances

IBM Cloud API Connect Secure Gateway

Recently, I started seeing an issue when trying to set up Secure Gateway within API Connect on IBM Cloud. I previously had it working, but it looks like they changed this wizard interface and it's broken since then.
Here is what I did to recreate the issue:
Set up a new APIC instance on IBM Cloud
API Connect Manager UI > Admin > Secure Gateways > Add (name & save)
Once created, in the Secure Gateway Clients section, click on +Set Up
I see no ID or Token generated
no matter what type of client I choose (DataPower, Docker or Installer)
Anyone facing the same issue?
Empty ID and Token when trying to setup Secure Gateway Client
It turned out that creating a SecureGateway from within APIC is a deprecated feature anyway.
You will need to create a standalone SecureGateway resource on Bluemix and call it from your API assembly.
Here are the instructions:
https://www.ibm.com/support/knowledgecenter/en/SSFS6T/com.ibm.apic.apionprem.doc/task_api_secure_gateway.html

Tomcat / Geoserver returns 403 access denied after multiple REST API calls

I'm running Geoserver 2.11.2 on Java 1.8.0_144 32 bits on Amazon Linux together with Tomcat 9 and ran into the following problem:
I use the Geoserver REST API to automatically create user accounts. To create 450+ accounts I wrote a loop to generate the accounts. This went flawlessly till about account 137. After that I got an access denied:
HTTP 403 status Forbidden
Access is denied
The server understood the request but refuses to authorize it.
Apache Tomcat/9.01
Also when I log into the web interface using the admin account I cannot access anything. The data is however still served. This leads me to believe it is some kind of protection from Geoserver and/or Tomcat against DDoS or brute force attacks. I do not have another account with admin rights.
How do I re-enable access to the Geoserver? I already tried restarting the task of the AWS EC2 instance, but no luck. Do I need to reconfigure Tomcat?

Powershell for Google Cloud: Authenticate with a service account

I'm trying to build an automatic sync solution that uses a Google Cloud storage bucket for storing data.
When I install the cloud SDK it asks for my authentication, but obviously I don't want to use my credentials on the client's server, it should be done with a service account with specific permissions, right?
The documentation just says to authenticate with your credentials. What is the security best practice here?
Found it, it's this simple command:
gcloud auth activate-service-account --key-file=credentials.json
And it works! I can upload stuff with PowerShell
The doc is here
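
A pre-flight check for the key file passed to gcloud auth activate-service-account in the answer above and in the earlier gcloud answer, as an added example that is not part of the original posts. It rejects a file that is not a service-account key or that other local users can read; the function names and the mode-600 policy are this example's assumptions.

```python
import json
import os
import stat

# Fields found in a service-account key file downloaded from Google Cloud.
REQUIRED_FIELDS = ("type", "client_email", "private_key_id", "private_key")


def check_key_file(path):
    """Return a list of problems found with a service-account key file."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat key file: {exc.strerror}"]
    # POSIX only: the key is a long-lived secret, so no group/other access.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:o} exposes the key to other users; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    # A user-credential file (type "authorized_user") is not a service-account key.
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    return problems


def activation_command(path):
    """Build the argv for the gcloud command quoted above; refuse a bad key file."""
    problems = check_key_file(path)
    if problems:
        raise ValueError("; ".join(problems))
    return ["gcloud", "auth", "activate-service-account", f"--key-file={path}"]


if __name__ == "__main__":
    import sys
    print(" ".join(activation_command(sys.argv[1])))
```

The returned list can be handed to subprocess.run once the check passes; the mode check is skipped on non-POSIX hosts, where file ACLs have to be reviewed separately.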

How to use the google sdk to authenticate within a VM?

I'm working in a Debian 8 Vagrant box and trying to connect to gcloud, but I'm unable to authenticate through a web app because there is none. Anyone know how to get authentication?
You could use gcloud CLI tool (here). Install it, run gcloud auth login and it will display a link you can open on a different machine to authenticate and paste back a secret to the machine where you ran the command to get authentication there.