I have following Kubernetes REST API request
GET https://theserver/api/v1/pods?includeUninitialized=true
and included following HTTP Headers in the request:
Authorization: Basic ***************
Accept: application/json, */*
User-Agent: kubectl.exe/v1.13.0 (windows/amd64) kubernetes/ddf47ac
Result is the following error
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
I already tried the following:
Analog kubectl request "kubectl describe pods --all-namespaces" works fine (but I need REST)
Used "--v=12" parameter as in newkind101's comment to Kubernetes REST API to see the underlying REST API calls - looks same as mine
Read Kubernetes Documentation - but I failed to find detail information which HTTP headers or/and HTTP body values to send to authenticate properly (few thing I could retrieve from curl sample calls in that docs)
I read Access Kubernetes API using REST APIs but want to understand my issue before I use a framework like GoDaddy
kubectl seems to do a bit more than I can see with the "--v=12" parameter. This bit is likely connected to things in ".kube/config" file. Still I don't know what exactly and where to put in my HTTP request.
As far as I remember Basic authentication method is disabled by default and needs to be enabled by adding --basic-auth-file flag to the API server configuration, therefore all requests to REST API are identified as anonymous user and might be resulted in 401 Unauthorized error.
Related
I have an API Gateway fronted by CloudFront. The API Gateway has a regional endpoint with api key disabled. An Authorization header must be sent to the regional endpoint or the endpoint returns "Missing Authentication Token" as expected.
Using the same request on the CloudFront endpoint returns the following 403 Forbidden error:
{
"message": "The request signature we calculated does not match the signature you
provided. Check your AWS Secret Access Key and signing method. Consult the service
documentation for details.\n\nThe Canonical String for this request should have been\n'POST
// sensitive data here...
}
The Auth token is created from an AWS signature. The signature originates from an IAM role that allows invocation on the endpoint: "Action": "execute-api:Invoke"
Any ideas on why CloudFront isn't able to use these credentials to hit the API Gateway endpoint?
In summary,
"Postman w/ Authorization header -> API Gateway endpoint" works.
"Postman w/ Authorization header -> CloudFront -> API Gateway endpoint" returns the above 403.
UPDATE: Adding information on how I obtain the signature.
IAM Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:{ACCOUNT}:{ENDPOINT}",
"Effect": "Allow"
}
]
}
AccessKey, SecretKey, Session Token are obtained in CloudShell:
$ aws sts assume-role --role-arn arn:aws:iam::{ACCOUNT}:{ROLE} --role-session-name {SESSION_NAME}
These 3 keys are then used in Postman's Authorization tab. I select "AWS Signature" type and provide the AccessKey, SecretKey, and SessionToken.
From here, I can hit the API Gateway endpoint and receive 200 response. With the same request and headers, hitting the CloudFront endpoint results in the 403.
UPDATE #2: Adding information on CloudFront configuration.
The distribution behavior for the API GW origin is using the CachingOptimized policy. Its also allowing all HTTP methods.
Trying to retrieve details of the kubernetes cluster like namespaces and pod details using kubernetes API
following doc
API:
<publicServiceEndpointURL>/api/v1/namespaces
Headers:
Authorization: bearer <id_token>
<id_token> - An IAM token generated.
will get an certificate error on postman with SSL certificate enabled else throwing 403 Forbidden error
Error: unable to verify the first certificate
Result with disabling SSL certificate verification.
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "namespaces is forbidden: User \"system:anonymous\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "namespaces"
},
"code": 403
}
Tried with curl and will result in same error
curl -k <publicServiceEndpointURL>/api/v1/namespaces -H "Authorization: Bearer <token>"
Error on chrome with API call
net::ERR_CERT_AUTHORITY_INVALID
How will i able to access this API?
Do you have the right permissions to list namespaces in the cluster? If you log in as the same user via the CLI, for example, can you run kubectl get namespaces? It looks like a permissions error. The user would need IBM Cloud IAM Reader service role (which gives you RBAC view role) for all namespaces in the cluster.
I am simply trying to cURL the google api rest resource:
curl -X GET https://www.googleapis.com/youtube/v3/search?part=snippet&channelId=Miniac&maxResults=1&order=date&type=video&key={API_KEY}
the error I'm seeing is:
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use
This is usually an issue because the youtube API isn't enabled on the project where your API key lives, but in my case it is. What else am I missing?
I just needed to put quotations around the URL.
It seems an HTTP response of 403 is accepted as the norm and correct handling of any calls made to a resource or endpoint that does not exist on an API Gateway setup (this post).
Example: a call to a non-existing endpoint on my Gateway would be;
GET -- https://{{MyGatewayDomain}}/api/v1/blah
This would return a 403 forbidden. Which can be rather confusing and misleading.
I'd like to know if anyone has managed to configure their API Gateway so that any call to a non-existing endpoint / resource, returns what I would have thought is a correct response of a 404?
Thanks in advance.
EDIT
As per bejos-aws's suggestion, I am able to override the default behaviour of the 403 Missing Authentication Token however, this will not solve my issue as then all the valid 403 errors would return a 404 response which is incorrect.
Also, my issue is regarding a 403 forbidden which doesn't exist in the default responses in the AWS Gateway Response's list (and even if it did, that wouldn't help).
Seems this is just not possible?
This is not currently a feature of API Gateway. However, there is a workaround. Using Gateway Responses, you can override the 403 Missing Authentication Token response with a 404 and supply whatever message you want as a response.
Note, this only works when the API stage is valid:
So if your API is deployed to a stage named v1
https://{MyGatewayDomain}/api/v1/somepath
And the caller supplies the wrong stage
https://{MyGatewayDomain}/api/invalidStage/somepath
Then the API will still respond with 403 Forbidden
I have deployed a basic AWS API, Below are the screen shots.
now when i run Test from above and pass parameter shown in Query String of Method Request i will get the following response.
Request: /searchpatents?name=fsf&test=sfsf
Response against above request
{
"name": "fsf",
"sample": "sfsf",
"controller": "awsapi",
"action": "index",
"awsapi": {
"name": "fsf",
"sample": "sfsf"
}
}
Which shows that i can use the name and sample parameter on my HTTP endpoint.
Now i have deployed this api by clicking Deploy API button and sends HTTP request via curl and by POSTMAN after exporting it from AWS stage panel, I am not receiving name and test params.
My Integration Request is as below
Making a GET request with a body is non-standard, and API Gateway is ignoring the body in a GET request. Please try to using POST/PUT for a request with a body.