How does one authenticate non-AWS apps with AWS Directory Service? - powershell

Assuming I have an instance of Jira (or any other non-aws app that supports SAML), and it is running in my VPC, what steps do I need to take enable single-sign on using AWS Directory Service MicrosoftAD? (Ideally, when people try to access the app, they should be authenticated first, and the app should be able to access their user attributes.)
AWS Directory Service says in its documentation that it has disabled powershell access in AWS Directory Service. Does that mean that it is impossible to enable single sign on programmatically?

You can use AWS Cognito User Pools and Connect Active Directory as a Federated Identity Provider to the User Pool. After the integration you can use Cognito User Pools and SDKs to integrate with any web applications for authentication.
Check the AWS documentation of Using Federation for Amazon Cognito User Pools for more details.

Related

Difference between AWS IAM & AWS SSO? What are all to be careful before we opt for AWS SSO

I'm currently using AWS IAM to provision access to the AWS resources for the users. Recently I created an AWS Organization to separate the Dev & Prod environments. While doing this I supposed to create another IAM user for all users for the Dev AWS Organization Account. so there is 2 IAM user for every user so that all users can access the resources in both Dev & Prod environments. (Yes, its conditional access, not all AWS resources is provisioned).
We started to implement AWS SSO using SAML & came to know about the IAM Identity Center, using which a single user can access resources in both the AWS accounts (Organizations) with a single username itself which is good.
I've some queries regarding the AWS SSO,
Question 1
AWS SSO requires AWS Organization to be enabled by default with an message. What does this means? Once AWS SSO is enabled I can't create new additional/sub organizations?
After you create an organization, you cannot join this account to
another organization until you delete its current organization
Question 2
Once I setup AWS Organization & AWS SSO and changed the identity source it syncs the groups & users to the AWS root account using which we can provision the resources. Will it remove/delete the existing IAM user & role?
If NO, can I still be able to login with the IAM username & password other than this AWS SSO?
Question 3
While I change the identity source using the AWS SSO it warns that the MFA configurations will be deleted. Will it delete the MFA for the root account and the IAM users? or Just the users inside the AWS SSO?
IAM Identity Center will delete your current multi-factor authentication (MFA) configuration.
Question 4
Why I can't setup the AWS SSO from an organization account? Is there any specific reason?
Final Question
Did I understood the AWS SSO (IAM Identity Center) Properly?

How to use service account to authenticate Cloud Run to Firestore

I'm looking for a way to connect Cloud Run to Firestore without using a service account access key. I have a key set up for my local dev environment to access Firestore. I know you can access Firestore from the account running Cloud Run containers, but haven't been able to find any documentation on how to do this.
The most I could find is using a Workforce Identity Federation but that seems to be focused on connecting external services which isn't my goal.
Edit, forgot to mention I'm using nodejs and am not using firebase, just firestore
Every service in Cloud Run has a service account assigned (default Compute Engine service account), but you can create you own service account and assign it (Recommended), you don't need to download a key.
Cloud Run console
In the IAM section look for datastore permissions instead of Firestore permissions, because Firestore is the 'evolution' of datastore.
Follows the doc for more info: https://cloud.google.com/run/docs/configuring/service-accounts

AWS IAM User Access for Developer

I want to give access to my developer to my MongoDB which is hosted by an EC2 Instance on AWS.
He should be able to make mongodump, upload the new backend and do some changes on our control Panel.
I created an IAM User with EC2FullAccess Permissions - I have seen that he was able to add his own IP to the Security Group so he could connect.
I don't feel so comfortable with that - what should I do, to secure myself that he has just enough access to do the necessary work:
Upload new code to server
Do MongoDB dump
I don't want him to be able to switch off/delete my instance or be able to delete my database at all.
Looking at your use case, you do not need to give any EC2 permissions, your developer does not even need IAM user, he can simply have the IP of the instance and the login credentials to the EC2 Instance, that should be suffice to log in to the instance and make the required changes. No need for an IAM user or AWS Console access.
IAM roles are for the purpose of accessing a service on behalf of another. Say, you want to access AWS DynamoDB or S3 from EC2 instance. In this case, an IAM role with required permissions attached to EC2 will server the purpose.
IAM User is for users who need access to AWS services either through Console or through API (programmatic). AWS credentials are required to access the service.
In your case, MongoDB is installed on EC2 and your developer needs access to "the server on which MongoDB is installed" and is not required any access of "AWS EC2 Service".
As correctly pointed out in answer by #X-Men, IAM role or IAM user is not at all required. What required is, your developer to have the IP of server and credentials to login to that server. Username-password or username-key.
Restriction which you need on developer related to MongoDB are to be configured on MongoDB itself and not on EC2 level.

Powershell for Google Cloud: Authenticate with a service account

I'm trying to build an automatic sync solution that uses a Google Cloud storage bucket for storing data.
When I install the cloud SDK it asks for my authentication, but obviously I don't want to use my credentials on the client's server, it should be done with a service account with specific permissions, right?
The documentation just says to authenticate with your credentials. What is the security best practice here?
Found it, it's this simple command:
gcloud auth activate-service-account --key-file=credentials.json
And it works! I can upload stuff with PowerShell
The doc is here

How to use Windows credentials to auto login Azure Active Directory managed applications instead of Single Sign-On

After implementing the integration of Azure Active Directory and some other could applications like Salesforce, and syncing On-Premise Active Directory data by using Azure AD Connect, now I could auto login Salesforce and other cloud apps with Single Sign-On by using the credentials I used for desktop logon, but I still need to key in the credentials once when accessing Azure Applications page (Azure Portal).
Is there any configuration in Azure I can change to support auto-login by using the Windows credentials, so that once I log into my encrypted machine, I could auto login the Azure Applications page (the Azure portal) without key in password again? If Azure does not support no sign-on, what's the best way to do some development to support no sign-on?
Any post or suggestion will be appreciated!
You can always try to authorize users using Graph API. Maybe this will be helpfully: https://github.com/devkimchi/Graph-API-App-Only-Web-API-Sample
I had a similar issue when using ADFS for federated identity and the following article helped, not sure if it applies to Azure AD Connect but it might give you some useful info.
https://support.microsoft.com/en-us/kb/2535227
Thanks thedev and dawidr for your reply.
Finally I found a solution which might achieve the No Sign-On. AAD supports federation authentication, so just try to integrate the ADFS and AAD by using Azure AD Connect to implement the federation identify with On-Premise AD, then no more password key-in when accessing the Azure Applications. I don't have a proxy server with public IP so it's just a solution in my mind without verification.