I'm using cloudformation to create one admins group for my aws account, and I need to add a custom tag to all of them in order to save their e-mail for notification purpouse. There's no info in aws docs about it.
Is possible tag an IAM resource? I know that is possible to do it for a EC2 instance.
No, currently no IAM objects can be tagged, in cloudfront or using administration console.
I suppose that since Tags are mostly used for billing and resource grouping, and IAM objects are free of charge and represent authority, roles and permissions and not a resource or a general purpose database.
I think the best alternative for your scenario would be something like DynamoDB to store this configuration.
Related
I'm trying to improve my knowledge in GCP-GKE as a newbie and in the way to do that, I found out a little concept that I don't quite understand yet. In GKE, there is a Service Account called service-PROJECT_NUM#container-engine-robot.iam.gserviceaccount.com (where the PROJECT_NUM is the ID of our project) and after several hours googling, I couldn't find any article or definition about this stuff. So could you guys please explain to me
What is this Service Account ? How was it created (by who)?
What is this thing for? How important is it in GKE?
What happens if we delete it ? Could we re-created it manually ?
In fact, I found out that in GCP, we have some Service Account that have a "robot" suffix: ...robot.iam.gserviceaccount.com/ (like #gcf-admin-robot.iam.gserviceaccount.com/, #serverless-robot-prod.iam.gserviceaccount.com, etc). What could we say about this, please ?
If I misunderstand something, please, point it out for me, I really appreciate that.
Thank you guys !!!
Service Accounts aka "robots" contrast with user ("human") accounts and represent two forms of Google identity.
NOTE Robots was the original name for Service Accounts and is a more colorful description of the intent of these accounts, to run software.
(Google) User accounts include consumer (Gmail) e.g. you#gmail.com and you#employee.com (Workspace) accounts. User accounts are used by humans to interact with Google services and must be used (or a suitable delegate) to acccess user-owned content such as Workspace docs, sheets etc.
Software ("robots") generally should run as a Service Account not as a User account. In part, you can't easily run software using User accounts because the User OAuth flow is 3-legged and requires interacting with an OAuth Consent Screen to permit an app access to data.
There are two flavors of Service Account: Google-created|managed and User-created|managed. The difference is essentially the owner. If you create applications, generally you should create a Service Account for each app and run the app using its Service Account.
User-managed Service Accounts take the form {something}#{project}.iam.gserviceaccount.com where you get to define the value of {something} and the Google Project in which the Service Account is created (the project that owns the Service Account) is represented by {project} (actually the Project ID).
When Google provides app functionality, it also creates Service Accounts and often, Google "binds" these Service Accounts to your projects that use them in addition to defining the role that the Service Account has in your project.
Google-managed Service Accounts take the form {something}#{label}.iam.gserviceaccount.com. Unlike User-managed Service Accounts, Google uses more descriptive labels ({label}) to help explain the role of the Service Account.
NOTE With Google-managed Service Accounts {something} often includes the Project Number (not ID) of (your!) project for which the Google-managed account has been created.
You cannot delete Google-managed Service Accounts because you(r Google account) does not own the Service Account.
You can (but should not) delete the role binding between one of your projects and a Google-managed Service Account. It may be possible for you to revert (recreate) the binding but you may not have permission to do this.
When I create a service principal it also creates an App in Active Directory.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/123456a1-a1b2-1234-12ab-12a3b4cdef67"
If I go to the Azure Portal - Active Directory - App registrations it shows all the applications registered.
I have managed to find the service principal I use for terraform by matching the terraform client_id with the Azure "Application (client) ID". It also had a human readable display name (although not the best since I still had to look via client id!)
However, there are several others where the display name is just "project_subscription".
They look like they must have been generated automatically when setting up a pipeline registering a web app in the portal or something.
I can't tell if they are actually used or if they were just created for experimenting and are then left over.
How do I know what they are for and if they are still used or not?
Is it possible to search Azure for the id or anything?
Is it possible to add a description to these to identify what they are used for beyond just the display name?
e.g. I only identified the terraform one by matching up the id with my code
App registration can be used for many scenarios, the app registrations in your AAD tenant should be created by different users. There is no such thing as a description of them.
To see if they are used, it needs to combine the context, as in AAD, there are different usages for them. For example, there are no sign-in logs of the AD App's corresponding service principal, but you cannot make sure if it was used as a client app. For the details, you may need to check the Audit logs.
For more details about AD App(App Registration) and service principal, you could check this doc - https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
I need to set group permissions by inheriting from another already existing group but it has to be coded. I've managed to create a group but I haven't found a way to edit their permissions, is there any way to do it using either Client libraries or the API resources?
I believe it should be possible to do it using SecurityHttpClient's function SetAccessControlListsAsync() or something similar to it but I'm not sure how to implement it.
It seems you are looking for Access Control Entries - Set Access Control Entries API, which is used to add or update ACEs in the ACL for the provided token.
More details, you can refer to the documentation below:
https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-rest-5.0
I don't think it is possible for the APIs at the moment. I also can not find APIs which are used to set the permission for the group.
#Cece Dong - MSFT, in your response, the API is for security namespace of the organization, but it is not for a group. In another word, I can not find any relationship with the security namespace and group. I created a group in my project, but when i use this API to query all the security namespaces, i can not get the relative group info.
I am trying use Google Drive Rest API. My use case is, I have a google domain with some users and one admin. And I need to access and manipulate all users data from admin account.
Is it possible?
If possible can any one say how?
You have to use a Service Account to authorize your requests. Here you can find a guide that explains how. I'd recommend reading the documentation carefully as using service accounts may be quite dangerous.
I'd like to use Amazon SimpleDB to store data for my iPhone app. Different users will own items within the same domain. I'd like for users to be able to delete their own items but not each others', and for this restriction to be enforced server-side.
I am hoping to use anonymous TVM.
What is the best way to do this?
Using IAM User Management you can create a custom policy for each user or group to allow or deny access to delete items in SimpleDB. If each user has their own domain you can restrict access to the domain by using the arn format arn:aws:sdb:<region>:<account_ID>:domain/<domain_name>
I think that you can't use IAM - you seem to say that you have one domain where all user data is stored.
One way to achieve what you want is to use item name prefixes that are user based, e.g. user jimsmith would have all items stored under an item name that beings with 'jimsmith' or some random string, unique to jimsmith (which could be stored somewhere).
Then you are in charge of security, so you would not be able to have the phones directly query AWS - they would need to talk to your intermediary server which would handle security. You have to assume that people could run the app on a jailbroken phone, and decompile, etc.
You can use IAM to restrict a single user to a small portion of an S3 bucket though. You could then index the bucket using a server app of your design. Then the DB could be used for searching purposes with your own code, so that iPhones only deal with S3.
From what I have researched the simpleDB user right policies aren't designed to be used in such a way you are proposing (meaning undisclosed number of users of the app) and the way to handle this might be to use some server application in-the-middle as was suggested here: Mobile app and SimpleDB direct 'Access Policy'