I have referred the AWS EC2 server provision document.
1. Im unable to create the signature from Access key and secret key.
what is the API (needed parameters, headers) to generate a signature? and how to provision a server ? can any one explain me please?
would you consider finding this out from the Getting Started with AWS SDK for .NET:
http://aws.amazon.com/developers/getting-started/net/
It looks pretty straightforward and in my humble opinion it is a good practice not to reinvent any activities related to security (such as authentication or authorization) and use the recommended framework/SDK.
Regarding launching an instance, please refer to the guide in this page:
http://docs.aws.amazon.com/AWSSdkDocsNET/latest/V3/DeveloperGuide/run-instance.html
Related
I plan to add HashiCorp support for dynamic database credentials for our micronaut applications. I noticed that micronaut-discovery-client may support this. In its configuration I found that key value backend is supported but there is no sign of support for dynamic database credentials. Can anyone share any info about this topic from experience?
Any help will be much appreciated.
I am struggling to understand the documentation on how to make a request to Amazon S3 API's to retrieve a list of Objects.
The documentation doesn't show how to Authorise the request using just the access key and secret. Can someone post an example? preferably something I can use in Postman to test with.
AWS supports two signature versions: Signature Version 4 and Signature Version 2.
You should use Signature Version 4. All AWS services support Signature Version 4, except Amazon SimpleDB which requires Signature Version 2.
All AWS regions support Signature Version 4.
Here is a great article by ĆUKASZ ADAMCZAK explaining how to generate and sign the S3 request using openssl and curl:
Amazon S3 REST API with curl
The real challenge will be to do the sigv4 signing. I truly urge you to use one of the established SDKs (what language are you using??). If not wrap a call to the AWS CLI.
If you really want to implement it yourself the I urge you to open source your efforts so others can benefit.
I would start by setting up the bucket with no auth (so anyone can read from it) and determine how to make a request to S3 first. You can see some raw HTTP Request examples here: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html#RESTObjectGET-responses-examples
Then you'll be on to the fun part, sigv4 signing the request. This is a well documented process but still a good amount of effort. https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
In cloud foundry how can I get the client_id and client_secret code.
This will be used in Basic authentication instead of passing the user and password for respective api calls
In general, this is something that you would get from your platform administrator. He or she would be able to provide you with a properly configured client id and client secret to fit your needs. If you are not the administrator, then you won't be able to do this.
If you are an administrator, read on. There are many existing client and secret pairs within a Cloud Foundry platform. It's also possible, and suggested, to create custom client and secret pairs for use with non-platform apps. You shouldn't use a platform client for your custom app, you should use your own custom client, that way if the client is compromised you can delete it or change the secret.
All of this, viewing & managing client data, is done through UAA, so I'd recommend starting with the docs on UAA. Make sure that you understand the concepts. You may even want to take a step further back and review concepts of OAuth2 as well. Understanding OAuth2 will make working with UAA much easier.
https://docs.cloudfoundry.org/uaa/uaa-overview.html
After that, you'll need the uaac (i.e. UAA client) installed.
https://github.com/cloudfoundry/cf-uaac
Once you're familiar with UAA & have the client installed, this doc on how to manage clients should provide you with instructions to view or create a new client.
https://github.com/cloudfoundry/uaa/blob/master/docs/Sysadmin-Guide.rst#manage-client-registrations
You will need admin role to be able to create a client or get its details.
Refer https://docs.cloudfoundry.org/api/uaa/version/4.7.1/index.html#clients to see various api to manage and create clients.
You can also use the uaa client to get the client details.
Refer https://docs.cloudfoundry.org/uaa/uaa-user-management.html for more info.
Is it possible to use AWS KMS and a tool like credstash without the use of EC2 or equivalent or does it rely solely on IAM roles?
I've got a server elsewhere where I am testing some things out and ultimately I will be looking at migrating an app to EC2 etc. to make use of scaling. But for now whilst I'm setting up my deployment pipeline etc. I wondered if it was still possible to make use of KMS on my non-aws provisioned server?
The only possible way I can think of is by installing the AWS CLI tools on the server in question. Does this sounds like the right approach?
What #Viccari said is correct (in the comments). In terms of what you want to do (store passwords), the AWS Parameter Store would be a good fit for you. See https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html for more information. The guide explicitly calls out your use-case:
Parameter Store offers the following benefits and features.
Use a secure, scalable, hosted secrets management service (No servers to manage).
In the end, if you end up using Parameter Store or KMS, you will need some sort of credentials stored somewhere to grab an AWS STS token to use to call the underlying AWS services. If working outside of AWS EC2, you will need the AWS Access Key and AWS Secret Key from an IAM user. If you are in EC2, the IAM instance role will magically provide you the credentials and use that role to call those AWS services. The AWS SDK does this for you behind the scenes.
But, as you state, you don't want to run this in EC2 (to save money, or other reasons). The quickest way to store these credentials is to have them in a un-tracked file (added to your .gitignore) you can source from as environment variables, which your program will then read. This allows you to do local testing, and easily run it in EC2
with zero code changes. See https://docs.aws.amazon.com/cli/latest/userguide/cli-environment.html for what variables to set. Note that this doc talks about the CLI; the SDK's follow the same behavior.
I am looking to access a local instance of Couchbase Server through its REST API. The HTTP GET requests are sent from Java.
The problem I am currently running into has to do with authorization.
Specifically, I have managed to use Couchbase's Basic Authorization, but only by obtaining the hashed credentials (bG9jYWw6dHdlZXRzOnBBc3Mx in the example linked to above) by monitoring a Couchbase browser session using Chrome's developer tools and inspecting the request headers.
Now, another Couchbase article mentions that Couchbase uses SHA-1 in compliance with SCRAM. However, no mention is made of how to obtain the 'salt' and 'iterations' parameters from Couchbase. Which, I assume I need to go from the credentials to the challenge solution (i.e. hashed string)
So, the question is as follows: how to get from the credentials (user="local:tweets", pass="pAss1") (from the example of the first link) to bG9jYWw6dHdlZXRzOnBBc3Mx?
Thanks in advance,
Thomas
SCRAM SHA-1 support is only for the Data (K/V) service and only through certain Couchbase SDKs which use the memcached binary protocol. The Java SDK does have support for SCRAM SHA-1.
The REST interface you appear to be using is N1QL's API. That does not support SCRAM SHA auth.
If you're looking to give some other application HTTP access, my recommendation would be to write a small Java app with Spring Boot or the like and use the Java SDK from there. Then you have complete control over how auth is done at the REST interface. A colleague wrote one of these just the other day. Note that even in this case, the Java SDK won't be using SCRAM when running N1QL queries, but you can use that as a point of control.