aws-samples / aws-iam-temporary-elevated-access-broker
Allow users to request temporary elevated access to your AWS environment
License: MIT No Attribution
The output (LambdaIdentityBrokerRole) from CloudFormation includes the full ARN - the guidance could be simplified to simply use the ARN rather than extract <account> and <federate>.
When generating CLI credentials for an approved request, there is an option to copy to clipboard. When clicking this button nothing is actually being copied; I don't see any errors in the browser console for this and it doesn't look like there's even an event firing in response to the button click.
I'm getting a 500 error when rejecting a request. The request is rejected, the status is updated in DynamoDB and the reject email is sent, but the below FlashMessage is displayed.
Here's the API log.
{ 'requestId':'bb5387b6-8e99-42a7-b642-36de59bc0725', 'ip': ', 'caller':'-', 'user':'-','requestTime':'08/Sep/2022:16:40:06 +0000', 'xrayTraceId':'Root=1-631a1ae6-583ae0e6723c7be14df47737', 'wafResponseCode':'-', 'httpMethod':'GET','resourcePath':'/get_pending_requests', 'status':'500','protocol':'HTTP/1.1', 'responseLength':'16' }
Here is the log from the custom_authorizer Lambda
ERROR Invoke Error {"errorType":"TypeError","errorMessage":"Cannot read property 'split' of undefined","stack":["TypeError: Cannot read property 'split' of undefined"," at Parser.parse (/var/task/node_modules/njwt/index.js:290:28)"," at Verifier.verify (/var/task/node_modules/njwt/index.js:349:24)"," at /var/task/node_modules/@okta/jwt-verifier/lib.js:206:21"," at new Promise ()"," at OktaJwtVerifier.verifyAsPromise (/var/task/node_modules/@okta/jwt-verifier/lib.js:204:12)"," at OktaJwtVerifier.verifyAccessToken (/var/task/node_modules/@okta/jwt-verifier/lib.js:238:28)"," at verifyAccessToken (/var/task/index.js:88:31)"," at Runtime.exports.handler (/var/task/index.js:134:9)"," at Runtime.handleOnceNonStreaming (/var/runtime/Runtime.js:73:25)"]}
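The custom_authorizer trace above ends in njwt's Parser.parse calling split on undefined, which is what happens when the verifier is handed no token string at all rather than a malformed one. As an added illustration (not the project's code, and not a diagnosis of this particular deployment), the JavaScript below shows a defensive token-extraction step for an API Gateway Lambda authorizer that rejects a missing or non-bearer Authorization value before any JWT library sees it. The sample events, the two event shapes handled, and the verifier interface (an object with an async verify(token, audience) method, standing in for OktaJwtVerifier's verifyAccessToken) are assumptions.

```javascript
// Added example, not the project's code: defensive bearer-token extraction for an
// API Gateway Lambda authorizer. njwt's Parser.parse fails with "Cannot read
// property 'split' of undefined" when the verifier is handed undefined instead of
// a token string, and API Gateway reports an unhandled authorizer error as a 500.
// Checking for the token first turns that into an explicit 401.

// RFC 6750 bearer scheme: "Bearer" (case-insensitive) followed by a b64token.
const BEARER_RE = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i;

// Constructed sample events (assumption); shapes follow the two authorizer types
// API Gateway invokes. The token value is a made-up, unsigned placeholder.
const SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyQGV4YW1wbGUuY29tIn0.c2lnbmF0dXJl';
const SAMPLE_EVENTS = {
  tokenAuthorizer: { type: 'TOKEN', authorizationToken: `Bearer ${SAMPLE_TOKEN}` },
  requestAuthorizer: { type: 'REQUEST', headers: { authorization: `bearer ${SAMPLE_TOKEN}` } },
  missingHeader: { type: 'REQUEST', headers: { 'content-type': 'application/json' } },
  wrongScheme: { type: 'TOKEN', authorizationToken: 'Basic dXNlcjpwYXNz' },
  truncated: { type: 'TOKEN', authorizationToken: 'Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0' },
};

// Returns the compact JWS string from either event shape, or null when the
// header is absent, uses another scheme, or is not three dot-separated parts.
function extractBearerToken(event) {
  if (!event || typeof event !== 'object') return null;
  let raw = event.authorizationToken;
  if (typeof raw !== 'string' && event.headers && typeof event.headers === 'object') {
    // HTTP header names are case-insensitive; REQUEST authorizers pass them as sent.
    const key = Object.keys(event.headers).find((k) => k.toLowerCase() === 'authorization');
    raw = key ? event.headers[key] : undefined;
  }
  if (typeof raw !== 'string') return null;
  const match = BEARER_RE.exec(raw.trim());
  if (!match) return null;
  return match[1].split('.').length === 3 ? match[1] : null;
}

// `verifier` is any object with an async verify(token, audience) method that
// resolves to { claims } or rejects. This interface is an assumption standing in
// for OktaJwtVerifier#verifyAccessToken, which takes the same (token, audience).
async function authorize(event, verifier, audience) {
  const token = extractBearerToken(event);
  if (token === null) {
    // API Gateway maps an authorizer error whose message is exactly
    // 'Unauthorized' to a 401 response instead of a 500.
    throw new Error('Unauthorized');
  }
  try {
    const jwt = await verifier.verify(token, audience);
    return { principalId: jwt.claims.sub, effect: 'Allow' };
  } catch (err) {
    // Bad signature, expiry or audience mismatch: an explicit Deny (403), not a crash.
    return { principalId: 'anonymous', effect: 'Deny', reason: err.message };
  }
}
```

The useful operational difference is in the status codes: a missing header becomes a 401 that the SPA can act on, a failed verification becomes a 403 from the Deny policy, and only genuine authorizer bugs remain 500s, which makes the API Gateway access log far easier to triage than the trace above.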
redirect_uri and Sign-out redirect URLs to point to the CloudFront URL. Overall, screenshots of example configurations would be valuable.
At this stage the IAM Role names are not known. Suggest reordering the creation of IAM roles to come before this section.
Hi,
Is it possible to set up this app with an Org Authentication Server instead of a Custom Authentication Server?
We are unable to validate the AccessToken against an Okta Org Authentication Server.
Thank you in advance
ApiGatewayKeyValue contains the CLI command to get the key - not the key itself. This should be made clear, with steps to get the key (e.g. via the Cloud9 environment).
I'm trying to test out this broker and when on the Create-Request form, the input components do not fire the onChange events. The data loads in the accounts select component but when I select an account the roles don't load, and further debugging showed the onChange event handler for the account select component never gets fired. I checked if the other components' onChange events fire and they do not. Anyone else see this issue?
This is the de facto recommendation unless more advanced scenarios are required.
Suggest referencing the actual CloudFormation output name (ServiceEndpoint) instead of (APIEndpoint).
Also, remove the https:// prefix as the CloudFormation output already has it.
Hello, I am receiving the above error after okta authentication. However, when I inspect the network requests all of the "getUserInfo" calls are receiving 200 responses with appropriate data in them. Has anyone encountered this issue before?
I have deployed the solution but when I go to each of the dashboards, i.e. Request, Review or Audit I get the following error message: 'Could not get the requests: TypeError: Failed to fetch'. In Chrome developer tools I get the following message in the Console "Access to fetch at 'https://sj716j38m0.execute-api.us-east-1.amazonaws.com/dev/get_requests' from origin 'https://dfoacryhmkmu6.cloudfront.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled." See attached screenshots for more details.
npm install

added 2596 packages, and audited 2597 packages in 1m

246 packages are looking for funding
  run `npm fund` for details

27 vulnerabilities (10 moderate, 15 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
Hi,
I've followed through the steps and got everything deployed and configured as expected I believe.
I can successfully log in, and from debugging I can see the groups coming through as expected from the IDP in the HomePageContent.tsx createAccountMap function.
When I navigate to the create request form I can select the account; however, this doesn't trigger the onChange event to populate the role, and I cannot select that.
I've added some console.logs to the onChange events and I can't see any of them being triggered when the form input is changed.
I'm using Chrome version 98.0.4758.102, also checked in edge 98.0.1108.55 and had the same.
Any ideas?
Thanks
Paul
Groups claim name must be all lower case! as it's expected by the SPA code to be lower case: groups
Please make this very clear in the guidance, as the current reference has it in proper case, which does not work.
Please include guidance for the other fields for Okta configuration, such as Filter and Regex.
A screenshot of an example Okta configuration could be useful.
Failed to compile.
TS2322: Type '{ header: { text: string; href: string; }; expanded: boolean; items: SideNavigationItem[]; }' is not assignable to type 'IntrinsicAttributes & (IntrinsicClassAttributes<Component<Pick<SideNavigationProps, "header" | "items"> & ({} | { wrappedComponentRef?: Ref | undefined; }), any, any>> & (Readonly<...> & Readonly<...>))'.
Property 'expanded' does not exist on type 'IntrinsicAttributes & (IntrinsicClassAttributes<Component<Pick<SideNavigationProps, "header" | "items"> & ({} | { wrappedComponentRef?: Ref | undefined; }), any, any>> & (Readonly<...> & Readonly<...>))'.
17 | return <SideNavigationBase
18 | header={{text: 'Demo', href: '/'}}
19 | expanded={false}
| ^^^^^^^^
20 | items={
21 | getNavigation()
22 | }
Error
Property 'groups' does not exist on type '{ auth_time?: number | undefined; aud?: string | undefined; email?: string | undefined; email_verified?: boolean | undefined; exp?: number | undefined; family_name?: string | undefined; ... 12 more ...; at_hash?: string | undefined; }'. TS2339
83 | const claims = await oktaAuth.getUser();
84 | userInfo.user = claims.email ? claims.email : "";
> 85 | userInfo.accountMap = createAccountMap(claims.groups);
| ^
86 |
87 | const tokenManager = oktaAuth.tokenManager;
88 | const accessToken = await tokenManager.get('accessToken');
Step to replicate: run npm run build on ui-frontend
Temp fix: pin @okta/okta-react to version 6.3.0
The current guidance for CloudFormation deployment does not cover the steps/guidance to get the template from the Cloud9 environment to either an S3 bucket or local file such that it can be deployed via the AWS Management Console
What changes need to be made in the CloudFormation template if we don't want to use Lambda@Edge? Will it even work if we don't want to use Lambda@Edge?
Suggest listing the bullets in the same order as they appear on the CloudFormation console page.
I try to deploy the resulting template with:
aws cloudformation deploy --template-file /home/adrian/Downloads/dlg/aws-iam-temporary-elevated-access-broker/packaged-template.yaml --stack-name stack --s3-bucket bucketspa3 --capabilities CAPABILITY_NAMED_IAM
This always fails and I have to roll back. I have admin privileges on my IAM role.
Some of the errors I get:
The following resource(s) failed to create: [LambdaExecutionRole, ApiGatewayLogGroup, GetrequestsLogGroup, DynamodbstreamLogGroup, WebBucket, FederateconsoleLogGroup, CustomauthorizerLogGroup, GetpendingrequestsLogGroup, GetallrequestsLogGroup, CloudWatchRole, LambdaLayer, OriginResponseLogGroup, RejectrequestLogGroup, FederatecliLogGroup, KMSDecryptPolicy, DeleterequestLogGroup, OriginAccessIdentity, CreaterequestLogGroup, DynamoDBReadPolicy, HttpoptionshandlerLogGroup, LambdaEdgeFunctionRole, requestTable, CloudFrontCachePolicy, ApprovalSNSTopic, GetprocessedrequestsLogGroup, ApproverequestLogGroup]. Rollback requested by user.
The ui directory does not exist. The relative path would be /public/index.html
These parameters in the CloudFormation deployment are dependent on the Okta configuration:
I'd suggest the Okta setup section is put before the CloudFormation deployment.
When building the lambda layers the instructions say: "From within the /lambda-layer/python directory run:"
No leading / is required because lambda-layer is a subdirectory of aws-iam-temporary-elevated-access-broker.
The next step, "The /okta-authorizer directory contains a Node.js package.json file. From within the directory, install the package.json contents:", is similar. You actually need to go back up 2 levels from the previous instruction to run the npm install command.
Create & validate an email to be used by SNS before CloudFormation deployment