
aws-iam-temporary-elevated-access-broker's Issues

Creating target roles - LambdaIdentityBrokerRole output value

The output (LambdaIdentityBrokerRole) from CloudFormation includes the full ARN - the guidance could be simplified to simply use the ARN rather than extract `<account>` and `<federate>`

* **`<federate>`** is the name of the Lambda execution role used by the broker to fetch temporary credentials for this role on behalf of the user. For the specific role name, please refer to the *LambdaIdentityBrokerRole* output value on the deployment template.

CLI Credentials UI Error

When generating CLI credentials for an approved request, there is an option to copy to clipboard. When clicking this button nothing is actually copied. I don't see any errors in the browser console for this, and it doesn't look like there's even an event firing in response to the button click.

Getting a 500 error when rejecting a request

I'm getting a 500 error when rejecting a request. The request is rejected, the status is updated in DynamoDB and the reject email is sent, but the below FlashMessage is displayed.

image

Here's the API log.
{ 'requestId':'bb5387b6-8e99-42a7-b642-36de59bc0725', 'ip': ', 'caller':'-', 'user':'-','requestTime':'08/Sep/2022:16:40:06 +0000', 'xrayTraceId':'Root=1-631a1ae6-583ae0e6723c7be14df47737', 'wafResponseCode':'-', 'httpMethod':'GET','resourcePath':'/get_pending_requests', 'status':'500','protocol':'HTTP/1.1', 'responseLength':'16' }

Here is the log from the custom_authorizer Lambda:

ERROR Invoke Error {"errorType":"TypeError","errorMessage":"Cannot read property 'split' of undefined","stack":["TypeError: Cannot read property 'split' of undefined"," at Parser.parse (/var/task/node_modules/njwt/index.js:290:28)"," at Verifier.verify (/var/task/node_modules/njwt/index.js:349:24)"," at /var/task/node_modules/@okta/jwt-verifier/lib.js:206:21"," at new Promise ()"," at OktaJwtVerifier.verifyAsPromise (/var/task/node_modules/@okta/jwt-verifier/lib.js:204:12)"," at OktaJwtVerifier.verifyAccessToken (/var/task/node_modules/@okta/jwt-verifier/lib.js:238:28)"," at verifyAccessToken (/var/task/index.js:88:31)"," at Runtime.exports.handler (/var/task/index.js:134:9)"," at Runtime.handleOnceNonStreaming (/var/runtime/Runtime.js:73:25)"]}
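The stack trace above ends in njwt's parser calling `split` on `undefined`, i.e. the Okta verifier was handed a request that carried no bearer token at all, and an unhandled exception inside a Lambda authorizer surfaces to the client as a 500. The block below is an added example and not the project's own `custom_authorizer` code: it checks for the token before any JWT library sees it, so a missing or malformed header becomes a clean 401 instead. The event shapes follow API Gateway's TOKEN and REQUEST authorizer conventions; the `verify` callback and the `EXPECTED_AUDIENCE` value are assumptions standing in for `oktaJwtVerifier.verifyAccessToken(token, audience)`.

```javascript
// Added example, not the project's authorizer: guard the bearer token before
// calling a JWT verifier, so "no token" is a 401 rather than a 500.

// Placeholder (assumption): the audience the Okta authorization server issues
// access tokens for. It has to match the audience configured in Okta.
const EXPECTED_AUDIENCE = 'api://EXAMPLE_AUDIENCE';

// Case-insensitive header lookup: API Gateway passes headers through as the
// client sent them, so both 'Authorization' and 'authorization' occur.
function getHeader(headers, name) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name.toLowerCase()) return value;
  }
  return undefined;
}

// Extract the token from a TOKEN-type event (authorizationToken) or a
// REQUEST-type event (headers). Returns null when nothing usable is present,
// which is exactly the case the njwt stack trace above failed on.
function extractBearerToken(event) {
  const raw =
    (event && event.authorizationToken) ||
    getHeader(event && event.headers, 'authorization');
  if (typeof raw !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(raw.trim());
  return match ? match[1] : null;
}

// IAM policy document in the shape API Gateway expects back from an authorizer.
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [
        { Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn },
      ],
    },
  };
}

// `verify(token, audience)` is injected so the example runs offline; in a
// deployment it would be oktaJwtVerifier.verifyAccessToken, which resolves to
// the verified JWT (with a `.claims` object) or rejects.
async function authorize(event, verify) {
  const token = extractBearerToken(event);
  if (token === null) {
    // An Error whose message is exactly 'Unauthorized' makes API Gateway
    // answer 401 instead of 500.
    throw new Error('Unauthorized');
  }
  let jwt;
  try {
    jwt = await verify(token, EXPECTED_AUDIENCE);
  } catch (err) {
    // Bad signature, wrong audience/issuer, expired token: all 401, never 500.
    throw new Error('Unauthorized');
  }
  return buildPolicy(jwt.claims.sub, 'Allow', event.methodArn);
}
```

With this in place, a request that reaches the authorizer without an `Authorization` header is logged and rejected as 401 rather than producing the `TypeError` above; the access log entry for `/get_pending_requests` would then show the real reason the call failed, which is the first thing to check before debugging the reject flow itself.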

Okta configuration - missing guidance, and examples

  • Missing guidance: when setting up the Okta authorization server (default) you need to change the default Audience string from `api://default` to the one set in the Okta application's OpenID Connect ID token
  • Missing guidance on updating the Okta Sign-in redirect URLs (`redirect_uri`) and Sign-out redirect URLs to point to the CloudFront URL

### Integrating with your identity provider

Overall, screenshots of example configurations would be valuable.

ApiGatewayKeyValue contains the CLI command to get the key - Guidance update

ApiGatewayKeyValue contains the CLI command to get the key - not the key itself. This should be made clear, with steps to get the key (e.g. via a Cloud9 environment).

Replace the BG_ENDPOINTS values for *ApiKey* and *Endpoint* with ones from your AWS deployment. Please refer to the `ApiGatewayKeyValue`, `CloudFrontURL` and `APIStage` output values on the deployment template.

Form components onchange event not firing

I'm trying to test out this broker and when on the Create-Request form, the input components do not fire the onChange events. The data loads in the accounts select component, but when I select an account the roles don't load, and further debugging showed the onChange event handler for the account select component never gets fired. I checked whether the other components' onChange events fire and they do not. Anyone else see this issue?

TypeError: Failed to fetch on each dashboard

I have deployed the solution but when I go to each of the dashboards, i.e. Request, Review or Audit I get the following error message: 'Could not get the requests: TypeError: Failed to fetch'. In Chrome developer tools I get the following message in the Console "Access to fetch at 'https://sj716j38m0.execute-api.us-east-1.amazonaws.com/dev/get_requests' from origin 'https://dfoacryhmkmu6.cloudfront.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled." See attached screenshots for more details.

Screen Shot 2021-11-29 at 2 11 09 pm
Screen Shot 2021-11-29 at 2 13 05 pm
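The console message above says the browser never received an `Access-Control-Allow-Origin` header on the `get_requests` response, so the dashboard only sees the opaque "Failed to fetch" rather than whatever status the API actually returned. The block below is an added example, not the project's code (the template's `Httpoptionshandler` resource listed further down this page is a separate thing): a Lambda proxy response helper that attaches CORS headers only for an allow-listed origin, plus the matching preflight handler. The CloudFront hostname is a placeholder, and `loadRequests` is a stand-in for the real DynamoDB query.

```javascript
// Added example, not the project's handler: CORS headers for a Lambda proxy
// integration, scoped to the SPA's own CloudFront origin.

// Placeholder (assumption): the CloudFront distribution that serves the SPA.
// Only exact matches are allowed; reflecting whatever Origin the client sends
// would let any other site call the API with the user's bearer token.
const ALLOWED_ORIGINS = new Set(['https://EXAMPLE_DISTRIBUTION.cloudfront.net']);

// Case-insensitive header lookup (API Gateway preserves the client's casing).
function getHeader(headers, name) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name.toLowerCase()) return value;
  }
  return undefined;
}

// CORS headers for an allowed origin; an empty object otherwise, which makes
// the browser block the response for that page.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization,Content-Type,x-api-key',
    'Access-Control-Max-Age': '600',
    Vary: 'Origin',
  };
}

// Every response the function returns, success or error, needs the headers;
// otherwise an error response reaches the browser as a CORS failure rather
// than as its real status code.
function respond(event, statusCode, body) {
  const origin = getHeader(event.headers, 'origin');
  const headers = { ...corsHeaders(origin) };
  let encoded = '';
  if (body !== undefined && body !== null) {
    headers['Content-Type'] = 'application/json';
    encoded = JSON.stringify(body);
  }
  return { statusCode, headers, body: encoded };
}

// Preflight: the browser sends OPTIONS without the Authorization header, so
// this route must not sit behind the JWT authorizer.
function handleOptions(event) {
  return respond(event, 204, null);
}

// A GET handler built on the helper; `loadRequests` stands in for the
// DynamoDB lookup so the example runs offline.
async function getRequestsHandler(event, loadRequests) {
  try {
    const items = await loadRequests(event);
    return respond(event, 200, { requests: items });
  } catch (err) {
    return respond(event, 500, { message: 'Could not get the requests' });
  }
}
```

Two caveats when debugging this kind of error. First, API Gateway adds no CORS headers to responses it generates itself (a 401 or 403 from the authorizer, or a 5xx when the integration fails), so those also appear in the browser as CORS failures unless the API's Gateway Responses are configured to add the header; check the API Gateway access log for the real status before chasing CORS in the Lambda. Second, the origin in the allow list must be the exact CloudFront URL the SPA is served from, and the `/dev` stage in the failing URL must match the `APIStage` value placed in `BG_ENDPOINTS`, which is the same configuration step quoted in the ApiGatewayKeyValue issue below.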

npm install build has vulnerabilities

npm install

added 2596 packages, and audited 2597 packages in 1m

246 packages are looking for funding
run npm fund for details

27 vulnerabilities (10 moderate, 15 high, 2 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Create Request Form Not Triggering onChange Event

Hi,

I've followed through the steps and got everything deployed and configured as expected I believe.

I can successfully login and from debugging I can see the groups coming through as expected from the IDP in the HomePageContent.tsx createAccountMap function.

When I navigate to the create request form I can select the account, however this doesn't trigger the onChange event to populate the role and I cannot select that.

I've added some console.logs to the onChange events and I can't see any of them being triggered when the form input is changed.

I'm using Chrome version 98.0.4758.102, also checked in edge 98.0.1108.55 and had the same.

Any ideas?

Thanks

Paul

Adding a Groups claim to ID tokens - guidance

Groups claim name must be all lower case, as it's expected by the SPA code to be lower case: `groups`

### Adding a Groups claim to ID tokens

Please make this very clear in the guidance, as the current reference has it proper case which does not work.

Please include guidance for the other fields for Okta configuration - such as Filter and Regex

A screenshot of an example Okta configuration could be useful.

Failed to compile : ui-frontend\src\components\AppLayout\index.tsx

Failed to compile.

TS2322: Type '{ header: { text: string; href: string; }; expanded: boolean; items: SideNavigationItem[]; }' is not assignable to type 'IntrinsicAttributes & (IntrinsicClassAttributes<Component<Pick<SideNavigationProps, "header" | "items"> & ({} | { wrappedComponentRef?: Ref | undefined; }), any, any>> & (Readonly<...> & Readonly<...>))'.
Property 'expanded' does not exist on type 'IntrinsicAttributes & (IntrinsicClassAttributes<Component<Pick<SideNavigationProps, "header" | "items"> & ({} | { wrappedComponentRef?: Ref | undefined; }), any, any>> & (Readonly<...> & Readonly<...>))'.
17 | return <SideNavigationBase
18 | header={{text: 'Demo', href: '/'}}

19 | expanded={false}
| ^^^^^^^^
20 | items={
21 | getNavigation()
22 | }

npm build failed : Property 'groups' does not exist

Error

Property 'groups' does not exist on type '{ auth_time?: number | undefined; aud?: string | undefined; email?: string | undefined; email_verified?: boolean | undefined; exp?: number | undefined; family_name?: string | undefined; ... 12 more ...; at_hash?: string | undefined; }'. TS2339

    83 |         const claims = await oktaAuth.getUser();
    84 |         userInfo.user = claims.email ? claims.email : "";
  > 85 |         userInfo.accountMap = createAccountMap(claims.groups);
       |                                                       ^
    86 | 
    87 |         const tokenManager = oktaAuth.tokenManager;
    88 |         const accessToken = await tokenManager.get('accessToken');

Step to replicate

  1. Run npm run build on ui-frontend
  2. npm package.json is set to "@okta/okta-react": "^6.3.0"

Temp fix
pin @okta/okta-react to version 6.3.0

Changes to not use Lambda Edge

What changes need to be made to the CloudFormation template if we don't want to use Lambda@Edge? Will it even work if we don't want to use Lambda@Edge?

deploying the template fails

I try to deploy the resulting template with:

aws cloudformation deploy --template-file /home/adrian/Downloads/dlg/aws-iam-temporary-elevated-access-broker/packaged-template.yaml --stack-name stack --s3-bucket bucketspa3 --capabilities CAPABILITY_NAMED_IAM

This always fails and I have to rollback. I have admin privileges on my IAM role.

Some of the errors I get:

The following resource(s) failed to create: [LambdaExecutionRole, ApiGatewayLogGroup, GetrequestsLogGroup, DynamodbstreamLogGroup, WebBucket, FederateconsoleLogGroup, CustomauthorizerLogGroup, GetpendingrequestsLogGroup, GetallrequestsLogGroup, CloudWatchRole, LambdaLayer, OriginResponseLogGroup, RejectrequestLogGroup, FederatecliLogGroup, KMSDecryptPolicy, DeleterequestLogGroup, OriginAccessIdentity, CreaterequestLogGroup, DynamoDBReadPolicy, HttpoptionshandlerLogGroup, LambdaEdgeFunctionRole, requestTable, CloudFrontCachePolicy, ApprovalSNSTopic, GetprocessedrequestsLogGroup, ApproverequestLogGroup]. Rollback requested by user.

Absolute paths in deployment instructions

When building the Lambda layers the instructions say:

From within the /lambda-layer/python directory run:

No leading / is required, because lambda-layer is a subdirectory of aws-iam-temporary-elevated-access-broker.

The next step, "The /okta-authorizer directory contains a Node.js package.json file. From within the directory, install the package.json contents:", is similar. You actually need to go back up 2 levels from the previous instruction to run the npm install command.
