aws-samples / aws-iam-temporary-elevated-access-broker Goto Github PK

Causes the following dependency error:

I plan to submit a PR for this; in the meantime you can comment out all mentions of: // Clipboard.setString(content)

And also remove it from the package.json - and rerun npm install

The output (LambdaIdentityBrokerRole) from CloudFormation includes the full arn - the guidance could be simiplied to simply use the ARN rather than extract <account> and <federate>

When generating CLI credentials for an approved request, there is an option to copy to clipboard. When clicking this button there is nothing actually being copied, i don't see any errors in the browser console for this and doesn't look like there's even an event firing in response to the button click.

I'm getting a 500 error when rejecting a request. The request is rejected, the status is updated in DynamoDB and the reject email is sent, but the below FlashMessage is displayed.

Here's the API log.
{ 'requestId':'bb5387b6-8e99-42a7-b642-36de59bc0725', 'ip': ', 'caller':'-', 'user':'-','requestTime':'08/Sep/2022:16:40:06 +0000', 'xrayTraceId':'Root=1-631a1ae6-583ae0e6723c7be14df47737', 'wafResponseCode':'-', 'httpMethod':'GET','resourcePath':'/get_pending_requests', 'status':'500','protocol':'HTTP/1.1', 'responseLength':'16' }

Here is the log from the custom_authorizer Lambda

ERROR Invoke Error {"errorType":"TypeError","errorMessage":"Cannot read property 'split' of undefined","stack":["TypeError: Cannot read property 'split' of undefined"," at Parser.parse (/var/task/node_modules/njwt/index.js:290:28)"," at Verifier.verify (/var/task/node_modules/njwt/index.js:349:24)"," at /var/task/node_modules/@okta/jwt-verifier/lib.js:206:21"," at new Promise ()"," at OktaJwtVerifier.verifyAsPromise (/var/task/node_modules/@okta/jwt-verifier/lib.js:204:12)"," at OktaJwtVerifier.verifyAccessToken (/var/task/node_modules/@okta/jwt-verifier/lib.js:238:28)"," at verifyAccessToken (/var/task/index.js:88:31)"," at Runtime.exports.handler (/var/task/index.js:134:9)"," at Runtime.handleOnceNonStreaming (/var/runtime/Runtime.js:73:25)"]}

• Missing guidance when setting up the Okta authorization server (default) you need to change the default Audience string from api://default to the one set in the Okta applications OpenID Connection ID Token
• Missing guidance of updating Okta Sign-in redirect URLsredirect_uri and Sig-out redirect URLs to point to the CloudFront URL

Overall, screenshots of example configurations would be valuable.

At this stage the IAM Role names are not known. Suggest to reorder creation of IAM roles above this section

Hi,

Is it possible to set this app with a Org Authentication server instead a Custom Authentication Server?

We are unable to validate the AccessToken against a Okta Org Authentication Server.

Thank you in advance

ApiGatewayKeyValue contains the CLI command to get the key - not the key, this should be clear with steps to get the key (e.g. via Cloud9 environment)

I'm trying to test out this broker and when on the Create-Request form, the input components do not fire the onChange events. The data loads in the accounts select component but when I select an account the roles don't load and further debugging showed the onChange event handler for the account select component never gets fired. I checked if the other components onChange events fire and they do not. Anyone else see this issue?

This is the de-facto recommendation unless requiring more advanced scenarios.

ref: https://github.com/awslabs/aws-jwt-verify

Suggest referencing the actual CloudFormation output name (ServiceEndpoint) instead of (APIEndpoint)

Also, remove https:// prefix as the CloudFormation output already has it

Hello, I am receiving the above error after okta authentication. However, when I inspect the network requests all of the "getUserInfo" calls are receiving 200 responses with appropriate data in them. Has anyone encountered this issue before?

I have deployed the solution but when I go to each of the dashboards, i.e. Request, Review or Audit I get the following error message: 'Could not get the requests: TypeError: Failed to fetch'. In Chrome developer tools I get the following message in the Console "Access to fetch at 'https://sj716j38m0.execute-api.us-east-1.amazonaws.com/dev/get_requests' from origin 'https://dfoacryhmkmu6.cloudfront.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled." See attached screenshots for more details.

npm install

added 2596 packages, and audited 2597 packages in 1m

246 packages are looking for funding
run npm fund for details

27 vulnerabilities (10 moderate, 15 high, 2 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Hi,

I've followed through the steps and got everything deployed and configured as expected I believe.

I can successfully login and from debugging I can see the groups coming through as expected from the IDP in the HomePageContent.tsx createAccountMap function.

When I navigate to the create request form I can select the account, however this doesn't trigger the onChange event to populate the role and I cannot select that.

I've added some console.logs to the onChange events and I can't see any of them being triggered when the form input is changed.

I'm using Chrome version 98.0.4758.102, also checked in edge 98.0.1108.55 and had the same.

Any ideas?

Thanks

Paul

Groups claim name must be all lower case! as it’s expected by the SPA code to be lower: groups

Please make this very clear in the guidance, as the current reference has it proper case which does not work.

Please include guidance for the other fields for Okta configuration - such as Filter and Regex

Am screen shot of an example Okta configuration could be useful.

Failed to compile.

TS2322: Type '{ header: { text: string; href: string; }; expanded: boolean; items: SideNavigationItem[]; }' is not assignable to type 'IntrinsicAttributes & (IntrinsicClassAttributes<Component<Pick<SideNavigationProps, "header" | "items"> & ({} | { wrappedComponentRef?: Ref | undefined; }), any, any>> & (Readonly<...> & Readonly<...>))'.
Property 'expanded' does not exist on type 'IntrinsicAttributes & (IntrinsicClassAttributes<Component<Pick<SideNavigationProps, "header" | "items"> & ({} | { wrappedComponentRef?: Ref | undefined; }), any, any>> & (Readonly<...> & Readonly<...>))'.
17 | return <SideNavigationBase
18 | header={{text: 'Demo', href: '/'}}

19 | expanded={false}
| ^^^^^^^^
20 | items={
21 | getNavigation()
22 | }

Error

Property 'groups' does not exist on type '{ auth_time?: number | undefined; aud?: string | undefined; email?: string | undefined; email_verified?: boolean | undefined; exp?: number | undefined; family_name?: string | undefined; ... 12 more ...; at_hash?: string | undefined; }'. TS2339

    83 |         const claims = await oktaAuth.getUser();
    84 |         userInfo.user = claims.email ? claims.email : "";
  > 85 |         userInfo.accountMap = createAccountMap(claims.groups);
       |                                                       ^
    86 | 
    87 |         const tokenManager = oktaAuth.tokenManager;
    88 |         const accessToken = await tokenManager.get('accessToken');

Step to replicate

1. Run npm run build on ui-frontend
2. npm package.json is set to "@okta/okta-react": "^6.3.0"

Temp fix
pin @okta/okta-react to version 6.3.0

The current guidance for CloudFormation deployment does not cover the steps/guidance to get the template from the Cloud9 environment to either an S3 bucket or local file such that it can be deployed via the AWS Management Console

What changes need to be made into cloudformation if we dont want to use Lambda@Edge. Will it even work if we dont want to use Lambda@Edge

Suggest that the listed bullets in the same order as they appear on the CloudFormation console page

I try to deploy the resulting template with :

aws cloudformation deploy --template-file /home/adrian/Downloads/dlg/aws-iam-temporary-elevated-access-broker/packaged-template.yaml --stack-name stack --s3-bucket bucketspa3 --capabilities CAPABILITY_NAMED_IAM

This always fails and I have to rollback. I have admin privileges on my IAM role.

some of the errors I get:

The following resource(s) failed to create: [LambdaExecutionRole, ApiGatewayLogGroup, GetrequestsLogGroup, DynamodbstreamLogGroup, WebBucket, FederateconsoleLogGroup, CustomauthorizerLogGroup, GetpendingrequestsLogGroup, GetallrequestsLogGroup, CloudWatchRole, LambdaLayer, OriginResponseLogGroup, RejectrequestLogGroup, FederatecliLogGroup, KMSDecryptPolicy, DeleterequestLogGroup, OriginAccessIdentity, CreaterequestLogGroup, DynamoDBReadPolicy, HttpoptionshandlerLogGroup, LambdaEdgeFunctionRole, requestTable, CloudFrontCachePolicy, ApprovalSNSTopic, GetprocessedrequestsLogGroup, ApproverequestLogGroup]. Rollback requested by user.

The ui directory does not exist. The relative path would be /public/index.html

These parameters in the CloudFormation deployment are dependent on the Okta configuration:

I'd suggest the Okta setup section is put before the CloudFormation deployment.

When building the lambda layers the instructions say

From within the /lambda-layer/python directory run:

no leading / is required because lambda-layer is a sub directory of aws-iam-temporary-elevated-access-broker

The next step:

The /okta-authorizer directory contains a Node.js package.json file. From within the directory, install the package.json contents: is similar. You actually need to go back up 2 levels from the previous instruction to run the npm install command

Create & validate an email to be used by SNS before CloudFormation deployment