I have full permission to my s3 User login:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
There is no group policy attached to this user.
But when I give putObject() command from my java program, I receive Access Denied message.
What can be the issue. As I told my user login has administrator access as well as AmazonS3FullAccess. Thanks for help in advance.
I got the issue resolved.
It was not about firewall or permissions settings as I thought.
I was trying to do putObject on bucket which I should have created before doing this.
Inspite of saying no bucket found AWS gives a message Access Denied, which is wierd.
Hope this helps someone.
You should make sure whether your IP address is allowed or not. For Amazon Services, you can restrict access using IP addresses too. I had the same issue.
Related
My goal (background info)
I want to develop a java microservice on cumulocity. It should be able to do the following:
I would send "112233" to the microservice as follows:
https://myTenant.cumulocity.com/service/my-application-name/decode?data=112233
The microservice should then split the data into "11" for the first measurement and "22" for the second measurement etc. These measurements would be POSTed to cumulocity.
My problem
I am now stuck on getting the Hello, microservice tutorial to work. I can't deploy the microservice (zip file) to cumulocity.
"error":"security/Forbidden","info":"https://www.cumulocity.com/guides/reference-guide/#error_reporting","message":"Access is denied"} (I am an admin user.)
I also tried to upload the zip file via the website, this created a HOSTED application instead of a MICROSERVICE. Uploading my zip via a POST request to a HOSTED application actually works (which I obviously don't need).
I suspect that I get the "access denied" error cause cumulocity thinks that I upload a HOSTED application to a MICROSERVICE.
What I've done so far
Code side
I downloaded the hello-world-microservice example from the cumulocity bitbucket development branch. (This code is not available on the default branch).
I changed the cumulocity versions to 9.3.0, only this version seems to exist.
The HelloWorldMain.java is unedited
This is my cumulocity.json manifest file: (the roles make no difference)
{
"apiVersion":"1",
"type":"MICROSERVICE",
"version":"#project.version#",
"availability":"PRIVATE",
"provider":{
"name":"Cumulocity GmbH"
},
"isolation":"MULTI_TENANT",
"requiredRoles":[
"ROLE_APPLICATION_MANAGEMENT_ADMIN",
"ROLE_MEASUREMENT_ADMIN",
"ROLE_INVENTORY_ADMIN"
],
"roles":[
"ROLE_APPLICATION_MANAGEMENT_ADMIN",
"ROLE_MEASUREMENT_ADMIN",
"ROLE_INVENTORY_ADMIN"
],
"livenessProbe":{
"httpGet":{
"path":"/health",
"port":80
},
"initialDelaySeconds":15,
"periodSeconds":10
},
"readinessProbe":{
"httpGet":{
"path":"/health",
"port":80
}
}
}
This is my application.properties file
application.name=my-application-name
server.port=80
C8Y.baseURL=https://myTenant.cumulocity.com
C8Y.bootstrap.tenant=myTenant
C8Y.bootstrap.user=servicebootstrap_my-application-name
C8Y.bootstrap.password={SECRET_BOOTSTRAP_PASSW}
C8Y.user={MY_USERNAME}
C8Y.password={SECRET_PASSW}
C8Y.bootstrap.register=true
C8Y.microservice.isolation=MULTI_TENANT
C8Y.bootstrap.initialDelay=10000
Cumulocity side
I successfully created a microservice application,
GET https://myTenant.cumulocity.com/application/applications/5886 returns:
{
"availability":"PRIVATE",
"id":"5886",
"key":"my-application-key",
"manifest":{
"imports":[
],
"noAppSwitcher":true
},
"name":"my-application-name",
"owner":{
"self":"https://myTenant.cumulocity.com/tenant/tenants/myTenant",
"tenant":{
"id":"myTenant"
}
},
"requiredRoles":[
"ROLE_APPLICATION_MANAGEMENT_ADMIN",
"ROLE_MEASUREMENT_ADMIN",
"ROLE_INVENTORY_ADMIN"
],
"roles":[
"ROLE_APPLICATION_MANAGEMENT_ADMIN",
"ROLE_MEASUREMENT_ADMIN",
"ROLE_INVENTORY_ADMIN"
],
"self":"https://myTenant.cumulocity.com/application/applications/5886",
"type":"MICROSERVICE"
}
I also successfully subscribed to this application.
When I try to upload the zip file to cumulocity, I get this error:
"error":"security/Forbidden","info":"https://www.cumulocity.com/guides/reference-guide/#error_reporting","message":"Access is denied"}
(Uploading to a HOSTED type application works fine, but I don't want that.)
note: I also tried to use the microservice deploy script, this gave the same result as doing everything manually.
Trying to run it locally
Since I couldn't get it to work on the cumulocity platform, I tried to run it locally via docker. I ran it with this command:
docker run -e "C8Y_MICROSERVICE_ISOLATION=MULTI_TENANT" 10aa0b73ddb3
note: I had to add the "C8Y_MICROSERVICE_ISOLATION=MULTI_TENANT" environment variable. if I didn't add this, I'd get credential/permission issues. This seems weird to me, since all other info is read from the application.properties file except for this one.
I have no errors when running this image on a local docker.
According to the Hello, microservice tutorial, I should be able to request curl -H "Authorization: {AUTHORIZATION}" https://myTenant.cumulocity.com/service/my-application-name/hello?who=me
This returns:
{"error":"microservice/Not Found","info":"https://www.cumulocity.com/guides/reference-guide/#error_reporting","message":"Microservice my-application-name not found."}
Back to the questions
Has anyone else had difficulties with setting up a microservice on cumulocity?
Is there something I'm totally overseeing?
The microservice hosting needs to be assigned to your tenant otherwise it won't work and the API in that case will return forbidden. So it might be that it is no issue with your user but that your tenant has the feature not activated.
My client has an S3 bucket where they write some files and they have shared their accessKey & secretKey which I'm able to access from cyberduck s3 UI client but I need to automate this process of reading files so I wrote Java code using aws-s3 sdk jars to get access to that bucket but I am getting Access Denied Exception, had discussed with client to grant persmissions so that we can get read only access to bucket but they are saying we have restricted access to cyberduck UI client only. I did some r&d and found that access to s3 buckets can be restricted for particular http referrer but not very sure if it can be restricted for cyberduck type UI client only or any particular limited clients. Also operations allowed on s3 bucket can be enabled and I am using listObjects() and getObject() (which is enabled as per my client). I think my client isn't very sure about what they have done. So I tried to access it from Dragon Disk s3 UI client and I got same Access Denied Exception. I am trying to access through my white listed IP address.
exception stack trace is : -
com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 96924E9AF7DDBA9E), S3 Extended Request ID: aRS00z2jHkv8TWhyHlV9k0wYj/MYuMwcrwcDgqgK2frjtSEAgTZ+tv6//brhfofGQr/UBIOCMgA=
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1586)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1254)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1035)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:747)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:721)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:704)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:672)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:654)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:518)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4137)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4079)
at com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:819)
at com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:791)
It'll be very helpful if someone can comment or share something on this, If it is possible to restrict access to only one client or how to achieve this so that I can figure out what bucket policies my client might have set so that I can ask him to enable permissions that way.
I'm trying to list of all files within Google Drive using Drive API. I've found one API which gives me this list.
When I try to run this API in API explorer it works fine. Give me list of all files
https://www.googleapis.com/drive/v3/files
But when I copy paste url in browser & runs it proving API key, Show me an error.
https://www.googleapis.com/drive/v3/files?key={YOUR_API_KEY}
{
"error": {
"errors": [
{
"domain": "global",
"reason": "insufficientFilePermissions",
"message": "The user does not have sufficient permissions for this file."
}
],
"code": 403,
"message": "The user does not have sufficient permissions for this file."
}
}
I'm pretty new in android. I just want retrieve file list. not search function.
The issue might be your file permission check this documentation for the file permissions -
https://developers.google.com/drive/v3/reference/permissions
Only OAuth 2.0 is supported for Google Drive API.
https://developers.google.com/drive/v3/web/about-auth
Is there a way to leverage instance roles to be able to send mail to SES from a Java application running on an Amazon Linux EC2 instance so that one does not have to have IAM access keys on the box or in memory?
Would prefer not to have any private keys, including IAM keys (even those with locked down privileges), on our EC2 instances whether on disk or in memory.
Create an IAM EC2 Instance Profile/Role with the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1393257734000",
"Effect": "Allow",
"Action": [
"ses:SendEmail"
],
"Resource": [
"*"
]
}
}
When you launch your instance, assign to it your IAM EC2 instance profile from above, then you can use the AWS cli or various AWS SDK to send emails using the ses:SendEmail command.
Edit:
The AWS SDK for Java can use Instance Profile credentials.
AmazonSimpleEmailService sesClient = new AmazonSimpleEmailServiceClient(new InstanceProfileCredentialsProvider());
Reference: http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html
I can't upload data to my GAE Java dev serwer. Bulkloader asks for a password, but no password matches:
D:\python_google_appengine>appcfg.py upload_data --config_file=bulkloader.yaml --filename=templates.csv --url=http://localhost:8080/remote_api --kind=EmailMessageTemplate --application=myappid --insecure
Uploading data records.
[INFO ] Logging to bulkloader-log-20110927.084025
[INFO ] Throttling transfers:
[INFO ] Bandwidth: 250000 bytes/second
[INFO ] HTTP connections: 8/second
[INFO ] Entities inserted/fetched/modified: 20/second
[INFO ] Batch Size: 10
[INFO ] Opening database: bulkloader-progress-20110927.084025.sql3
Please enter login credentials for localhost
Email: m#gmail.com
Password for m#gmail.com:
[INFO ] Connecting to localhost:8080/remote_api
2011-09-27 08:40:44,062 WARNING appengine_rpc.py:435 ssl module not found.
Without the ssl module, the identity of the remote host cannot be verified, and
connections may NOT be secure. To fix this, please install the ssl module from
http://pypi.python.org/pypi/ssl .
To learn more, see http://code.google.com/appengine/kb/general.html#rpcssl .
Please enter login credentials for localhost
Email: Interrupted.
Then how to create credentials with a password on Java dev server or bypass password requirement?
I've read answers from here Which credentials should I put in for Google App Engine BulkLoader at development server? and comments for this issue http://code.google.com/p/googleappengine/issues/detail?id=2440 but it is all about Python dev server not Java.
Maybe this is temporary issue. Try redeploying application, and restart all the stuff. Use any email and empty password.
For development server of GAE
(1) use browser to goto http://localhost:8080/_ah/login in order check admin email. The default is test#example.com
(2) add --email=test#example.com --passin to the appcfg.py parameters and just press enter for the password prompt
(3) the application id has the prefix of dev~ for development server e.g. application=dev~myappid