I'm using the Google client API library for Python. My code is running on an Ubuntu 14.04LTS server.
I have a working Google Compute project, were I created and downloaded a OAuth2.0 token to my server.
I'm trying to write a script that does the following:
Automatically (with no user interaction) authenticate to Google Compute engine.
create a new VM and then perform more actions...
My basic problem is using the OAuth2.0 authentication. It required user approval on a javascript supporting browser, and I want to do it automatically, on my server.
Using my code on my desktop works. A browser page pops up requiring my approval. On my server, I get the following message:
we have detected that your javascript is disabled in your browser
The code segment I use for authentication is:
# authenticate using the OAuth token
client_secret = os.path.join(
os.path.dirname(__file__),
self._oauth_token_path)
# set up a Flow object for the authentication
flow = client.flow_from_clientsecrets(
client_secret,
scope=scope,
message=tools.message_if_missing(client_secret))
# open credential storage path
credential_storage = file.Storage(self._credential_storage_path)
credentials = credential_storage.get()
# get credentails if necessary
if credentials is None or credentials.invalid:
credentials = tools.run_flow(flow, credential_storage, flags)
I read about service account access as a replacement of the regular OAuth2.0 authentication. Does any one know if that's the best way to go? any thoughts on how to do it better?
OAuth 2.0 requires user approval and is not the method to go for if you want to run your code/scripts automatically.
Service accounts are more suitable for this and are supported by the API (https://cloud.google.com/compute/docs/authentication#tools)
You create a service account + key in the developer console and use both to authenticate your application.
Related
I have some params in Remote Config that I want to update from the Google Cloud Functions.
Should I use the Remote Config API when both Cloud Functions and Remote Config belong to the same account or project?
I am asking because Cloud Functions can directly import the data from Firestore without any authentication and API.
Remote Config provided the RESTful APIs to update the parameters or template.
You don't have to call them from a Google Cloud function. But calling them from a Google Cloud function or even Firebase Cloud function is definitely workable.
You can even call the RESTful APIs from postman or some other tools once you set up the call properly.
Check more details here: https://firebase.google.com/docs/reference/remote-config/rest
With Remote Config backend APIs, you could use Remote Config with Cloud Functions for Firebase, changing values in your app based on events that happen server-side. For example, you can use Remote Config to promote a new feature in your app, and then turn off that promotion automatically once you detect enough people have interacted with the new feature.
Using the Remote Config REST API or the Admin SDKs described in this guide, you can bypass managing the template in the Firebase console to directly integrate Remote Config changes into your own processes.
As described here, Cloud Functions can be triggered in response to changes in Firebase Remote Config in the same Cloud project as the function. This makes it possible to change the behavior and appearance of your app without publishing an app update.
I'm doing some tests with Azure APIM and have already published an API on the developer portal. I have the docs, have it secured using OAuth2 with Azure AD with client_credentials flow. I can invoke this API from Postman and from the developer portal.
Unfortunatelly, the client_id and secret are set on the configuration and the developer cannot self service them. Is there a way to do so instead of having to add it manually to each developer?
I was looking for something like this: https://tyk.io/docs/tyk-stack/tyk-developer-portal/portal-oauth-clients/
Azure APIM itself doesn't act as an identity provider like tyk but instead uses Azure AD (or rather any OAuth 2.0 provider).
The configuration in the docs is primarily to get the Developer Portal Console (the one used to test APIs) to work. For the actual API calls, there is no configuration required.
The validate-jwt policy is what takes care of preauthorization of requests.
Since you are looking for the client credentials flow alone, you could simply expose a portal that can create the required app registrations on your Azure AD using the Microsoft Graph API and expose the client id/secret to your users.
The current developer portal doesn't support this as of today but is something you could contribute to if you wish.
I am using pyzabbix module to use the Zabbix API, but is there any way to login the Zabbix API without giving the username and password in Python script?
Like any API token which serves the purpose.
There are no API tokens or similar access methods in Zabbix currently.
There is not, but you should use an environment variable (see environment variable in python) to store the password/token anyway, in order to avoid having it inside the code in cleartext. The environment is visible to the user only, and is usually initialized from a protected file (0600 permission in unix style), or a masked CI/CD variable.
I am using Zabbix 5.4.7
There is a section API tokens under:
Administration -> General -> API tokens
I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.
All good so far. Here is the question (or challange?) :
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the follwoing question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
I am trying to figure out what is involved to write a console application that will run as part of a VSTS Release task and that program will read a connection string (secret) from a preconfigured keyvault and then connect to an Azure SQL db using that connection string and apply some changes.
Currently I have my Web Apps connecting to KeyVault and the Azure SQL Server
using Azure AD Application Token authentication so I know what is involved on that front.
When you check "Allow scripts to access OAuth token" on agent settings page,
can this token be used (using ADAL) to connect to KeyVault and SQL Server.
(Assuming the VisualStudioSPNxxx has the appropriate access to the above resources).
If not what should I be looking for?
The vsts token (Allow scripts to access OAuth token) can’t be used to connect to KeyVault.
You need to register app with Azure Active Directory and enable to communicate with Azure Active Directory and Key Vault, then get the connectionstring dynamically.
More information, you can refer to: Protecting Secrets using VSTS and Azure Key Vault
This is made relatively very easy now with Variable Groups - https://learn.microsoft.com/en-us/vsts/pipelines/library/variable-groups?view=vsts
You can link a secret by connecting your Azure KV to a variable and then use this variable as you would normally use it in any script/task.