
(tenant management service): (create tenant doc example failing with 403 forbidden) #128

Open
jmezzera opened this issue Jan 13, 2025 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments

@jmezzera (Contributor)

jmezzera commented Jan 13, 2025

Describe the issue

Hello there,

I'm trying to run the example stack to test the library, however, I'm facing some authentication issues.

The following request is returning a 403 status:

curl --request POST \
--url "${CONTROL_PLANE_API_ENDPOINT}tenants" \
--header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header 'content-type: application/json' \
--data "$DATA" | jq

While inspecting the API Gateway the stack deploys, and looking at the underlying code, I noticed that the authorizer for the POST routes is an IAM authorizer and not a CognitoAuthorizer, which led me to believe that the JWT token being passed to that request in the docs (retrieved from cognito) is not the one to be used.

Context

  "dependencies": {
    "@cdklabs/sbt-aws": "^0.5.14",
    "aws-cdk-lib": "2.171.1",
    "constructs": "^10.0.0"
  }

Am I doing anything wrong on my side?

Thanks in advance

@jmezzera jmezzera added the documentation Improvements or additions to documentation label Jan 13, 2025
@jmezzera jmezzera changed the title (tenant management service): (doc example failing) (tenant management service): (create tenant doc example failing with 403 forbidden) Jan 13, 2025
@jmezzera (Contributor, Author)

jmezzera commented Jan 13, 2025

Using SigV4 with personal credentials worked and the tenant got created. What's the general guideline in these cases? Should I use IAM identities to manage tenants or Cognito's?

It returned 201 and created the tenant in the DynamoDB table, but did not trigger the Step Function that provisions the tenant infra.

After a bit of debugging, I realized that the /tenant-registrations function internally POSTs to /tenants and uses Cognito authentication. So maybe that's the one that should get used? Trying that, the Step Function triggered (it failed though; will continue debugging).

@jmezzera (Contributor, Author)

I got it to work by POSTing to /tenant-registrations with the tenant payload nested within a tenantData key.

@suhussai (Contributor)

@jmezzera, sorry, the docs need a little bit of an update. The TenantRegistration functionality was very recently added. Initially, you could access the TenantManagement service directly, but in order to improve the orchestration, we've added the TenantRegistration service, which not only calls out to the TenantManagement service (via IAM auth) to create the tenant, but is also responsible for placing the tenant onboarding message on the shared event bus in order to trigger the onboarding step function.

Just as an FYI, here's a sample request out to the TenantRegistration endpoint:

sbt-aws/scripts/sbt-aws.sh

Lines 167 to 197 in 4b3afd8

DATA=$(jq --null-input \
  --arg tenantName "$TENANT_NAME" \
  --arg tenantEmail "$TENANT_EMAIL" \
  '{
    "tenantData": {
      "tenantName": $tenantName,
      "email": $tenantEmail,
      "tier": "basic",
      "prices": [
        {
          "id": "price_123456789Example",
          "metricName": "productsSold"
        },
        {
          "id": "price_123456789AnotherExample",
          "metricName": "plusProductsSold"
        }
      ]
    },
    "tenantRegistrationData": {
      "registrationStatus": "In progress",
      "tenantRegistrationData1": "test"
    }
  }')

RESPONSE=$(curl --request POST \
  --url "${CONTROL_PLANE_API_ENDPOINT}tenant-registrations" \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --header 'content-type: application/json' \
  --data "$DATA" \
  --silent)

You can have a look at our testing framework to see how to interact with it and what the response includes:

# Test create-tenant-registration
echo "Testing create-tenant-registration..."
response=$(./sbt-aws.sh create-tenant-registration)
tenant_registration_id=$(echo "$response" | jq -r '.data.tenantRegistrationId')
tenant_id=$(echo "$response" | jq -r '.data.tenantId')

Hope this helps!

Sorry about the confusion. I'll leave this open until we get a PR to fix the documentation.
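The two findings in this thread, as an added example that is not part of sbt-aws or of either commenter's code: the `/tenant-registrations` route takes the tenant fields nested under `tenantData` with a Cognito JWT as a Bearer token, while an IAM-authorized route such as `POST /tenants` rejects that JWT with 403 and wants a SigV4-signed request instead. The script below builds the registration payload and request, and hand-rolls the SigV4 header construction for the IAM case so the contrast is visible without a network call. The endpoint, credentials, tenant values and the `price_example` identifier are constructed placeholders; the signer assumes an empty query string and a path with no characters needing URI encoding, and in real use you would prefer botocore's `SigV4Auth` or `curl --aws-sigv4`.

```python
"""Added example, not sbt-aws project code.

Builds the /tenant-registrations request the thread settled on (tenant fields
nested under "tenantData", Cognito bearer token) and, for contrast, the SigV4
headers an IAM-authorized API Gateway route such as POST /tenants requires.
The endpoint, credentials and tenant values below are constructed placeholders.
"""
import datetime as dt
import hashlib
import hmac
import json
import urllib.parse

SERVICE = "execute-api"  # API Gateway's SigV4 service name


def build_registration_payload(tenant_name, email, tier="basic", prices=None, extra=None):
    """Shape expected by /tenant-registrations: tenant fields live under
    "tenantData"; posting them flat (as the old /tenants docs showed) is wrong."""
    return {
        "tenantData": {
            "tenantName": tenant_name,
            "email": email,
            "tier": tier,
            "prices": prices or [],
        },
        "tenantRegistrationData": {"registrationStatus": "In progress", **(extra or {})},
    }


def registration_request(control_plane_endpoint, access_token, payload):
    """Cognito-authorized route: the JWT from the control-plane user pool goes
    in a Bearer Authorization header.  Returns url/headers/body for curl or requests."""
    return {
        "url": control_plane_endpoint + "tenant-registrations",  # endpoint ends with "/"
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "content-type": "application/json",
        },
        "body": json.dumps(payload),
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, url, body, access_key, secret_key, region,
                  session_token=None, amz_date=None):
    """IAM-authorized route: API Gateway verifies a SigV4 signature, so a
    Cognito JWT in a Bearer header gets 403.  Hand-rolled signer (assumption:
    no query string, path needs no URI encoding); prefer botocore's SigV4Auth
    or `curl --aws-sigv4` outside of an illustration."""
    amz_date = amz_date or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    parts = urllib.parse.urlsplit(url)
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    headers = {
        "content-type": "application/json",
        "host": parts.netloc,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials (STS, SSO) must also send the token
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)  # canonical headers: lowercase names, sorted
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        method.upper(), parts.path or "/", "", canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing key: HMAC chain from the secret through date, region, service, terminator.
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for piece in (region, SERVICE, "aws4_request"):
        key = _hmac(key, piece)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed sample values; nothing here is sent anywhere.
    payload = build_registration_payload(
        "acme", "admin@acme.example",
        prices=[{"id": "price_example", "metricName": "productsSold"}])
    req = registration_request(
        "https://example.execute-api.us-east-1.amazonaws.com/prod/", "eyJ.example.jwt", payload)
    print(req["url"], req["headers"]["Authorization"])
    print(sigv4_headers("POST", req["url"].replace("tenant-registrations", "tenants"),
                        req["body"], "AKIAEXAMPLE", "examplesecret", "us-east-1")["Authorization"])
```

Calling `/tenants` with `registration_request`'s Bearer header reproduces the 403 from the issue; calling `/tenant-registrations` with `sigv4_headers` fails the JWT authorizer instead. Matching the auth scheme to the route's authorizer is the whole fix, and nesting under `tenantData` is what lets the registration service forward the tenant and put the onboarding message on the event bus.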
