Authenticated users with STS and API Gateway

+2 votes
If there is a user that sends a request to STS requesting credentials:

const AWS = require('aws-sdk'); // AWS SDK for JavaScript (v2)

// idToken is the identity token issued by the web identity provider after the user signed in.
AWS.config.credentials = new AWS.WebIdentityCredentials({
  RoleArn: 'arn:aws:iam::{id}:role/{role}',
  WebIdentityToken: idToken,
  RoleSessionName: VALUE // placeholder: the session name chosen by the client
});

Next, if the user sends a request to a private API Gateway endpoint, and if it uses RoleSessionName, it gives me the details as to who the person is that makes the request. Now, can we prevent other users from assuming this identity by using the same RoleSessionName?

Is there a best way to authenticate users using STS and IAM roles? If so, what is it?
Mar 27, 2018 in Cloud Computing by hemant
• 5,790 points
1,656 views

2 answers to this question.

+1 vote

RoleSessionName, being an identifier for a defined session, shouldn't be used as a mechanism to differentiate callers in any case.

The assumed role is the "effective" principal in this case. If you want the API to behave differently based on the user, then please use a unique role for each user.

answered Mar 27, 2018 by brat_1
• 7,200 points
0 votes
RoleSessionName is the way to tell each user apart. One cannot create a separate role for each user because each account can only have 1000 roles at most. I think this API call is not meant to be used on the client side for authentication purposes. It's only meant to give a role to an already authenticated user on the server side.
answered Oct 11, 2018 by findingbugs
• 4,780 points
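An added example (not from the question or either answer) covering the point both answers make: with AWS_IAM authorization on API Gateway, a Lambda proxy integration sees the caller as an assumed-role ARN whose last segment is the client-chosen RoleSessionName, so the parser below separates what IAM authorized (the role) from that free-text label; the trust-policy builder then shows how the sts:RoleSessionName condition key can pin the session name to the identity token's sub claim. Assumptions: the provider is accounts.google.com (a built-in web identity provider, so its bare host is a valid Federated principal) and the audience is a placeholder client id.

```javascript
// Added example: caller identity as seen by a private API behind API Gateway,
// and a role trust policy that binds RoleSessionName to the verified token.

// With AWS_IAM auth, a Lambda proxy integration receives the caller as
// event.requestContext.identity.userArn, for example
//   arn:aws:sts::123456789012:assumed-role/AppUserRole/some-session-name
// The role name is what IAM actually authorized; the session name is whatever
// the client passed as RoleSessionName, so by itself it is a label, not proof.
function parseAssumedRoleArn(userArn) {
  const m = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/.exec(userArn || '');
  if (!m) return null; // not an assumed-role principal (e.g. an IAM user ARN)
  return { accountId: m[1], roleName: m[2], sessionName: m[3] };
}

// Convenience wrapper over the API Gateway proxy event shape.
function callerFromApiGatewayEvent(event) {
  const identity = event && event.requestContext && event.requestContext.identity;
  return parseAssumedRoleArn(identity ? identity.userArn : null);
}

// Trust policy for the role assumed via AssumeRoleWithWebIdentity.
// Assumption: providerHost is a built-in web identity provider such as
// accounts.google.com (for a custom OIDC provider, Federated must be the
// provider's IAM ARN instead). The sts:RoleSessionName condition requires the
// session name to equal the token's sub claim, so a user can only assume the
// role under a session name that matches their own verified identity.
function trustPolicyBindingSessionName(providerHost, audience) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: providerHost },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: {
          [`${providerHost}:aud`]: audience,
          'sts:RoleSessionName': `\${${providerHost}:sub}`,
        },
      },
    }],
  };
}

// Constructed sample event (not a real capture) showing the parse result.
const sampleEvent = { requestContext: { identity: {
  userArn: 'arn:aws:sts::123456789012:assumed-role/AppUserRole/user-42' } } };
console.log(callerFromApiGatewayEvent(sampleEvent));
console.log(JSON.stringify(trustPolicyBindingSessionName('accounts.google.com', 'CLIENT_ID_PLACEHOLDER'), null, 2));
```

Under such a trust policy the session name in the assumed-role ARN is attested by the identity provider's token rather than chosen freely by the client; without it, treat only the role name as the authenticated principal.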
