Authenticated users with STS and API Gateway

+2 votes
If there is a user that sends a request to STS requesting credentials:

    // AWS SDK for JavaScript (v2); the role and session values are placeholders
    const AWS = require('aws-sdk');

    // Exchange the identity provider's token for temporary role credentials
    AWS.config.credentials = new AWS.WebIdentityCredentials({
      RoleArn: 'arn:aws:iam::{id}:role/{role}',   // role to assume
      WebIdentityToken: idToken,                  // token from the identity provider
      RoleSessionName: VALUE                      // session name chosen by the caller
    });

Next, if the user sends a request to a private API Gateway endpoint and it uses RoleSessionName, it gives me the details as to who the person is that makes the request. Now, can we prevent other users from assuming this identity by using the same RoleSessionName?

Is there a best way to authenticate users using STS and IAM roles? If yes, what is it?
Mar 26, 2018 in Cloud Computing by hemant
• 5,750 points
107 views

2 answers to this question.

+1 vote
RoleSessionName, being an identifier for a defined session, shouldn't be used as a mechanism to differentiate callers in any case.

The assumed role is the "effective" principal in this case. If you want the API to behave differently based on the user, then please use a unique role for each user.
answered Mar 27, 2018 by brat_1
• 7,080 points
0 votes
RoleSessionName is the way to tell each user apart. One cannot create a separate role for each user because each account can only have 1000 roles at most. I think this API call is not meant to be used on the client side for authentication purposes. It's only meant to give a role to an already authenticated user on the server side.
answered Oct 11, 2018 by findingbugs
• 4,750 points
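Both answers above turn on what the session name can and cannot prove. As an added example (not code from the question or either answer), here is an API Gateway Lambda proxy handler, behind a method using AWS_IAM authorization, that authorizes on the role name and treats RoleSessionName as audit metadata only; it assumes API Gateway exposes the caller as event.requestContext.identity.userArn, and the role allow-list and sample event are constructed.

```javascript
// Added example, not code from the question or either answer.
// Lambda proxy integration behind an API Gateway method with AWS_IAM auth.
// Assumption: API Gateway sets event.requestContext.identity.userArn to the
// effective principal, which for AssumeRoleWithWebIdentity credentials is
//   arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>

const ASSUMED_ROLE_ARN = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/([^/]+)$/;

// Constructed allow-list for the example. The role name is fixed by IAM
// (the role's trust policy decides who may assume it); the session name is
// chosen by whoever called STS, so two callers can present the same one.
const TRUSTED_ROLES = new Set(['AppUserRole']);

function parseAssumedRoleArn(userArn) {
  const m = ASSUMED_ROLE_ARN.exec(userArn || '');
  if (!m) return null;
  return { accountId: m[1], roleName: m[2], sessionName: m[3] };
}

// Decide on the role only; the session name is kept purely for audit logs.
function authorizeRequest(event) {
  const identity = (event.requestContext && event.requestContext.identity) || {};
  const principal = parseAssumedRoleArn(identity.userArn);
  if (!principal) {
    return { allowed: false, reason: 'caller is not an assumed-role principal' };
  }
  if (!TRUSTED_ROLES.has(principal.roleName)) {
    return { allowed: false, reason: `role ${principal.roleName} is not trusted` };
  }
  return { allowed: true, roleName: principal.roleName, sessionName: principal.sessionName };
}

async function handler(event) {
  const decision = authorizeRequest(event);
  if (!decision.allowed) {
    return { statusCode: 403, body: JSON.stringify({ error: decision.reason }) };
  }
  // The session name is echoed so it can be correlated with CloudTrail,
  // but nothing here grants or denies anything based on it.
  return { statusCode: 200, body: JSON.stringify({ role: decision.roleName, session: decision.sessionName }) };
}

// Constructed proxy event for a local run (no API Gateway needed).
function sampleEvent(userArn) {
  return { httpMethod: 'GET', path: '/me', requestContext: { identity: { userArn } } };
}

if (typeof module !== 'undefined') {
  module.exports = { parseAssumedRoleArn, authorizeRequest, handler, sampleEvent };
}
```

A caller who picks someone else's RoleSessionName still only gets the permissions of the role, which is why the check keys on the role name.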
