
I'm looking for the best way to control the access to different parts of my API. The API is being called via federated identities which get temporary credentials (STS) that map to a specific IAM role. This ensures that only logged-in users can call the API, which is great. However, I would like to control access, for example for user-management-related API endpoints, in a more fine-grained way. Currently I use Lambda functions and a DynamoDB table to achieve this, but it seems tedious to drag the authorization part into every Lambda function or even only create the Lambda function for this purpose. I have looked into custom authorizers but was not able to find documentation on how to validate the STS token in there, and actually I would like to avoid dealing with it.

So is there an elegant way of per resource / method authorization while still using AWS_IAM as authorizer for the authentication?

Martin Schulze

1 Answer


If you are using the AWS_IAM authorizer at API Gateway, the only approach to providing fine-grained access is using IAM policies attached to the STS assumed role.

Note: It is not possible to pass through the IAM policy to the Lambda function via API Gateway invoke with IAM credentials.

However, you can use the Invoke with caller credentials property in the API Gateway integration request to validate any API Gateway access policies defined in the IAM role assumed via STS. This way you can define a part of the authorization, where you define which API Gateway endpoints and HTTP methods are allowed for the assumed role.

If you need to define object level permission and grant access to users for the individual objects exposed through an API Gateway endpoint, you will need to handle it in Lambda.

Ashan
  • Thank you Ashan for the answer! Invoke with caller credentials is indeed a good point, but would you agree with my understanding that it won't enable me to have user A access GET /resourceX and deny it for user B? Since they both assume the same role there is no way of differentiating, correct? – Martin Schulze Feb 24 '18 at 18:26
  • If both users assume the same role, they will have the same privileges. Any reason for not assuming different IAM roles based on the role assigned to the user in the application? – Ashan Feb 24 '18 at 18:31
  • Well, I'd love different roles, but with Cognito Federated Identities you just define an unauthorized and an authorized role. So you can't distinguish... unless I'm missing something.. – Martin Schulze Feb 24 '18 at 18:33
  • With Cognito Federated Identities you can assume different roles based on your identity providers claims. What do you use for IDP? Cognito UserPools or Social Identities or SAML? – Ashan Feb 24 '18 at 18:35
  • Ah, then I have to look into this further. Currently I have a user pool and social (google). I was planning to add SAML in the future. – Martin Schulze Feb 24 '18 at 18:36
  • Martin, check the following article. https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/ Hope it helps! :) – Ashan Feb 24 '18 at 18:38
  • This looks super promising! I never realized that you can use rules to assign specific roles. I will investigate this now. – Martin Schulze Feb 24 '18 at 18:41
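The chain the answer and its comments describe (token claim selects the IAM role via rule-based role mapping, then the role's IAM policy decides which execute-api method/path may be invoked under the AWS_IAM authorizer) can be simulated locally. The following is an added example, not code from the question, the answer or AWS: region, account id, API id, stage, role ARNs and the sample claims are constructed placeholders, the RoleMappings dict only follows the assumed shape of the identity pool "Rules" mapping, and the small evaluator mimics just IAM's explicit-deny / allow / default-deny ordering with `*`/`?` wildcards rather than the real policy engine.

```python
"""Added example: simulate claim -> assumed role -> API Gateway IAM decision.
All identifiers below are constructed placeholders, not real accounts or APIs.
"""
import re

REGION, ACCOUNT, API_ID, STAGE = "eu-west-1", "123456789012", "abc123def4", "prod"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/api-admin"
USER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/api-user"

# Assumed shape of the identity pool RoleMappings "Rules" type: rules are
# checked in order, the first matching rule decides the role.
ROLE_MAPPING = {
    "Type": "Rules",
    "AmbiguousRoleResolution": "AuthenticatedRole",
    "RulesConfiguration": {"Rules": [
        {"Claim": "cognito:groups", "MatchType": "Contains",
         "Value": "admins", "RoleARN": ADMIN_ROLE},
    ]},
}
AUTHENTICATED_ROLE = USER_ROLE  # fallback when no rule matches


def method_arn(http_method, path):
    """execute-api resource ARN for one method/path of the constructed API."""
    return (f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}"
            f"/{STAGE}/{http_method}/{path.strip('/')}")


# IAM policies attached to each assumable role (constructed).
POLICIES = {
    ADMIN_ROLE: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "execute-api:Invoke",
         "Resource": method_arn("*", "*")},
    ]},
    USER_ROLE: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "execute-api:Invoke",
         "Resource": [method_arn("GET", "items"), method_arn("GET", "items/*")]},
        # Explicit deny: user-management endpoints stay closed even if a
        # broader Allow is added to this role later.
        {"Effect": "Deny", "Action": "execute-api:Invoke",
         "Resource": [method_arn("*", "users"), method_arn("*", "users/*")]},
    ]},
}


def map_role(claims):
    """Pick the IAM role an identity assumes from its token claims."""
    for rule in ROLE_MAPPING["RulesConfiguration"]["Rules"]:
        actual = claims.get(rule["Claim"], "")
        if isinstance(actual, (list, tuple)):  # group claims arrive as a list
            actual = ",".join(actual)
        expected, kind = rule["Value"], rule["MatchType"]
        hit = {"Equals": actual == expected,
               "NotEqual": actual != expected,
               "StartsWith": actual.startswith(expected),
               "Contains": expected in actual}[kind]
        if hit:
            return rule["RoleARN"]
    return AUTHENTICATED_ROLE


def _arn_match(pattern, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(role_arn, http_method, path):
    """Decision for execute-api:Invoke: explicit Deny wins, then Allow, else deny."""
    target = method_arn(http_method, path)
    allowed = False
    for stmt in POLICIES[role_arn]["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(_arn_match(r, target) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def authorize(claims, http_method, path):
    """Full chain: claims -> assumed role -> API Gateway method decision."""
    role = map_role(claims)
    return role, is_allowed(role, http_method, path)


if __name__ == "__main__":
    for who, claims in [("alice", {"cognito:groups": ["admins"]}),
                        ("bob", {"cognito:groups": ["customers"]})]:
        for method, path in [("GET", "/items/42"), ("GET", "/users"), ("DELETE", "/users/7")]:
            role, ok = authorize(claims, method, path)
            print(f"{who:5} {method:6} {path:10} via {role.rsplit('/', 1)[1]:9} -> {'ALLOW' if ok else 'DENY'}")
```

Two identities that end up in the same role get identical decisions, which is exactly the limitation raised in the comments; the per-user difference has to come from the role mapping (different claim, different role), and anything finer than method/path (per-object access) still has to be decided in the Lambda function, as the answer says.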