Access existing AWS resources in new application

0

We want to access existing AWS resources that have existing security policies. We want to move to either OAuth2 or SAML authentication/authorization. We would like to find documentation and examples demonstrating the best practice for accomplishing this access of pre-existing resources using either OAuth2 or SAML. Ideally we are looking for a tutorial covering both the API usage in our application as well as any additional IAM configuration.

Our reading of the documentation suggests that calling AssumeRoleWithWebIdentity() (for OAuth2) requires the addition of a role that maps the federated user space to a specific set of authorization policies for individual resources. Is this the best practice? If so, how does this interact with the existing set of authorization policies, especially when we scale to tens of thousands of users and millions of resources?

Any pointers would be most helpful. Thank you!

1 Answer
0

That's a really big question which has multiple answers depending on actual use cases; which identity provider you're going to use; your multi-account structure; and so on. Not something that I'd like to give specific advice on here because of those variables.

For machine-to-machine authentication this is an excellent resource.

For large-scale user authentication you definitely want to look at best practices for IAM, Single Sign-on as well as Organizations and possibly Control Tower.

I'd strongly encourage you to reach out to your local AWS account team and get advice specific to you from them.

AWS
EXPERT
answered 2 years ago
  • Thank you for your response. The use case is pretty straightforward. I have existing customers (end users) with existing (secured) resources. As I am using OAuth2, we are talking about end users. I need to be able to federate their identity so as to be able to access the existing resources. All the documentation I have seen so far assumes a brand new application with new resources managed by the application. That is not us.
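An added illustration, not code from this thread or from AWS, of the role mapping the question describes: one IAM role trusted for sts:AssumeRoleWithWebIdentity from an OAuth2/OIDC issuer, with a single permissions policy that scopes each caller to their own objects through the IdP's subject claim, so the role count does not grow with the user count. It is written as Terraform; idp.example.com, my-app-client-id, customer-data-bucket, the role name and the thumbprint are assumed placeholders, and it assumes the existing bucket's objects are already keyed by that subject claim.

```hcl
# Added example (not from the original post). Assumed placeholders:
# idp.example.com, my-app-client-id, customer-data-bucket, PLACEHOLDER_CA_THUMBPRINT.

# Register the IdP once; its ARN is what the trust policy's Federated principal refers to.
resource "aws_iam_openid_connect_provider" "idp" {
  url             = "https://idp.example.com"
  client_id_list  = ["my-app-client-id"]
  thumbprint_list = ["PLACEHOLDER_CA_THUMBPRINT"]
}

# One role shared by all end users. The trust policy limits who may call
# AssumeRoleWithWebIdentity: only tokens issued by this IdP for this client.
resource "aws_iam_role" "end_user" {
  name = "app-end-user"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.idp.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = { "idp.example.com:aud" = "my-app-client-id" }
      }
    }]
  })
}

# Permissions are scoped per caller by using the IdP subject claim as an IAM
# policy variable, so tens of thousands of users share one role and one policy
# instead of needing a role or statement each. ($${ escapes Terraform's own
# interpolation so IAM receives the literal ${idp.example.com:sub}.)
resource "aws_iam_role_policy" "end_user_scoped" {
  role = aws_iam_role.end_user.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "arn:aws:s3:::customer-data-bucket/$${idp.example.com:sub}/*"
      },
      {
        Effect    = "Allow"
        Action    = "s3:ListBucket"
        Resource  = "arn:aws:s3:::customer-data-bucket"
        Condition = {
          StringLike = { "s3:prefix" = "$${idp.example.com:sub}/*" }
        }
      }
    ]
  })
}
```

The existing resource-based policies keep applying alongside this role policy: an explicit Deny in a bucket policy still wins, and for resources in another account both the role policy and the resource policy must allow the call.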
