- Newest
- Most votes
- Most comments
What's missing from your question is what you're trying to do. What I think you're saying is "I have a mobile app that needs to do something with Polly". I'm going to assume that's what you're looking for.
First, you can do what you describe but that will involve putting some sort of long-term credentials into your application - either in the form of IAM credentials or something else that will allow you to get those IAM credentials. As you've figured out, the credentials are necessary for calling Polly directly. But this is not necessarily the best way (even taking out the long-lived credential problem) - there are likely to be other services that you want to call on the AWS side.
Also: It would be very unwise to assign the permissions you mention to those credentials - if an external (malicious) user were to gain access they can do pretty much anything in your AWS account. Please use permissions that are least-privileged; in this case - access to Polly only.
What I'd recommend is that you use API Gateway. This will allow your application to call an API which then triggers specific actions. One action could be to trigger a Lambda function which calls Polly on your behalf. Another action might be to call a second AWS service to do some other work - again, a Lambda function.
The advantage here is that you don't need long-term credentials on the client; and you can create very specific permissions for each Lambda function so that they can only access the services they are supposed to. For example, the Polly Lambda function can only access Polly. I wouldn't be assigning Administrator or PowerUser access here either as there is no need to do that.
You can also use a service such as Cognito to authenticate your users and from there only allow those authenticated users to access the API (which you can link to Cognito).
This sounds complex and it kind of is; but it gives you a base to build on that is very flexible and extremely powerful.
You can start here: https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/ - you can substitute S3 and DynamoDB with Polly. There are many other guides too.
Edit based on comment below: The challenge here is that you need IAM credentials to communicate with Polly (or any AWS service for that matter). If you were running this from a computer that you control and is always in your possession you could install long-lived credentials on that computer. That isn't (strictly) best practice but the risk there is reasonably low. But for mobile applications that are in the hands of other people you don't necessarily want long-lived credentials out there.
You could put long-lived credentials in the app and only give them permission to call Polly. But the risk there is that someone could use those credentials to call the service and use it without your permission - extra charges could be an issue there.
So temporary credentials are a way to fix this issue. Cognito allows you to authenticate users and then issue temporary IAM credentials. That works if your users have to log in to user your app. If not, another method would be to use API Gateway (as mentioned above) and have an API Key which is in your app. This is (again, unfortunately) another form of long-lived credential but you can do rate limiting and some other work on API Gateway to block access if you need to.
Another way to do this is using IAM Roles Anywhere - here you would put a certificate in the app and use that to authenticate to get IAM credentials. The intent behind this is to use this with servers on premises but it can also work for an application. If you were going to do this (but it's quite a bit of work and Cognito would be better) then I'd recommend a certificate for each instance of the application - that way you can deny access on a per-user basis. Again, much work for you but much better control and security.
We can't stop you putting IAM credentials in your application. But it is generally not a good idea hence the suggestions above which have better security and more control for you.
Relevant content
- asked 6 months ago
- AWS OFFICIALUpdated 20 days ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 3 months ago
Hello, Brettski. Thank you very much for pointing me out to such powerful tools, I think they're worth considering when developing for the web. However, at the time being I'm trying to solve a little different task. My tool calls Amazon Polly API directly to get audio streams. But it also works with other TTS engines, like Google's one for example. Then I process the streams with FFmpeg etc. So I think I really need to find a way to authenticate in Amazon Polly. What is the way to do this? How can I authenticate?