
API Authorization Best Practices Across Multi-Cloud Workloads (AWS, Azure, GCP)


Hello everyone,

I’m looking for advice on secure, scalable, and seamless API authorization best practices across multiple cloud platforms. Here’s the setup: I have an API Gateway deployed in AWS, protected by IAM authorization. These APIs handle highly sensitive operations — they perform CRUD actions on secrets and passwords stored in a central AWS Secrets Manager. Our customers run workloads across multiple CSPs — including Azure, GCP, and other AWS accounts. Each customer’s workloads are managed by separate teams and are frequently updated, with new workloads added during onboarding.

So far: I previously allowed access to AWS resources within my AWS Organization, but that approach was too broad and not aligned with least-privilege practices. Now, I plan to deploy a dedicated IAM role in each AWS account (via StackSets) and allow those roles to invoke the APIs securely.

Where I need help: I’m looking for a similar or better approach for Azure and GCP workloads. Long-lived credentials (like static keys or service accounts) are not acceptable due to security policies. Using Managed Identities / Workload Identities directly attached to compute isn’t feasible in this setup.

In short — What’s the best, secure, and scalable way for services running on Azure and GCP workloads to invoke AWS API Gateway endpoints protected by IAM, without maintaining long-lived credentials? Any design suggestions, reference architectures, or best practices from real implementations would be greatly appreciated.

Thanks in advance!

1 Answer

Hello.

As explained in the following AWS blog, by integrating Microsoft Entra ID with OIDC, you can access AWS resources using temporary authentication information on the AWS side.
By using "AssumeRoleWithWebIdentity", you no longer need to issue access keys from an IAM user.
https://aws.amazon.com/jp/blogs/security/how-to-access-aws-resources-from-microsoft-entra-id-tenants-using-aws-security-token-service/

For Google Cloud, the following blog may be helpful:
https://aws.amazon.com/jp/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/

EXPERT
answered a month ago
  • Hi Riku

    Thank you for the quick response. In our case we do not have the option to install the AWS CLI or Boto3 on the Azure VM, so option 1 (first link) would not work for our use case. I am trying to find a solution without installing native libraries on the Azure VM.

    Thank You
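A standard-library-only sketch of the flow the answer describes (exchange an external OIDC token via STS AssumeRoleWithWebIdentity, then call the IAM-protected API Gateway with a SigV4-signed request) that needs neither the AWS CLI nor Boto3, as the follow-up comment requires. This is an added example, not code from the thread or the linked blogs; the role ARN, session name, and the source of the OIDC token are assumptions, and the signer is checked against the public SigV4 test vector from the AWS documentation.

```python
import hashlib, hmac, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

def sigv4_headers(method, url, region, service, access_key, secret_key, amz_date,
                  body=b"", session_token=None, extra_headers=None):
    """Build the headers (incl. Authorization) for a SigV4-signed request, stdlib only."""
    u = urllib.parse.urlsplit(url)
    headers = {k.lower(): v for k, v in (extra_headers or {}).items()}
    headers.update({"host": u.netloc, "x-amz-date": amz_date})
    if session_token:  # temporary STS credentials must carry their session token
        headers["x-amz-security-token"] = session_token
    # Canonical query string: RFC 3986-encoded pairs sorted by name, then value
    query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in sorted(urllib.parse.parse_qsl(u.query, keep_blank_values=True)))
    signed = ";".join(sorted(headers))
    canon_headers = "".join(f"{k}:{' '.join(headers[k].split())}\n" for k in sorted(headers))
    canonical = "\n".join([method, u.path or "/", query, canon_headers, signed,
                           hashlib.sha256(body).hexdigest()])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

def parse_sts_credentials(xml_bytes):
    """Pull the temporary credentials out of an AssumeRoleWithWebIdentity response."""
    cred = ET.fromstring(xml_bytes).find(".//sts:Credentials", STS_NS)
    return {t: cred.find(f"sts:{t}", STS_NS).text
            for t in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}

def assume_role_with_web_identity(role_arn, oidc_token, session_name):
    """Exchange an Entra ID / Google OIDC token for 1h AWS credentials. The STS call is
    unsigned: the OIDC token is the proof of identity, so no AWS key is needed to make it."""
    params = urllib.parse.urlencode({"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name, "WebIdentityToken": oidc_token,
        "DurationSeconds": "3600"})  # hypothetical values are supplied by the caller
    with urllib.request.urlopen(f"https://sts.amazonaws.com/?{params}") as resp:
        return parse_sts_credentials(resp.read())
```

The credentials returned by assume_role_with_web_identity feed sigv4_headers (service "execute-api", with the SessionToken passed as session_token) for the actual API Gateway call, and the trust policy on the role should pin the token's issuer, audience and subject claims to the workload that is allowed to assume it.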
