[Feature Request] Resource Level Policies for API Gateway
The CBDE team is investigating how to put authentication in front of our Docker Registry. Ideally we would use the same system to authenticate both people and EC2 instances, and we would like to leverage IAM to achieve this.
Our goal is to create a short-lived token dispenser that responds to (AWS Signature) Version 4 signed requests with a token containing:
- the ARN of the caller
- expiry time
- signature
As a start we have spiked out the simplest client and server possible:
- an API Gateway method that returns the ARN of the caller.
- a ruby script that signs a request to this method.
When run as a SAML-authenticated user, the method returns:
{
  "account_id": "867471893442",
  "caller": "AROAJBP7Q6HCH3XU267ZS:mbailey",
  "source_ip": "203.17.253.249",
  "user": "AROAJBP7Q6HCH3XU267ZS:mbailey",
  "user_arn": "arn:aws:sts::867471893442:assumed-role/cbde-Developer/mbailey"
}
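To make the token-dispenser side of this concrete, here is an added example (not the CBDE team's spike code) of minting and verifying the kind of token described above: the caller ARN, an expiry time and a signature. It assumes the API Gateway method has already authenticated the request with IAM and hands the caller's user_arn to the dispenser, that the dispenser signs with a server-held HMAC key (a stand-in for whatever key management would really be used), and a 15-minute lifetime; the verifier checks the signature before it parses the claims and uses a constant-time comparison.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added illustrative code, not the original post's spike. The token format is
# "<base64url(JSON claims)>.<base64url(HMAC-SHA256 over the encoded claims)>".
module TokenDispenser
  TOKEN_TTL = 900 # seconds; assumed lifetime for the short-lived token

  # Unpadded URL-safe base64 so the token is safe in headers and query strings.
  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.b64url_decode(str)
    Base64.urlsafe_decode64(str)
  end

  # Constant-time comparison so a tampered signature cannot be found byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Mint a token for an already-authenticated caller ARN (e.g. the user_arn
  # returned by the IAM-authenticated API Gateway method).
  def self.mint(secret, caller_arn, now: Time.now.to_i, ttl: TOKEN_TTL)
    body = b64url(JSON.generate('arn' => caller_arn, 'exp' => now + ttl))
    sig = OpenSSL::HMAC.digest('SHA256', secret, body)
    "#{body}.#{b64url(sig)}"
  end

  # Returns [:ok, claims] or [:malformed | :bad_signature | :expired, nil].
  # The signature is checked before the claims are parsed, so untrusted input
  # never reaches the JSON parser.
  def self.verify(secret, token, now: Time.now.to_i)
    body, sig = token.to_s.split('.', 2)
    return [:malformed, nil] if body.nil? || sig.nil? || body.empty? || sig.empty?

    given = begin
      b64url_decode(sig)
    rescue ArgumentError
      return [:malformed, nil]
    end
    expected = OpenSSL::HMAC.digest('SHA256', secret, body)
    return [:bad_signature, nil] unless secure_equal?(given, expected)

    claims = begin
      JSON.parse(b64url_decode(body))
    rescue ArgumentError, JSON::ParserError
      return [:malformed, nil]
    end
    unless claims.is_a?(Hash) && claims['arn'].is_a?(String) && claims['exp'].is_a?(Integer)
      return [:malformed, nil]
    end
    return [:expired, nil] if claims['exp'] <= now

    [:ok, claims]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo run: a fresh random key and the ARN from the response above.
  secret = OpenSSL::Random.random_bytes(32)
  token = TokenDispenser.mint(secret, 'arn:aws:sts::867471893442:assumed-role/cbde-Developer/mbailey')
  puts token
  p TokenDispenser.verify(secret, token)
end
```

The registry (or a proxy in front of it) would call `verify` with the same key and then authorise on the `arn` claim; a single-account or cross-account caller is distinguished purely by what ARN the IAM-authenticated method put into the token, which is why the question of which principals API Gateway will authenticate matters for the design.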
When IAM Auth is turned on for an API Gateway method, it's only enabled for the current account. We use many accounts and would like the option of running a single API Gateway to issue tokens to these accounts. I believe we need policies at a resource level (API or method, preferably both) to achieve this.
I don't believe "sts assume-role" will suffice, because:
- the user_arn would be that of the assumed role in the current account, not the original caller
- we would need to grant access to each account individually
- it's extra work for clients to obtain and configure the ARN of the role to assume