
I have a use-case where the users of an app are required to grant temporary access to their AWS Account. Looking for an OAuth style solution, where the user is directed to the AWS Auth interface and redirected back on successful auth. In the process, the user grants temporary access to the required AWS resources.

The closest use-case: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html

But I may not be able to apply the solution directly.

Ar034
  • An IAM role is not the best for this use case. Look into Cognito, that is the service for this. – Tamás Sallai Sep 28 '20 at 12:40

1 Answer


The service you are looking for is Cognito Identity Pools. They can integrate with many OAuth providers and are used to get temporary access to several AWS services, e.g. DynamoDB, S3, etc.

You may look into this tutorial to get a better idea of how it works. A Cognito User Pool is not required and may be replaced by any other IdP or SSO like Auth0, Okta, FB, etc.

Let's say you want to access services from multiple accounts, e.g. AccountA and AccountB. If AccountA has the Cognito Identity Pool, you will have to do the following steps:

  • Create an IAM Role in AccountB and add access to the services you want to access in the app. You will have to create it using the "Another AWS account" option and provide the Account ID of AccountA.
  • In AccountA, create an IAM Role that allows access to services in the current account and that will be attached to your Cognito Identity Pool. More details here.
  • Add this policy to the AccountA Role, so it can assume the role from AccountB.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::AccountB_ID:role/account_b_role"
  }
}

To access services of AccountA:

const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2, as used in this answer

// Temporary credentials issued by the Cognito Identity Pool for AccountA
AWS.config.update({
    region: "us-east-1",
    credentials: new AWS.Credentials('AccessKeyId', 'SecretAccessKey', 'SessionToken')
});

To access services of AccountB:

  • Set AccountA credentials as done above.
  • Assume AccountB Role and get temporary credentials from it.
  • Set these credentials to access AccountB Services.

This solution can be extended to any number of accounts.

amsh
  • Yes, Cognito Identity pools will give the user access to my AWS Account services. However, it is required that the user grant access to his services. – Ar034 Oct 08 '20 at 22:54
  • What do you mean by `his services`? Can you please explain? – amsh Oct 08 '20 at 23:02
  • "his service" => AWS resource from the User's AWS account. Which is a different account to the one that the APP is hosted on. – Ar034 Oct 09 '20 at 00:38
  • @Ar034, thanks for clarification. I have added a detailed solution to handle that scenario. – amsh Oct 09 '20 at 06:16
  • Amsh, thanks for the well-described solution and yes, it is the solution that I am using now. However, I am looking for a solution similar to OAuth 2.0 where the user is automatically redirected to the provider for Authorization and Authentication. – Ar034 Oct 09 '20 at 13:00
  • @Ar034 did you find a better way than having the "customer" create an IAM role with an externalID and access? – Philipp Schmid Nov 03 '22 at 14:45