So I have a scenario which I'm trying to solve. Requests are coming into my API, which is hosted on-prem, and included is an X-Amz-Security-Token header. This is because the caller of said API is using a set of long-term credentials to assume an IAM role and is using the returned temporary credentials to sign the request. This is specified in the note here
In my API, I am doing the same logic of assuming the role using the same long-term credentials, but what seems to be happening is that, because I need to sign the request myself in order to compare the signatures to validate the request, I'm getting a different X-Amz-Security-Token generated, since the temporary credentials granted are different, and therefore the signatures don't match. How do I get around this? And more to the point, if I wasn't using an on-prem hosted API, how would other AWS services validate the request by default? Is X-Amz-Security-Token able to be passed back to the STS for validation somehow? I'm confused how this header adds any value to SigV4, as it seems to only be causing me problems.
Apologies if this is a bit vague. I'm new to the AWS world and only need to get involved in order to integrate on-prem systems with an AWS-hosted partner. And SigV4 is a contractual requirement for both inbound and outbound communications.
Any help would be much appreciated. Cheers