Thoughts on enterprise IT

Dustin Amrhein

Subscribe to Dustin Amrhein: eMailAlertsEmail Alerts
Get Dustin Amrhein: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Cloud Computing, Amazon Cloud Journal

Blog Feed Post

Concept: Using AWS IAM to Protect Your Own APIs

Let’s say, hypothetically, that you are considering building a cloud-based service

Let’s say, hypothetically, that you are considering building a cloud-based service and had come to that fork in the road where you had to think about how to authenticate users to your API’s.

As I was thinking about that problem, it struck me that potentially you could use the new(ish) identity and access management services from AWS.  Create users, set groups and permissions, authenticate them against IAM as an identity provider of sorts.  Of course after I read the FAQ where it asked if you can use it on 3rd party apps, the answer was “not yet”.

But I think you can, today.


  1. New user of my API (“user”) signs up in my app/console/web page/etc
  2. I create a new user for them in my app and credentials in IAM
  3. I add them to an IAM group for something like GetObject permissions on some random S3 bucket and stick a tiny file in there
  4. When the user authenticates to my API using their IAM credentials (access ID/secret key), I make an auth or GetObject request on their behalf behind the scenes on the bucket they have permissions to.
  5. If the S3 request is successful, let them in to use my API

I plan on hacking this together the first chance I get, but if someone else gets around to it first, please let me know in the comments here on cloudnod or on twitter (@scottsanchez).


Follow Scott Sanchez on twitter:

Notice: This article was originally posted at by Scott Sanchez and is his personal opinion.  Copyright 2011 Scott Sanchez, All Rights Reserved.


Read the original blog entry...

More Stories By Scott Sanchez

A recognized thought leader on cloud computing, enterprise architecture and security, Scott Sanchez is a jack of all trades that has held strategy and leadership roles at Goldman Sachs, Bristol-Myers Squibb, Unisys and a number of technology startups along the way.