0
votes

I have one EC2 instance running custom apps under AWS Account A. The custom apps execute the API from another AWS Account B. I have created an IAM role and attached it to the EC2 instance. The policy below is attached to the IAM role; just for testing I have allowed all resources.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*.*"
  }
}

Please advise what policy updates or role updates need to be done on Account B, or any other setting I need to configure.

I am new to IAM roles and API Gateway.
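As an added example (not code from the question or the answer), a small Python checker for the posted permission policy: it flags the Resource value the question uses, and it shows the two documents a cross-account sts:AssumeRole actually needs when one is required: Account A's policy scoped to a single role in Account B, and that role's trust policy in Account B naming Account A's instance role. The account IDs and role names are constructed placeholders.

```python
import re

# Constructed placeholder accounts and role names, not values from the question.
ACCOUNT_A, EC2_ROLE = "111111111111", "CustomAppsInstanceRole"   # instance side
ACCOUNT_B, TARGET_ROLE = "222222222222", "ApiCallerRole"         # role to be assumed

# sts:AssumeRole only targets roles: arn:aws:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def check_assume_role_policy(policy):
    """Return findings on the Resource element of every Allow sts:AssumeRole statement."""
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):          # a single statement object is valid policy syntax
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if res == "*":
                findings.append("Resource '*': may assume any role, in any account, that trusts this principal")
            elif not ROLE_ARN_RE.match(res):
                findings.append(f"Resource '{res}' is not a role ARN (arn:aws:iam::<account>:role/<name>)")
    return findings

def least_privilege_pair():
    """The two documents cross-account AssumeRole needs: caller permission and target trust."""
    # Attached to the EC2 instance role in Account A: may assume exactly one role in Account B.
    account_a_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{ACCOUNT_B}:role/{TARGET_ROLE}"}]}
    # Trust policy on the target role in Account B: only Account A's instance role may assume it.
    account_b_trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:role/{EC2_ROLE}"}}]}
    return account_a_policy, account_b_trust

# The permission policy as posted in the question, embedded here as input for the checker.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*.*"}}

if __name__ == "__main__":
    for finding in check_assume_role_policy(POSTED_POLICY):
        print("posted policy:", finding)
    scoped, trust = least_privilege_pair()
    print("scoped policy findings:", check_assume_role_policy(scoped))   # []
```

Note that the trust policy in Account B is the half the question does not mention: without it, Account A's permission policy alone never results in a successful AssumeRole.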

1
Is the API Gateway in Account B set up and working correctly? Have you tried sending it test API calls? Are you experiencing a particular problem? Otherwise, it is hard to know what we should "advise". No IAM permissions are required to call the API Gateway endpoint. - John Rotenstein

1 Answer

0
votes

Let me explain the concepts:

An IAM Role and an IAM User are both used to access AWS services. An IAM User is used by an actual user, while an IAM Role is used by an AWS service to access another service.

While similar logic may seem to fit all services on AWS, some services do not need an IAM Role or User to access them. One of them is API Gateway: you just need the right URL and network access to hit the API Gateway.

Another example of this is RDS (without enabling IAM Authorization). You just need the right JDBC URL and the credentials of the RDS DB to access it.

Consider API Gateway as yet another REST API; its authentication can be done using a number of auth tools, for example Okta, Auth0 or Cognito. You can read this article to get more insights.