Question
We have an existing application and we are developing the new APIs required for our application in AWS.
We want to enable role based access control to our AWS API without migrating our users to AWS Cognito. We think we might need to use Developer Identity Provider and IAM Roles, but are not sure how the users from our application will be attached to IAM Roles. Any help in this direction will be appreciated.
Thanks in advance.
Note: I am new to AWS.
Answer 1:
I think you should have a look at API Gateway Custom Authorizers.
This way you can plug your already existing authorization system into the API gateway. I wouldn't use IAM roles as long as you are not sharing AWS resources directly with your users.
If you are only using role based access controls for your application, using existing application roles is absolutely fine. You just need to make them accessible, so the custom authorizer lambda can validate the authorization against it.
Answer 2:
Since you are planning to use the existing roles and permissions of your application for the API, there are several options available.
Use the IAM authorizer with the recently introduced Cognito User Groups feature, map your existing roles to attributes from the Developer Identity provider, and map them to Groups. Using this, you can define different API Gateway resources to be accessed by different user groups by defining them in IAM policies.
Using a Custom Authorizer, you will need to write your custom authorizer code to do the authentication as well as the authorization.
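Both answers come down to the same mechanism: something validates the caller's existing application credential, looks up the caller's application roles, and turns those roles into an IAM policy on `execute-api:Invoke` resources. The following is an added example of a TOKEN-type API Gateway Lambda authorizer written for this thread; it is not code from the question, the answers, or AWS. `APP_USERS`, `ROLE_PERMISSIONS`, the HMAC token format and `SHARED_SECRET` are constructed stand-ins for the existing application's user store and session token; a real deployment would verify the application's own token (for example a JWT with its real key) and query the application's role data instead.

```python
import fnmatch
import hashlib
import hmac
import re

# Constructed stand-in for the existing application's user store and role model.
# A real authorizer would query the application's database or an internal API instead.
APP_USERS = {
    "alice": {"roles": ["admin"]},
    "bob": {"roles": ["reader"]},
}

# Application role -> (HTTP verb, resource path) pairs it may invoke on the API.
# "*" follows IAM wildcard semantics inside the execute-api resource ARN.
ROLE_PERMISSIONS = {
    "admin": [("*", "*")],
    "reader": [("GET", "orders"), ("GET", "orders/*")],
}

# Placeholder signing key for the demo token format (constructed); a real deployment
# verifies the application's own session token or JWT with its real key material.
SHARED_SECRET = b"constructed-demo-secret"


def make_token(username):
    """Constructed bearer token: '<user>.<hmac-sha256>' (demo only)."""
    sig = hmac.new(SHARED_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{sig}"


def verify_token(token):
    """Return the username if the signature is valid and the user exists, else None."""
    username, _, sig = token.partition(".")
    expected = hmac.new(SHARED_SECRET, username.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    return username if username in APP_USERS else None


# methodArn layout: arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<VERB>/<path>
ARN_RE = re.compile(r"^(arn:aws:execute-api:[^:]*:[^:]*:[^/]+)/([^/]+)/([^/]+)/(.*)$")


def parse_method_arn(method_arn):
    m = ARN_RE.match(method_arn)
    if not m:
        raise ValueError("unexpected methodArn format")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def build_policy(username, method_arn, roles):
    """Authorizer response: an IAM policy listing every resource the user's roles allow.

    API Gateway caches the returned policy per token (authorizerResultTtlInSeconds), so
    the policy must cover all resources the caller may hit, not only this request's one.
    """
    api_prefix, stage, _verb, _path = parse_method_arn(method_arn)
    resources = sorted(
        f"{api_prefix}/{stage}/{verb}/{path}"
        for role in roles
        for verb, path in ROLE_PERMISSIONS.get(role, [])
    )
    if resources:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}
    else:
        # No known role: explicitly deny the requested method (API Gateway returns 403).
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": method_arn}
    return {
        "principalId": username,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Available to the backend integration as $context.authorizer.roles
        "context": {"roles": ",".join(roles)},
    }


def lambda_handler(event, context=None):
    """TOKEN-type Lambda authorizer entry point."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    username = verify_token(token)
    if username is None:
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    return build_policy(username, event["methodArn"], APP_USERS[username]["roles"])


def is_allowed(policy, method_arn):
    """Local evaluation of the returned policy for unit tests: Deny wins, else any Allow."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders/42"
    event = {"type": "TOKEN", "authorizationToken": "Bearer " + make_token("bob"), "methodArn": arn}
    print(is_allowed(lambda_handler(event), arn))
```

The design point worth noting is the caching caveat in `build_policy`: because API Gateway reuses the first policy it receives for a given token until the TTL expires, an authorizer that only allows the single `methodArn` of the first request will silently block that user's later calls to other resources. Returning the full set of resources the application roles permit (or setting the TTL to 0) avoids that failure mode, and `is_allowed` lets you unit-test the generated policy offline before deploying.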
Source: https://stackoverflow.com/questions/45333690/securing-aws-api-gateway