Reputation: 3367
I'm trying to build an application that will help users supervise/manage their AWS resources, so it needs access to their AWS credentials.
Usually that's done via some kind of OAuth interface, but all I see is reference to Cognito, which seems to be mostly used to provide my AWS credentials to the browser.
How can I set up a signup flow where users give my application permission to use their AWS credentials on their behalf?
For what it's worth, I'm working in node.js, although I'm not looking for nodejs-specific info.
Upvotes: 1
Views: 319
Reputation: 256
You need to familiarize yourself with IAM, and AWS Policies if you're not familiar with it yet.
Option one would be to ask customers to generate an access key with the minimal required permissions... (or provide a script generating such a key; such a script is pretty easy to implement). Is that an option for you?
I have never tried to use Cognito between user accounts, however it seems to be possible using an approach similar to the one described here: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html For that approach you still need a number of actions on the 'customer' side.
Similar here: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
To summarize, I believe that the challenge is to provide customers with a simple, 'painless' and transparent way to share with you the minimal required permissions... Sharing an admin-level AWS account with someone else can cost a lot of money, so it might not be easy...
Upvotes: 1