Hello, I have the following scenario:
callee (with IAM_Role) -> API Gateway -> Downstream app.
API Gateway will check the resource policy when IAM_AUTH is enabled to make sure that the role is valid. However, the customer wants to do a secondary check on the downstream app for an end-to-end validation, so it needs to know the IAM role used for the original request to the API Gateway. Is there a way to do this?
For example:
server-a with role-a calls API Gateway with a request. API Gateway validates against its resource policy that the role is allowed to make that call. Server-b downstream gets the request from API Gateway and also does a secondary check, with additional logic to check what role-a can do at an application level. Is there a way to pull that role from API Gateway in a timely fashion?
Something in the header, preferably, such as the role name or role ID. The original request is SigV4 signed.
CloudWatch logs would be too delayed.