We are designing a solution with the following layered architecture:
- A microservice (Service A) that exposes a private API (endpoint type = private) via API Gateway and stores data in DynamoDB.
- A web app backend service (Service B) that consumes the APIs provided by Service A with IAM authentication by assuming a service role, and exposes an internet-facing API via API Gateway for a web app to consume.
- A web app that authenticates itself using a Cognito user pool and identity pool, and assumes IAM roles based on its user pool group to call the APIs provided by Service B.
Service B should be able to get the end user's identity info. My question is: how can I easily and securely pass this identity info from Service B to Service A?
The options we've considered are:
- Encrypting the end-user identity using KMS and then passing it as a request header when Service B calls Service A.
- Signing the end-user identity as a JWT and then passing it as a request header when Service B calls Service A.
Both approaches are a bit complicated. I am wondering if there is such a feature out of the box?
Why don't you send the JWT tokens issued by Cognito?
Many thanks @Tarit_G, that's a good idea.
I am not familiar with Cognito. According to this doc, the client app will get credentials to sign requests, but it should have access to the JWT too. I will do a bit more research.