Call AWS API from external

0

Hello all!

I have a real scenario in which I have a problem implementing this. I want to call an AWS API (ex. ec2:DescribeInstances) from an external Azure Function, so the traffic goes through the internet. I want to use short-term credentials.

Solutions that I rejected for now:

  1. Cognito + client_credentials -> client_credentials can't be exchanged into AWS credentials
  2. IAM Roles Anywhere - expensive -> $400/m for a CA, and it is designed for servers, not serverless, as far as I know

What cost-effective solution do you recommend to use?

Mateusz
Asked 2 months ago, 290 views
3 answers
2
Accepted answer
Expert
Answered 2 months ago
Expert
Reviewed 2 months ago
  • Thanks for your and all replies! This answer resolved my issue, however step-by-step instructions in the article could be more precise.

2

To assume an AWS IAM role from an Azure Function, you can follow these steps:

  1. Set up cross-account access in AWS: First, you must create an IAM role in AWS that your Azure Function can assume. This role must have a trust relationship with an identity provider that supports SAML 2.0 (like Azure AD). You'll define a policy allowing you to perform the actions you want in AWS (ex. ec2:DescribeInstances).

  2. Configure Azure AD for SSO to AWS: In Azure AD, you'll set up a single sign-on (SSO) to AWS. This involves configuring Azure AD as a SAML identity provider in AWS. You'll download the metadata XML from Azure and upload it to AWS to establish trust.

  3. Assign users or groups in Azure AD: Assign the Azure AD users or groups with access to assume the AWS IAM role. These are typically the identities associated with your Azure Functions.

  4. Acquire Azure AD token: Your Azure Function needs to authenticate with Azure AD to get a SAML assertion token. You can use the Microsoft identity platform (Azure AD for developers) to obtain tokens.

  5. Assume the AWS role using the SAML assertion: Once you have the SAML assertion, you use the AWS Security Token Service (STS) AssumeRoleWithSAML API to exchange the SAML assertion for AWS temporary security credentials.

  6. Use AWS credentials in your Azure Function: Your Azure Function can make authenticated requests to AWS services with temporary security credentials (access key ID, secret access key, and session token).
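As an added example (not code from the original answer, AWS, or Microsoft), the Python below does the checks a function should make on the Azure AD SAML assertion between steps 4 and 5 and then builds the parameters for the STS AssumeRoleWithSAML call. The assertion, account id, role name and provider name are constructed placeholders; the AWS audience and Role attribute names are the ones AWS documents for SAML federation.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"          # audience AWS expects in the assertion
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"    # attribute carrying the role/provider pair

# Constructed sample assertion (unsigned, placeholder account id); a real one is issued by Azure AD.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Ec2ReadOnly,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_assume_role_request(assertion_xml, now=None, duration=900):
    """Return kwargs for sts.assume_role_with_saml(), or raise ValueError if the assertion is unusable."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    # Reject an expired assertion before sending it to STS (STS would reject it too, but fail early).
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= not_after:
        raise ValueError("SAML assertion expired")
    audiences = [a.text for a in root.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError("assertion was not issued for AWS")
    # The Role attribute holds "role_arn,provider_arn"; AWS accepts either order, so match on ARN type.
    values = [v.text for v in root.iterfind(
        f"saml:AttributeStatement/saml:Attribute[@Name='{ROLE_ATTR}']/saml:AttributeValue", NS)]
    if len(values) != 1:
        raise ValueError("expected exactly one role/provider pair in the assertion")
    parts = [p.strip() for p in values[0].split(",")]
    role_arn = next(p for p in parts if ":role/" in p)
    provider_arn = next(p for p in parts if ":saml-provider/" in p)
    return {
        "RoleArn": role_arn,
        "PrincipalArn": provider_arn,
        "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(),
        "DurationSeconds": duration,   # keep sessions short; 900 s is the STS minimum
    }
```

The returned dict is passed as `boto3.client("sts").assume_role_with_saml(**req)`, whose `Credentials` (access key ID, secret access key, session token) are then used for the ec2:DescribeInstances call in step 6.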

Expert
Answered 2 months ago
Expert
Artem
Reviewed 2 months ago
Expert
shibata
Reviewed 2 months ago
1

Another approach could be to create an API Gateway in AWS with a Lambda making the call, which the Azure Function can consume. Though involving a bit more manual work, you separate the logic clearly into e.g. a Lambda function, protected by either IAM auth or another Lambda authorizer.

Also, this stipulates a clear contract between two different cloud vendor sources and makes the interaction more visible.

Expert
Answered 2 months ago
Expert
Reviewed 2 months ago
