Is it possible to use IAM and Secure Token Service as the authentication solution for an application?


The reasons for considering this are:

  • The number of authenticated users is low, and leveraging the roles and permissions model in AWS would be useful.
  • Unifies the audit processes
  • Allows users of our application to also access AWS features like dashboards, logging etc.

I think it may be possible with API Gateway, but I couldn't see something in the docs that would pass a username or a verification result through the HTTP headers.

2 Answers

I think what you are looking for is AWS Single Sign-On.

Another option would be Amazon Cognito.

profile picture
answered 8 months ago
  • Thanks kentrad, Do you know if you can use an Amazon Cognito endpoint as an AWS Single Sign-On provider? I suspect that may be the way to give a person access to the web AWS console, but it wasn't clear how to configure it that way.


It looks like Cognito Identity Pools is what you are looking for. This lets you map IAM roles to identities. For defining the actual user, password, etc to define the identity you will use with Identity Pools, you can use Amazon Cognito user pools, but you do not have to. Cognito Identity Pools will also work with user IDs defined on Facebook, Google, etc.

profile picture
answered 8 months ago
  • Thanks setheliot, do you know if it is possible to convert a Cognito session's IAM role into a web session for a user to go to the AWS web console?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions