Can I assume a role in my backend (Fargate container) on every request made to the API the container is running?


For context, what I want to accomplish is utilizing a Cognito user's user group IAM role as the role that performs an action (in this case accessing s3 resources). I have a bucket per user group and ultimately what I want to accomplish is using SSE-KMS to double encrypt s3 content and give access to the KMS key only to the group IAM role and NOT to the Fargate container's task role. Then when the user makes a request to our API to a route that has an interaction with s3, part of the code path for the request would be to assume the group IAM role using fromCognitoIdentityPool and create an s3Client to then make the request rather than having the ECS container make the request using its taskRole. That way the request would succeed since the group role has access to the KMS key and the bucket.

My concerns are:

  1. Is STS not really designed for this use case? I would be creating a potentially large number of temporary credentials that are used once and thrown away. Would I hit some sort of rate limit with STS?
  2. Does this even make sense? Is there a better way to accomplish what I'm trying to do?
d0ck
Asked 8 months ago, 106 views
No answers
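One way to keep the per-request credential exchange in the question above bounded, as an added example that is not code from the original post: cache the Cognito-vended credentials per user and reuse them until shortly before they expire, so a user's repeated API calls share one Cognito/STS exchange while every S3 call is still signed with the group role rather than the task role. It assumes AWS SDK for JavaScript v3 (`@aws-sdk/credential-providers`, `@aws-sdk/client-s3`) and the placeholder region and pool IDs in the code.

```javascript
// Added example, not from the original post. Assumes AWS SDK for JavaScript v3
// (@aws-sdk/credential-providers, @aws-sdk/client-s3) and the placeholder IDs below.
const REGION = "us-east-1";                                       // assumption
const USER_POOL_ID = "us-east-1_EXAMPLE";                         // placeholder
const IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"; // placeholder
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // re-exchange 5 min before the credentials expire

// Exchanges the user's Cognito ID token for temporary credentials of the role
// mapped to the user's group. The SDK is loaded lazily so the cache below can
// run without it installed.
function cognitoProviderFor(idToken) {
  const { fromCognitoIdentityPool } = require("@aws-sdk/credential-providers");
  return fromCognitoIdentityPool({
    clientConfig: { region: REGION },
    identityPoolId: IDENTITY_POOL_ID,
    logins: { [`cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`]: idToken },
  });
}

// Per-user cache in front of the provider: the same user hitting the API
// repeatedly reuses one Cognito/STS exchange until shortly before expiry,
// which is what keeps the call volume bounded. `now` is injectable for tests.
class CredentialCache {
  constructor(providerFactory = cognitoProviderFor, now = () => Date.now()) {
    this.providerFactory = providerFactory;
    this.now = now;
    this.entries = new Map(); // userId -> { credentials, expiresAt }
    this.exchanges = 0;       // real exchanges performed (for observability)
  }
  async get(userId, idToken) {
    const hit = this.entries.get(userId);
    if (hit && hit.expiresAt - REFRESH_MARGIN_MS > this.now()) return hit.credentials;
    const credentials = await this.providerFactory(idToken)();
    this.exchanges += 1;
    // Credentials without an expiration are not reused (treated as already stale).
    const expiresAt = credentials.expiration ? credentials.expiration.getTime() : 0;
    this.entries.set(userId, { credentials, expiresAt });
    return credentials;
  }
}

// Request path: sign the S3 call with the group role, never the task role.
async function getObjectAsUser(cache, userId, idToken, bucket, key) {
  const { S3Client, GetObjectCommand } = require("@aws-sdk/client-s3");
  const credentials = await cache.get(userId, idToken);
  const s3 = new S3Client({ region: REGION, credentials });
  return s3.send(new GetObjectCommand({ Bucket: bucket, Key: key }));
}
```

Because entries are keyed by user, a change of group membership only takes effect once that user's cached credentials expire, so keep the identity pool's session duration short if group changes must apply promptly.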
