So I get the notion of roles and service-linked roles and policies in AWS. However, all of that works only if the principal/identity (and I know there's a difference between the two, but using either term quite liberally here) being claimed by an app can be verified (i.e. app authentication). I am guessing this authentication occurs against the "AWS fabric" and not the target service/resource the app wants to access.

Can anyone share details of how an app establishes its identity and how the "fabric" verifies the identity?

Azure has the notion of managed service identities (based on system assigned identity and VM extensions).

  • What's the equivalent on AWS? How does the AWS "fabric" assign/verify app identities?
  • If the only mechanism for verification is an access key and secret key (or a bearer token), I would think that's either a circular problem for credential management or very insecure.

Of course, I could be totally wrong in the way I am comparing Azure identity management to AWS, but it seems that a credential-less verification/assignment of identity as in Azure is probably as secure as it gets.


I've never used Azure, but that looks similar to AWS KMS that apparently also uses HashiCorp Vault. You can see some use cases here.

Take a look at this, I think it explains what you need.
