Cross-region requests
First Claim
1. A computer-implemented method, comprising:
making information associated with a first user account of a plurality of user accounts available to a device associated with a second user account of the plurality of accounts, the first user account associated with a first region and the second user account associated with a second region different than the first region, the second user account lacking access to a set of resources associated with the first user account;
obtaining a request from the device associated with the second user account of a plurality of user accounts, the request digitally signed using a long-term key associated with the second user account;
as a result of validating the request, at least:
generating a set of session data, the set of session data at least including a session key and the information;
encrypting the set of session data to generate a session token, the session token encrypted using a session encryption key, the session encryption key maintained as a secret by a security service in the first region; and
providing the session token and the session key to the device associated with the second user account;
obtaining a second request from the device associated with the second user account for access to the resources associated with the first user account, the second request including the session token, the second request for resources digitally signed using a digital signature generated from the session key; and
as a result of validating the second request:
extracting the session key from the session token using the session encryption key to produce an extracted session key;
validating the digital signature generated from the session key using the extracted session key; and
satisfying the second request for resources by providing access to the resources associated with the first user account, wherein the second request is validated based at least in part on the information.
1 Assignment
0 Petitions
Abstract
A request is received from a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a session credential that includes a session key. The user in the second region can use the session credential to access the resources in a first region.
18 Claims
1. (Independent; full text given above under First Claim.) Dependent claims: 2, 3.
4. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to:
generate a request associated with a first user account in a first region, the request generated by a device associated with a second user account in a second region, the request digitally signed by a credential associated with the second user account;
obtain a session token including a first session key;
use the first session key to generate a second request for access to resources associated with the first user account, the second request generated using the session token, the second request digitally signed with a digital signature generated from a second session key, wherein:
the request is a request to assume a role associated with the first user account, wherein the role has a corresponding set of policies associated with the role, the request including a role identifier associated with the role; and
the session token is encrypted using a session encryption key; and
cause the second user account to assume the role in response to the request, the role providing access to resources not in the second region.
Dependent claims: 5 to 13.
14. A set of one or more non-transitory computer-readable storage media storing executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
obtain a request associated with a first user account in a first region, the request generated by a device associated with a second user account in a second region, the request digitally signed by a credential associated with the second user account;
provide a session token including a first session key;
obtain a second request, generated using the first session key, for access to resources associated with the first user account, the second request generated using the session token, the second request digitally signed with a digital signature generated from a second session key, wherein:
the request is a request to assume a role associated with the first user account, wherein the role has a corresponding set of policies associated with the role, the request including a role identifier associated with the role; and
the session token is encrypted using a session encryption key; and
assume the role in response to the request, the role providing access to resources not in the second region.
Dependent claims: 15 to 18.
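The two-phase exchange the independent claims describe (a long-term-key-signed assume-role request answered with an encrypted session token plus session key, then a session-key-signed resource request carrying the token, which only the first-region security service can open), as an added worked example. This is not code from the patent or from any product; the claims fix no algorithms, so it assumes HMAC-SHA256 for both request signatures (treating the "long-term key" and "session key" as shared secrets), AES-GCM under the service's secret session encryption key for the token with the region name bound as associated data, a one-hour expiry, and claim 4's role, role identifier and policies modelled as the Role type. The account, role, region and resource names in Fixture are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Account: ID, home region and long-term secret (modelled here as an HMAC key, an assumption).
type Account struct{ ID, Region string; LongTermKey []byte }
// Role lives in the first region: Allowed is its policy, TrustedBy the accounts that may assume it.
type Role struct{ ID string; Allowed, TrustedBy map[string]bool }
// SecurityService is the first-region service; aead wraps the session encryption key, which never leaves it.
type SecurityService struct{ Region string; aead cipher.AEAD; accounts map[string]*Account; roles map[string]*Role; Now func() time.Time }
// sessionData is sealed into the token: session key plus the information (role, caller, expiry) checked later.
type sessionData struct{ SessionKey []byte; Role, Caller string; Expires int64 }
type AssumeRoleRequest struct{ Caller, Role string; Signature []byte }
type Credentials struct{ SessionToken string; SessionKey []byte }
type ResourceRequest struct{ SessionToken, Resource string; Signature []byte }

// mac is the request signature: HMAC-SHA256 over length-prefixed fields.
func mac(key []byte, parts ...string) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts { fmt.Fprintf(h, "%d:%s", len(p), p) }
	return h.Sum(nil)
}
// NewService takes the 32-byte session encryption key (from a KMS/HSM in practice); Now is an injectable clock.
func NewService(region string, encKey []byte) *SecurityService {
	block, err := aes.NewCipher(encKey)
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block)
	return &SecurityService{region, aead, map[string]*Account{}, map[string]*Role{}, time.Now}
}
// SignAssumeRole builds the first request, signed with the long-term key.
func (a *Account) SignAssumeRole(role string) AssumeRoleRequest {
	return AssumeRoleRequest{a.ID, role, mac(a.LongTermKey, "AssumeRole", a.ID, role)}
}

// AssumeRole checks the long-term signature and the role's trust list, mints a fresh session key and
// seals it with the information under the service's key (AES-GCM, region name as associated data).
func (s *SecurityService) AssumeRole(req AssumeRoleRequest) (Credentials, error) {
	acct, ok := s.accounts[req.Caller]
	if !ok || !hmac.Equal(req.Signature, mac(acct.LongTermKey, "AssumeRole", req.Caller, req.Role)) { return Credentials{}, fmt.Errorf("assume-role: unknown caller or bad signature") }
	role, ok := s.roles[req.Role]
	if !ok || !role.TrustedBy[req.Caller] { return Credentials{}, fmt.Errorf("assume-role: role does not trust %q", req.Caller) }
	buf := make([]byte, 32+s.aead.NonceSize()) // fresh session key || fresh nonce
	if _, err := rand.Read(buf); err != nil { return Credentials{}, err }
	sk, nonce := buf[:32], buf[32:]
	plain, _ := json.Marshal(sessionData{sk, role.ID, req.Caller, s.Now().Add(time.Hour).Unix()})
	token := s.aead.Seal(nonce, nonce, plain, []byte(s.Region)) // nonce || ciphertext || tag
	return Credentials{base64.RawURLEncoding.EncodeToString(token), sk}, nil
}
// SignResource builds the second request, signed with the session key; the signature also covers
// the token, so a captured token cannot be paired with a different key.
func SignResource(c Credentials, resource string) ResourceRequest {
	return ResourceRequest{c.SessionToken, resource, mac(c.SessionKey, "GetResource", resource, c.SessionToken)}
}

// Authorize opens the token with the service's key (another region's token, a wrong key or any
// tampering fail at Open), extracts the session key, verifies the signature, then checks expiry and policy.
func (s *SecurityService) Authorize(req ResourceRequest) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(req.SessionToken)
	n := s.aead.NonceSize()
	if err != nil || len(raw) < n { return "", fmt.Errorf("authorize: malformed token") }
	plain, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(s.Region))
	if err != nil { return "", fmt.Errorf("authorize: token not issued by this region's service") }
	var sd sessionData
	if json.Unmarshal(plain, &sd) != nil { return "", fmt.Errorf("authorize: bad session data") }
	if !hmac.Equal(req.Signature, mac(sd.SessionKey, "GetResource", req.Resource, req.SessionToken)) { return "", fmt.Errorf("authorize: session signature invalid") }
	if s.Now().Unix() >= sd.Expires { return "", fmt.Errorf("authorize: session expired") }
	if r, ok := s.roles[sd.Role]; !ok || !r.Allowed[req.Resource] { return "", fmt.Errorf("authorize: %s does not allow %s", sd.Role, req.Resource) }
	return fmt.Sprintf("%s as %s -> %s", sd.Caller, sd.Role, req.Resource), nil
}

// Fixture is constructed sample data: role/reporting in us-east-1 trusts bob (eu-west-1), allows only bucket/alpha.
func Fixture() (*SecurityService, *Account) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { panic(err) }
	svc := NewService("us-east-1", key)
	bob := &Account{"bob", "eu-west-1", []byte("bob-long-term-secret")}
	svc.accounts[bob.ID] = bob
	svc.roles["role/reporting"] = &Role{"role/reporting", map[string]bool{"bucket/alpha": true}, map[string]bool{"bob": true}}
	return svc, bob
}
func main() {
	svc, bob := Fixture()
	creds, _ := svc.AssumeRole(bob.SignAssumeRole("role/reporting"))
	fmt.Println(svc.Authorize(SignResource(creds, "bucket/alpha"))) // granted
	fmt.Println(svc.Authorize(SignResource(creds, "bucket/beta")))  // denied by policy
}
```

Two properties worth checking against the claims: a service in the second region that does not hold the session encryption key cannot open the token at all, so it can neither extract the session key nor learn the information inside; and because the signature over the second request covers the token, a token captured on the wire is useless without the matching session key, which only ever travelled to the device that signed the original assume-role request.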
Specification