Cross-region roles
First Claim
1. A computer-implemented method comprising:
- creating a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;
- making the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;
- receiving a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;
- in response to the first request, at least providing a session token and a session key to the device associated with the second user account;
- receiving a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and
- extracting the session key from the session token;
- validating the digital signature generated from the session key using the extracted session key; and
- satisfying the second request by providing access to a set of resources associated with the first user account.
Abstract
Techniques for using short-term credentials with access roles across regions are described herein. A request to assume a role associated with resources in a first region is received from a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a short-term session credential that includes a session key and that can be used to assume the role. The user in the second region then assumes the role and, accordingly, can use the short-term session credential to access the resources in the first region.
24 Claims
5. A system, comprising:
- one or more processors; and
- memory storing executable instructions that, if executed by the one or more processors, cause the system to:
  - create a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;
  - make the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;
  - receive a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;
  - in response to the first request, at least provide a session token and a session key to the device associated with the second user account;
  - receive a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and
  - extract the session key from the session token;
  - validate the digital signature generated from the session key using the extracted session key; and
  - satisfy the second request by providing access to a set of resources associated with the first user account.

(Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- create a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;
- make the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;
- receive a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;
- in response to the first request, at least provide a session token and a session key to the device associated with the second user account;
- receive a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and
- extract the session key from the session token;
- validate the digital signature generated from the session key using the extracted session key; and
- satisfy the second request by providing access to a set of resources associated with the first user account.

(Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24)
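The assume-role flow recited in claims 1, 5 and 16 (role creation, a first request signed with the caller's long-term key, a session token that carries the session key, a second request signed with that session key, then key extraction and signature validation by the service), as an added Python sketch that is not part of the patent or of any product. HMAC-SHA256 as the signature scheme, the encrypt-then-MAC wrapping of the session key under a service master key, the in-memory role table, and every account, role and resource name are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, json, os

# Constructed demo state (assumption, not the patent's own design): a service master key
# that wraps session keys, per-account long-term keys, and the role table.
SERVICE_KEY = hashlib.sha256(b"demo-service-master-key").digest()
LONG_TERM_KEYS = {"account-B": b"account-B-long-term-secret"}
ROLES = {}  # role_id -> {"owner": account, "trusted": account, "allow": set(resources)}

def _sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _keystream(nonce, n):  # HMAC-derived keystream used to encrypt the session key
    blocks = [hmac.new(SERVICE_KEY, nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def create_role(owner, role_id, trusted_account, allowed):
    # Role lives in the owner's (first) account; only the trusted (second) account may assume it.
    ROLES[role_id] = {"owner": owner, "trusted": trusted_account, "allow": set(allowed)}

def sign_assume(caller, role_id):  # device side, first request, signed with the long-term key
    return _sign(LONG_TERM_KEYS[caller], f"AssumeRole:{caller}:{role_id}".encode())

def assume_role(caller, role_id, sig, now, ttl=900):
    if not hmac.compare_digest(_sign(LONG_TERM_KEYS[caller], f"AssumeRole:{caller}:{role_id}".encode()), sig):
        raise PermissionError("bad long-term signature")
    if ROLES[role_id]["trusted"] != caller:
        raise PermissionError("caller is not trusted by this role")
    session_key, nonce = os.urandom(32), os.urandom(16)
    hdr = json.dumps({"role": role_id, "exp": now + ttl}).encode()
    # The session key travels inside the token, encrypted then MACed under SERVICE_KEY,
    # so the service can recover it later without keeping per-session state.
    enc = bytes(a ^ b for a, b in zip(session_key, _keystream(nonce, 32)))
    tag = hmac.new(SERVICE_KEY, nonce + enc + hdr, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + enc + tag + hdr).decode(), session_key

def sign_access(session_key, token, resource):  # device side, second request, signed with the session key
    return _sign(session_key, f"Get:{resource}:{token}".encode())

def access_resource(token, resource, sig, now):
    raw = base64.urlsafe_b64decode(token)
    nonce, enc, tag, hdr = raw[:16], raw[16:48], raw[48:80], raw[80:]
    if not hmac.compare_digest(hmac.new(SERVICE_KEY, nonce + enc + hdr, hashlib.sha256).digest(), tag):
        raise PermissionError("token tampered")
    meta = json.loads(hdr)
    if meta["exp"] < now:
        raise PermissionError("session expired")
    session_key = bytes(a ^ b for a, b in zip(enc, _keystream(nonce, 32)))  # extract key from token
    if not hmac.compare_digest(sign_access(session_key, token, resource), sig):
        raise PermissionError("bad session signature")
    if resource not in ROLES[meta["role"]]["allow"]:
        raise PermissionError("denied by role policy")
    return f"{resource} served via {meta['role']}"
```

Because the token is MACed and the second request signs over the token itself, a tampered token, an expired session, a signature made with a different key, or a resource outside the role's policy are each rejected before anything is served.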