Hello everyone,

I’m looking for advice on secure, scalable, and seamless API authorization best practices across multiple cloud platforms.

Here’s the setup:

I have an API Gateway deployed in AWS, protected by IAM authorization.

These APIs handle highly sensitive operations — they perform CRUD actions on secrets and passwords stored in a central AWS Secrets Manager.

Our customers run workloads across multiple CSPs — including Azure, GCP, and other AWS accounts.

Each customer’s workloads are managed by separate teams and are frequently updated, with new workloads added during onboarding.

So far:

I previously allowed access to AWS resources within my AWS Organization, but that approach was too broad and not aligned with least-privilege practices.

Now, I plan to deploy a dedicated IAM role in each AWS account (via StackSets) and allow those roles to invoke the APIs securely.

Where I need help:

I’m looking for a similar or better approach for Azure and GCP workloads.

Long-lived credentials (like static keys or service accounts) are not acceptable due to security policies.

Using Managed Identities / Workload Identities directly attached to compute isn’t feasible in this setup.

In short —

What’s the best, secure, and scalable way for services running on Azure and GCP workloads to invoke AWS API Gateway endpoints protected by IAM, without maintaining long-lived credentials?

Any design suggestions, reference architectures, or best practices from real implementations would be greatly appreciated.

Thanks in advance!