Hello everyone,
I’m looking for advice on secure, scalable, and seamless API authorization best practices across multiple cloud platforms.
Here’s the setup:
I have an API Gateway deployed in AWS, protected by IAM authorization.
These APIs handle highly sensitive operations — they perform CRUD actions on secrets and passwords stored in a central AWS Secrets Manager.
Our customers run workloads across multiple CSPs — including Azure, GCP, and other AWS accounts.
Each customer’s workloads are managed by separate teams and are frequently updated, with new workloads added during onboarding.
So far:
I previously allowed access to AWS resources within my AWS Organization, but that approach was too broad and not align…
Hello everyone,
I’m looking for advice on secure, scalable, and seamless API authorization best practices across multiple cloud platforms.
Here’s the setup:
I have an API Gateway deployed in AWS, protected by IAM authorization.
These APIs handle highly sensitive operations — they perform CRUD actions on secrets and passwords stored in a central AWS Secrets Manager.
Our customers run workloads across multiple CSPs — including Azure, GCP, and other AWS accounts.
Each customer’s workloads are managed by separate teams and are frequently updated, with new workloads added during onboarding.
So far:
I previously allowed access to AWS resources within my AWS Organization, but that approach was too broad and not aligned with least-privilege practices.
Now, I plan to deploy a dedicated IAM role in each AWS account (via StackSets) and allow those roles to invoke the APIs securely.
Where I need help:
I’m looking for a similar or better approach for Azure and GCP workloads.
Long-lived credentials (like static keys or service accounts) are not acceptable due to security policies.
Using Managed Identities / Workload Identities directly attached to compute isn’t feasible in this setup.
In short —
What’s the best, secure, and scalable way for services running on Azure and GCP workloads to invoke AWS API Gateway endpoints protected by IAM, without maintaining long-lived credentials?
Any design suggestions, reference architectures, or best practices from real implementations would be greatly appreciated.
Thanks in advance!