
We have a SaaS application that accesses our users' AWS account for creating S3 buckets. Since we operate in a SaaS environment, our users are not comfortable giving their permanent security credentials. We created the following method to generate temporary credentials:

  1. Create AWS Cognito User Pool with a client
  2. Create AWS Identity pool with a policy for the relevant resources

We ask our users to pass the User Pool Client ID and Identity Pool ID and then generate temporary credentials from the token received after the user logs into AWS Cognito. Source code here.

Unfortunately this is a major blocker in terms of UX. We want to make this process as seamless as how GitHub has implemented their OAuth mechanism.

We have already tried the AWS Cognito route, but right now we are exploring IAM cross-account access. We are able to generate temporary credentials but are unable to revoke them when required.

Is there a better way of implementing this?

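The cross-account approach the question is exploring, as an added example that is not part of the original post: the role trust policy the customer would attach (an ExternalId condition guards against the confused-deputy problem) and the revocation mechanism AWS provides for role sessions, a Deny statement keyed on `aws:TokenIssueTime`, with a local check showing which sessions it cuts off. Account ID, bucket ARN and ExternalId are constructed placeholders.

```python
"""Cross-account temporary credentials for a SaaS: a trust policy with an
ExternalId, and a revocation policy that invalidates every role session whose
token was issued before a cut-off (aws:TokenIssueTime), while fresh
AssumeRole calls after the cut-off keep working."""
import json
from datetime import datetime, timezone

# Constructed placeholders, not values from the original post.
SAAS_ACCOUNT_ID = "111111111111"
CUSTOMER_BUCKET_ARN = "arn:aws:s3:::customer-bucket-placeholder"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp form IAM date conditions accept


def trust_policy(saas_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in the customer's account: only the SaaS
    account may assume it, and only when it presents the per-customer
    ExternalId the SaaS generated (prevents the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{saas_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def revocation_policy(cutoff_utc: str) -> dict:
    """Inline policy to attach to the role when outstanding sessions must be
    revoked: any credential issued before `cutoff_utc` is denied everything."""
    datetime.strptime(cutoff_utc, TIME_FMT)  # validate the timestamp format
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_utc}},
        }],
    }


def session_is_revoked(policy: dict, token_issue_time_utc: str) -> bool:
    """Local mirror of the DateLessThan condition, so the policy's effect on a
    given session can be checked without calling AWS."""
    issued = datetime.strptime(token_issue_time_utc, TIME_FMT)
    for stmt in policy["Statement"]:
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and cutoff and issued < datetime.strptime(cutoff, TIME_FMT):
            return True
    return False
```

Role sessions remain valid until they expire, so the Deny policy is the way to cut them off early; a short `DurationSeconds` on the AssumeRole call limits how long a session outlives a revocation decision.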