2.1.8 Cross-Service Authentication in Microservices

Patterns

Pattern                  | Description                                   | Use Case
IAM Roles                | Service assumes a role to call another service | AWS service-to-service
API Gateway + Authorizer | Centralized auth gateway                      | External-facing APIs
Service Mesh (App Mesh)  | mTLS between services                         | ECS/EKS microservices
VPC Endpoints            | Private connectivity                          | Internal AWS service calls

IAM Role-based (AWS Services)

Lambda A (Role A) → STS AssumeRole → Role B → Call Service B
  • Lambda execution role grants the permissions needed to call other services
  • ECS Task Role for container-level permissions
  • Least privilege: each service gets only the permissions it needs

API Gateway as Auth Gateway

Client → API Gateway → Lambda Authorizer → Validate token
                     → Route to microservice A
                     → Route to microservice B
  • Centralized authentication/authorization
  • Rate limiting, throttling
  • API keys for usage plans
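The Lambda Authorizer step above, as an added example (not code from the original notes): a TOKEN authorizer that verifies an HMAC-signed bearer token, checks that the token's scopes cover the requested route, and returns the IAM policy document API Gateway expects. The token format, SECRET and ROUTE_SCOPES mapping are constructed assumptions; a real deployment would validate a JWT from the identity provider and load the secret from Secrets Manager or SSM.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed: in a real deployment the secret comes from Secrets Manager / SSM
SECRET = b"constructed-demo-secret"
# Assumed: route key -> scope the caller must hold (per-microservice authorization)
ROUTE_SCOPES = {"GET/orders": "orders:read", "POST/payments": "payments:write"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, scopes, ttl=300, now=None):
    """Issue a demo token: base64url(claims JSON) + '.' + base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    try:
        presented = _unb64url(sig)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return None
    try:
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context=None):
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        # Forwarded to the backend as $context.authorizer.*; values must be scalars
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer (event has authorizationToken + methodArn)."""
    method_arn = event["methodArn"]
    # arn:aws:execute-api:<region>:<acct>:<api-id>/<stage>/<VERB>/<path>
    _api, _stage, verb, *path = method_arn.split("/")
    route = f"{verb}/{'/'.join(path)}"
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else ""
    claims = verify_token(token, now=now)
    if claims is None:
        # Returning Deny yields 403; raising Exception("Unauthorized") would yield 401
        return build_policy("anonymous", "Deny", method_arn)
    needed = ROUTE_SCOPES.get(route)
    if needed is None or needed not in claims["scopes"]:
        return build_policy(claims["sub"], "Deny", method_arn)
    return build_policy(claims["sub"], "Allow", method_arn,
                        {"sub": claims["sub"], "scopes": " ".join(claims["scopes"])})
```

The authorizer does authentication (signature, expiry) and coarse authorization (scope per route) in one place; the backend microservices only see the forwarded `context` and never handle raw tokens. The `now` parameter exists so expiry can be tested deterministically.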

Service-to-Service with STS

Service A → STS AssumeRole (Role for Service B) → Call Service B API
  • Temporary credentials for each cross-service call
  • Audit trail via CloudTrail
  • Role chaining: max 1 hour session
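The STS flow above (and the Lambda A → Role B flow in the IAM Role-based section), as an added example that is not part of the original notes: the three least-privilege pieces that make "Service A assumes Role B" work, built as policy documents, plus the AssumeRole call itself. Role B's trust policy names Role A as the only principal; Role A's permission policy allows sts:AssumeRole on Role B only; Role B's permission policy grants just the table actions Service B's API needs. All ARNs are constructed placeholders. Because Role A's own credentials are temporary (a Lambda execution role or ECS task role), the AssumeRole counts as role chaining, so DurationSeconds is clamped to 1 hour; boto3 is imported lazily so the policy builders run without the SDK.

```python
import json

# Role chaining (a role's temporary creds used to assume another role) caps sessions at 1 hour
MAX_CHAINED_SESSION_SECONDS = 3600


def build_trust_policy(caller_role_arn):
    """Trust policy attached to Role B: only Role A (the caller) may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": caller_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def build_caller_policy(target_role_arn):
    """Statement for Role A's permission policy: may assume Role B and no other role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def build_target_policy(table_arn):
    """Permission policy for Role B: only the read actions Service B's API needs, on one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": table_arn,
        }],
    }


def session_duration(requested_seconds, chained=True):
    """Clamp DurationSeconds so a chained AssumeRole is not rejected by STS."""
    if chained:
        return min(requested_seconds, MAX_CHAINED_SESSION_SECONDS)
    return requested_seconds


def assume_service_role(role_arn, session_name, requested_seconds=3600, chained=True):
    """Service A -> STS AssumeRole(Role B) -> client holding temporary creds for Service B's data."""
    import boto3  # imported lazily so the policy builders above run without the SDK

    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # shows in CloudTrail for every call made with these creds
        DurationSeconds=session_duration(requested_seconds, chained),
    )["Credentials"]
    return boto3.client(
        "dynamodb",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    # Constructed placeholder ARNs
    role_a = "arn:aws:iam::111111111111:role/service-a-lambda-role"
    role_b = "arn:aws:iam::111111111111:role/service-b-access-role"
    table = "arn:aws:dynamodb:us-east-1:111111111111:table/orders"
    print(json.dumps(build_trust_policy(role_a), indent=2))
    print(json.dumps(build_caller_policy(role_b), indent=2))
    print(json.dumps(build_target_policy(table), indent=2))
```

Both halves of the trust relationship are required: a trust policy on Role B alone is not enough if Role A's permission policy lacks sts:AssumeRole on that ARN, and granting Role A `sts:AssumeRole` on `*` would let it reach any role that trusts it.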

VPC Endpoints

  • Private connectivity between VPCs or to AWS services
  • Traffic does not traverse the internet
  • Interface endpoints (ENI) or Gateway endpoints (S3, DynamoDB)

Exam Tip: Microservices auth = IAM Roles + least privilege. API Gateway for external-facing APIs. VPC Endpoints for private internal communication. Role chaining max 1 hour.