CPC H04L 67/51 (2022.05) [G06F 9/45558 (2013.01); H04L 63/0853 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45595 (2013.01)]; 19 Claims

1. A method, comprising:
providing, on a first cloud platform provided by a first cloud provider, a masquerading instance metadata service configured to process instance metadata service requests that originate from a workload that is deployed on the first cloud platform and that accesses a first cloud service operating on the first cloud platform using first access credentials that are associated with a customer and that are determined according to a canonical identity that is associated with the customer and that is associated with the first access credentials;
providing a request routing element; and
configuring the request routing element to detect a communication from the workload and selectively route the communication to the masquerading instance metadata service according to whether the communication is an instance metadata service request, wherein the communication comprises data identifying the canonical identity;
wherein the masquerading instance metadata service sends, from the first cloud platform, to a second cloud service operating on a second cloud platform different from the first cloud platform and provided by a second cloud provider different from the first cloud provider, a first request that identifies the workload according to a logical identity associated with the canonical identity;
wherein the masquerading instance metadata service returns, to the workload, after receiving a response to the first request, valid credentials to the second cloud service, wherein the valid credentials are second access credentials associated with the customer allowing access by the customer to the second cloud service from the first cloud service and wherein the second access credentials are associated with the canonical identity and are invalid for accessing the first cloud service;
wherein detecting the communication from the workload and selectively routing the communication to the masquerading instance metadata service comprises:
determining, according to a destination indicated by destination data in the communication, whether the communication is an instance metadata service request according to whether the destination in the destination data is a predetermined target location that is outside of the first cloud platform or is associated with the instance metadata service; and
intercepting the communication in response to determining that the communication is an instance metadata service request requesting credentials from the second cloud platform associated, at the second cloud platform, with an identity of the workload and further in response to determining that the destination indicated by the destination data is other than the first cloud platform, and avoiding sending the communication to the second cloud platform; and
wherein the workload successfully consumes, from the first cloud service, the second cloud service operating in the second cloud platform using the valid credentials.
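The routing and credential-exchange steps of claim 1, as an added toy model in Python that is not part of the patent: the request routing element classifies a communication by its destination, hands instance metadata service (IMDS) credential requests to a masquerading IMDS, and the masquerading IMDS resolves the canonical identity to a logical identity and obtains second-cloud credentials. All addresses, identity names and credential formats are constructed, and the second cloud's token issuance is a stand-in function.

```python
# Added illustration (not from the patent): toy model of claim 1's request routing
# element and masquerading IMDS. Every address, identity and token here is constructed.
from dataclasses import dataclass

IMDS_ADDRESS = "169.254.169.254"                # conventional link-local IMDS address
SECOND_CLOUD_STS = "sts.second-cloud.example"   # constructed: predetermined target outside cloud A
FIRST_CLOUD_SUFFIX = ".first-cloud.example"     # constructed: destinations inside cloud A

# Constructed mapping from the customer's canonical identity to the logical identity
# that the second cloud (cloud B) knows the workload by.
CANONICAL_TO_LOGICAL = {"cust-42:web-tier": "b-role/web-tier"}

@dataclass
class Communication:
    destination: str          # destination data carried by the communication
    canonical_identity: str   # data identifying the canonical identity
    requests_credentials: bool

def second_cloud_token_exchange(logical_identity: str) -> dict:
    """Stand-in for the second cloud service: issues cloud-B credentials for a logical identity."""
    return {"cloud": "B", "principal": logical_identity, "token": f"B-token-for-{logical_identity}"}

def masquerading_imds(comm: Communication) -> dict:
    """Sends the first request under the logical identity and returns the resulting cloud-B credentials."""
    logical = CANONICAL_TO_LOGICAL[comm.canonical_identity]
    creds = second_cloud_token_exchange(logical)
    assert creds["cloud"] == "B"   # never hands back credentials for cloud A
    return creds

def is_imds_request(comm: Communication) -> bool:
    """Destination is the IMDS address or a predetermined target location outside cloud A."""
    return comm.destination in (IMDS_ADDRESS, SECOND_CLOUD_STS)

def is_inside_first_cloud(destination: str) -> bool:
    return destination.endswith(FIRST_CLOUD_SUFFIX)

def route(comm: Communication) -> dict:
    """Request routing element: intercept IMDS credential requests not bound for cloud A
    (the original communication is never sent on to cloud B); forward everything else."""
    if (is_imds_request(comm) and comm.requests_credentials
            and not is_inside_first_cloud(comm.destination)):
        return {"action": "intercepted", "response": masquerading_imds(comm)}
    return {"action": "forwarded", "destination": comm.destination}

def credentials_valid_for(cloud: str, creds: dict) -> bool:
    """Credentials are bound to the issuing cloud: valid for cloud B, invalid for cloud A."""
    return creds.get("cloud") == cloud
```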