| CPC H04L 63/0838 (2013.01) [H04L 63/20 (2013.01)] | 20 Claims |

1. A method for role-based permission delegation in a provider network, the method comprising:
delegating, to an assuming service in the provider network, permission to assume a delegation role, wherein the permission is granted by a customer to a delegating service in the provider network, and wherein the assuming service and the delegating service are discrete units of software or hardware functionality provided by the provider network that can be accessed remotely and acted upon and updated independently of one another;
sending, by the assuming service to a temporary credential service in the provider network, a request to assume the delegation role, the delegation role comprising a permission policy, the permission policy of the delegation role allowing assumption by the assuming service of a customer role under a condition, the customer role comprising a permission policy, the permission policy of the customer role allowing a set of actions on a customer resource, the condition requiring the customer role to be assumed with permission to perform a strict subset of the set of actions on the customer resource, wherein the strict subset of the set of actions is less than all the actions in the set of actions;
sending, by the assuming service acting in the delegation role to the temporary credential service, a request to assume the customer role, the request to assume the customer role requesting permission to perform the strict subset of the set of actions on the customer resource; and
performing, by the assuming service acting in the customer role with permission to perform the strict subset of the set of actions on the customer resource, a particular action in the strict subset of the set of actions on the customer resource.
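The two-hop assumption in claim 1 is easier to follow as a runnable model. The following is an added illustrative simulation written for this page, not the patent's implementation and not any provider's actual API: the service, role, action and resource names (`assuming-service`, `DelegationRole`, `CustomerDataRole`, `storage:*`, `customer-bucket`) are hypothetical. It models a temporary credential service that (1) lets the assuming service assume the delegation role because the permission granted to the delegating service was delegated on to it, (2) lets a session in the delegation role assume the customer role only when the requested actions are a non-empty strict subset of the customer role's permission policy, and (3) enforces the scoped session when an action is performed.

```python
"""Toy model of the role-based permission delegation flow in claim 1.

Illustrative code only; names of services, roles, actions and resources are
hypothetical and not drawn from the claim or from any real provider.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Union


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Role:
    name: str
    trusted_principals: FrozenSet[str]            # who may send an AssumeRole for this role
    allowed_actions: FrozenSet[str] = frozenset()  # permission policy: actions on `resource`
    resource: Optional[str] = None
    assumable_role: Optional[str] = None          # delegation role only: the customer role it may assume


@dataclass(frozen=True)
class Session:
    """A temporary credential: a principal acting in a role with a scoped action set."""
    principal: str
    role: str
    actions: FrozenSet[str]
    resource: Optional[str]

    @property
    def identity(self) -> str:
        return f"role:{self.role}"


class TemporaryCredentialService:
    """Hypothetical stand-in for the claim's temporary credential service."""

    def __init__(self, roles: Iterable[Role]):
        self.roles = {r.name: r for r in roles}

    def assume_role(self, caller: Union[str, Session], role_name: str,
                    requested_actions: Optional[Iterable[str]] = None) -> Session:
        role = self.roles[role_name]
        caller_id = caller.identity if isinstance(caller, Session) else caller
        principal = caller.principal if isinstance(caller, Session) else caller
        if caller_id not in role.trusted_principals:
            raise AccessDenied(f"{caller_id} is not trusted to assume {role_name}")

        if isinstance(caller, Session):
            # Second hop: the caller acts in a delegation role, so the delegation
            # role's condition applies: the customer role may only be assumed
            # with a non-empty strict subset of its allowed actions.
            delegating = self.roles[caller.role]
            if delegating.assumable_role != role_name:
                raise AccessDenied(f"{caller.role} may not assume {role_name}")
            if requested_actions is None:
                raise AccessDenied("delegated assumption must scope its actions")
            requested = frozenset(requested_actions)
            if not requested or not requested < role.allowed_actions:
                raise AccessDenied("requested actions must be a non-empty strict subset")
            return Session(principal, role_name, requested, role.resource)

        # First hop: a service assumes a role in its own right and receives the
        # role's full permission policy (empty for a pure delegation role).
        return Session(principal, role_name, role.allowed_actions, role.resource)

    def perform(self, session: Session, action: str, resource: str) -> str:
        # The scoped session, not the customer role's full policy, is what counts here.
        if resource != session.resource or action not in session.actions:
            raise AccessDenied(f"{session.role} session may not {action} on {resource}")
        return f"{session.principal} as {session.role} performed {action} on {resource}"


def build_service() -> TemporaryCredentialService:
    customer_role = Role(
        name="CustomerDataRole",
        trusted_principals=frozenset({"customer", "role:DelegationRole"}),
        allowed_actions=frozenset({"storage:GetObject", "storage:PutObject", "storage:DeleteObject"}),
        resource="customer-bucket",
    )
    delegation_role = Role(
        name="DelegationRole",
        # The customer granted this to the delegating service, which delegated it on.
        trusted_principals=frozenset({"assuming-service"}),
        assumable_role="CustomerDataRole",
    )
    return TemporaryCredentialService([customer_role, delegation_role])


def run_claim_flow():
    """The happy path of claim 1: hop into the delegation role, then into the customer role."""
    svc = build_service()
    hop1 = svc.assume_role("assuming-service", "DelegationRole")
    hop2 = svc.assume_role(hop1, "CustomerDataRole", {"storage:GetObject"})
    result = svc.perform(hop2, "storage:GetObject", "customer-bucket")
    return hop1, hop2, result


def is_denied(fn, *args) -> bool:
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

The strict-subset condition is the security-relevant part: a session that requests the customer role's full action set is refused, as is a request that bypasses the delegation role, and a session scoped to `storage:GetObject` cannot later delete from the resource even though the customer role itself allows it.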