US 12,452,244 B2
Virtual service authorization
Gregory Branchek Roth, Seattle, WA (US); Eric Jason Brandwine, Haymarket, VA (US); and Graeme David Baer, Bellevue, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Feb. 11, 2021, as Appl. No. 17/173,584.
Application 17/173,584 is a continuation of application No. 14/576,141, filed on Dec. 18, 2014, granted, now 10,924,482.
Prior Publication US 2022/0029993 A1, Jan. 27, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/62 (2013.01)
CPC H04L 63/0892 (2013.01) [H04L 63/10 (2013.01); H04L 63/12 (2013.01); G06F 21/62 (2013.01); G06F 2221/2141 (2013.01)]
22 Claims
1. A computer-implemented method, comprising:
obtaining, from a user, a first application programming interface (API) request formatted in accordance with a customer-defined syntax that is formatted in a way that does not comply with a second syntax, the first API request being digitally signed and provided with a digital signature and comprising:
a first identifier of a resource hosted by a service of a computing resource service provider for the user of the computing resource service provider; and
a first representation of an operation to perform with respect to the resource;
using data from the first API request to verify the user submitting the first API request including at least the digital signature of the first API request;
as a result of verifying submission of the first API request, obtaining a policy, at the service hosted by the computing resource service provider, applicable to the first API request that indicates constraints for authorization of the first API request and comprises a set of request-mapping rules, the constraints for authorization including identifying an authorized role associated with one or more users including the user submitting the first API request;
determining attributes of the first API request to utilize in connection with the policy;
using the policy to determine one or more operations, based at least in part on the attributes, that are authorized to be performed by the user by comparing at least one operation associated with the first API request to authorized operations specified by the policy to determine if the at least one operation associated with the first API request is authorized;
applying, at the service hosted by the computing resource service provider, the set of request-mapping rules to the obtained first API request to generate a second API request that complies with the second syntax of another service of the computing resource service provider and that comprises:
a second identifier of the resource; and
a second representation of the operation; and
transmitting the second API request to the other service.
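The sequence recited in claim 1 (verify the signature, authorize against the policy, then apply the request-mapping rules) can be sketched as follows; this is an added illustration, not code from the patent or from any implementation by the assignee. HMAC-SHA256 as the signature scheme, the `operation:resource` customer syntax, the policy layout and every name below are assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo data: key store, policy layout and names are hypothetical.
USER_KEYS = {"alice": b"constructed-demo-key"}
POLICY = {
    "role": "storage-operator",
    "role_members": {"alice"},
    "allowed_operations": {"fetch"},
    # Request-mapping rules: customer-defined syntax -> second service's syntax.
    "operation_map": {"fetch": "GetObject", "erase": "DeleteObject"},
    "resource_template": "backend://objects/{resource}",
}

def sign(user, body):
    """Client side: sign the raw request bytes (HMAC-SHA256 assumed)."""
    return hmac.new(USER_KEYS[user], body, hashlib.sha256).hexdigest()

def parse_custom(body):
    """Assumed customer-defined syntax: b'<operation>:<resource>'."""
    op, sep, resource = body.decode("utf-8").partition(":")
    if not sep or not re.fullmatch(r"[A-Za-z0-9_-]+", resource):
        raise ValueError("malformed request")
    return op, resource

def handle(user, body, signature, policy=POLICY):
    """Return the second API request, or raise if any check fails."""
    # 1. Verify the signature over the raw bytes before trusting any field.
    key = USER_KEYS.get(user)
    expected = hmac.new(key or b"", body, hashlib.sha256).hexdigest()
    if key is None or not hmac.compare_digest(expected.encode(), signature.encode()):
        raise PermissionError("signature verification failed")
    # 2. Determine the request attributes the policy is evaluated against.
    op, resource = parse_custom(body)
    # 3. Authorize: the user must hold the role and the operation must be allowed.
    #    A mapping rule existing for an operation does not make it authorized.
    if user not in policy["role_members"] or op not in policy["allowed_operations"]:
        raise PermissionError("operation not authorized by policy")
    # 4. Apply the mapping rules to build the request for the other service.
    return {
        "Action": policy["operation_map"][op],
        "Resource": policy["resource_template"].format(resource=resource),
    }
```

The function returns the second request rather than sending it, so the transmitting step is left to the caller.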