Is it really not possible to federate to an IAM role, from a Cognito client credential flow access token? Due to missing audience claim. Paging knowledgeable @ben11kehoe @__steele.

Yay, great to see this out! We describe how to enforce data and service access control at scale, without constraining developer velocity(too much). For us it turned out to be a mix of RBAC and ABAC and combinations of the two. Mixing #okta and #aws is a great for authn and authz.

@anrizal.

We wrote a bit on how we approach application design when thinking about data management at scale! Give it a read, and provide comments/feedback

RT @AWSBlogs: New Big Data post by Alessandro Fior, Anwar Rizal, Hassen Riahi, Jonatan Selsing, Kumari Ramar and Moses Arthur:. How Novo No….

Fantastic experience working with @aws to fix #bugs. I found that #EventBridge API destination client credential flow using AWS #Cognito to hit #AppSync, was not working. The teams were responsive and fixed the issue within weeks👏. Now we have async AppSync invocations in EDAs.

This is fantastic. The tie to the credential process functionality means that in cases where the PKI infrastructure is already setup, this becomes an extremely convenient way to federate. Even for laptops. I very much look forward to digging into this! Well done, #AWS.

Is there a good way to get success/failure-type responses in event-driven architectures across service boundaries that crosses accounts, without having to build a response messaging flow? Or are there other ways to track message effects in larger systems. @donkersgood @boyney123.

We have switched over to #oauth client credential flow, which works like a charm, but most guides are based on the other pattern. Which will get you in bind.

Using API key as auth for #EventBridge API destination is basically built for breakage if you provision with IaC. There is no good way to rotate key used - especially when the key itself is generated by something like #appsync. This feel like it could use polishing #awswishlist.

Fantastic updates from the AppSync team. GraphQL is so powerful, but the developer experience is one of the hardest parts! More of this, please!.

Thanks a lot @jeffbarr for spending your time with us in the Copenhagen AWS user group. Really fantastic to hear your perspective on blogging and the #aws leadership principles. And thanks Antonio Lagrotteria for organising!.

#serverlesspresso

Had a blast at #awssummitstockholm. I got to speak at a large stage, talk to great vendors, order coffee from #ServerlessEspresso and chat with @NMoutschen about using EventBridge and API destinations with rule transforms. Thanks a lot for a great event, #aws.

Come and join me and Stefan Krist when we talk a bit about how you can think about data at scale, tomorrow at #AWSSummit Stockholm in session AN-01. The room fits … quite a few people …

RT @theburningmonk: The no. 1 question I get about #serverless is around testing - how should I test these cloud-hosted functions? Should I….

I’m am once again fighting with ABAC and #awscognito. It would be fantastic if principal tags could be applied dynamically with pretokengeneration hook, instead of more static resolutions from cognito attribute maps. #awswishlist.

I’m restarting my speaking career, after leaving academia. Come to #stockholm #awssummit to hear me and Stefan talk how data and AWS go hand in hand. I will present how we @novonordisk think about data at scale!

Also, is this not one of the lowest bars for executing code in an AWS account using a IAM principal for the session? Using this should be treated with some care.

Hmm, lambda function URLs #FURLs. I think this will probably open avenues of mistakes that have previously been protected behind “how you publish” lambda execution functionality. I hope adequate proactive protection is on accounts from AWS side.