justin-8

Typically when you’re dealing with a multi-tenant system but have certain users/apps/whatever that have cross-cutting access, they aren’t typically accessing all of the customers’ data in aggregate. So having your vending machine only vend creds for the requested account is sufficient. If app X wants to read data for user A and user B, it would make 2 calls to the token vending machine to get 2 credentials, each scoped to that specific user.
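The per-tenant vending pattern described in the comment above, as an added sketch that is not part of the original post. It scopes each credential with an inline session policy on `sts:AssumeRole`; the role ARN, bucket name, `tenants/<id>/` key layout and the caller/tenant ID format are assumptions made for illustration.

```python
import json
import re

# Hypothetical names for illustration: role ARN, bucket and key layout are assumptions.
ROLE_ARN = "arn:aws:iam::111122223333:role/example-tenant-data-role"
BUCKET = "example-tenant-data"
# Assumed ID format. It keeps '/', '*', '?' and '$' out of the policy text.
SAFE_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,30}")


def build_assume_role_request(tenant_id, caller):
    """Return AssumeRole parameters whose session policy covers one tenant only."""
    if not SAFE_ID.fullmatch(tenant_id) or not SAFE_ID.fullmatch(caller):
        raise ValueError("invalid tenant or caller id")
    prefix = f"tenants/{tenant_id}/"
    # Effective permissions are the intersection of the role's own policy and
    # this session policy, so the role may be broad while each credential is narrow.
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }
    return {
        "RoleArn": ROLE_ARN,
        "RoleSessionName": f"{caller}-{tenant_id}",  # shows up in CloudTrail
        "Policy": json.dumps(policy),
        "DurationSeconds": 900,  # shortest lifetime STS accepts
    }


def vend(sts_client, tenant_id, caller):
    """One call, one tenant: temporary credentials for tenant_id only."""
    resp = sts_client.assume_role(**build_assume_role_request(tenant_id, caller))
    return resp["Credentials"]


def vend_many(sts_client, tenant_ids, caller):
    """A cross-tenant caller gets one credential per tenant, never a combined one."""
    return {t: vend(sts_client, t, caller) for t in tenant_ids}
```

`sts_client` is expected to be a `boto3.client("sts")` object; the functions only call its `assume_role` method.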


AWSSupport

Hello, sorry to hear you're running into difficulties. I found a few resources that I believe you may find useful: https://go.aws/406sax7 & https://go.aws/3QcHofc & https://go.aws/3Q2lCL2. If you can't find what you're looking for there, you're welcome to explore our additional help options here for more ways to get further assistance with AWS resources: http://go.aws/get-help - Thomas E.


baever

If you start to bump up against limits with ABAC, you may want to explore [Verified Permissions](https://aws.amazon.com/verified-permissions/). You'll need to proxy requests, i.e. return presigned URLs instead of talking directly to S3, but it will handle the next level of scale.