"Who can use Login with Amazon? There are two types of users: (a) Customers using their Amazon account via Login with Amazon to sign into third-party sites/apps instead of creating a new user name and password for each site/app. (b) Third-party site/app developers that integrate with Login with Amazon to reduce registration and authentication friction."
[On behalf of: dkavanagh] I would ask if that first category of users also includes IAM users? There is a special way that IAM users with a password can log in to the AWS Mgmt Console which includes the account ID in the URL. I wonder if there is any way to allow those users to authenticate via this mechanism? This is important for our application that uses AssumeRoleWithWebIdentity to get session credentials. David
[On behalf of: dkavanagh] Thanks for getting back to me about this. We have an EC2-compatible user console that we would like to let our users use against AWS, but using easy-to-remember username/password login. We think it will be more secure than keeping copies of their access keys in our product. I've integrated "Login with Amazon" and can then call AssumeRoleWithWebIdentity to get session tokens. That works just fine for a top-level account that has AWS enabled. We'd like to have this work for IAM users as well for all the reasons that AWS allows IAM users with separate roles and policies. Does this make sense? I could elaborate or answer questions if you have any. David
[On behalf of: dkavanagh] Yes, that's correct. To be clear, I work for Eucalyptus on our user console. We have customers who would like to use our console, not only for Eucalyptus, but AWS resources as well. We're just hoping to make that as seamless as possible.