Amazon.com, Inc.
Credential chaining for shared compute environments

Abstract:

A transform execution service obtains a first request from a client device of a customer to execute a set of instructions. In response to the request, the service provides the set of instructions and a first set of credentials to a cluster of computer nodes. The cluster submits, to the service, a second request to assume an identity of the customer, where the second request demonstrates access to the first set of credentials. In response to the second request, the service provides a second set of credentials to cause the cluster to use the second set of credentials to access an identity management service to obtain a third set of credentials to exercise a set of permissions associated with the customer. The cluster uses the third set of credentials to exercise a subset of the set of permissions to access a set of resources to execute the set of instructions.

Status:
Grant
Type:

Utility

Filing date:

30 Sep 2019

Issue date:

12 Oct 2021