Using trusted identity propagation with customer managed applications
Trusted identity propagation enables a customer managed application to request access to data in AWS services on behalf of a user. Data access management is based on a user’s identity, so administrators can grant access based on users' existing user and group memberships. The user's identity, actions performed on their behalf, and other events are recorded in service-specific logs and CloudTrail events.
With trusted identity propagation, a user can sign in to a customer managed application, and that application can pass the user's identity in requests to access data in AWS services.
Important
To access an AWS service, customer managed applications must obtain a token from a trusted token issuer, which is external to IAM Identity Center. A trusted token issuer is an OAuth 2.0 authorization server that creates signed tokens. These tokens authorize applications that initiate requests for access to AWS services (receiving applications). For more information, see Using applications with a trusted token issuer.