Title: Use of metadata for computing resource access
Abstract: Systems and methods for controlling access to one or more computing resources generate session credentials that can be used to access those resources. Access to the computing resources may be governed by a set of policies, and requests made using the session credentials may be fulfilled depending on whether the policies allow them. The session credentials themselves may carry metadata that is consulted when deciding whether to fulfill a request to access the resources. The metadata may include permissions for the user of the session credential, claims related to one or more users, and other information.
Publication number: US8973108(B1)   Publication date: 2015.03.03
Application number: US201113149619   Filing date: 2011.05.31
Applicant: Amazon Technologies, Inc.   Inventors: Roth Gregory B.; O'Neill Kevin Ross; Brandwine Eric Jason; Pratt Brian Irl; Behm Bradley Jeffery; Fitch Nathan R.
Classification: H04L29/06; H04L9/32   Main classification: H04L29/06
Agent: Kilpatrick Townsend & Stockton LLP   Attorney: Kilpatrick Townsend & Stockton LLP
Independent claim: 1. A computer-implemented method for controlling access to one or more computing resources, comprising: receiving, by a computer system of one or more computer systems, the computer system having one or more computing devices, a request for a session credential subsequent to successful completion of an authentication process by a user, the session credential including information enabling the user to delegate access to a specified delegatee, the information having data identifying the specified delegatee; generating, with the one or more computer systems, a session credential that encodes information identifying a type of the authentication process successfully completed by the user and one or more policies applicable to the specified delegatee; transmitting the session credential to the specified delegatee, the session credential being opaque to the specified delegatee and provided from the user to the specified delegatee; receiving the generated session credential in connection with a request from the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems generating the session credential; determining the type of authentication process successfully completed by the user, whether the user is authorized to delegate access to the specified delegatee, and whether the specified delegatee is authorized to access the one or more computing resources, based at least in part on the information encoded by the session credential; determining, based at least in part on the information identifying the type of authentication process and the one or more policies applicable to the specified delegatee encoded by the session credential, whether to fulfill the request; and, when determined to fulfill the request, providing to the specified delegatee the requested access to the one or more computing resources.
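The claim describes a two-party flow: a credential service issues a session credential after the delegating user authenticates, the credential encodes the delegatee's identity, the authentication type the delegator completed and the policies the delegatee may exercise, and a separate resource service later decodes that metadata to decide whether to fulfill a request. The following Python is an added illustration of that flow, not code from the patent or from Amazon. Everything in it is assumed: the credential is a base64url JSON payload bound by an HMAC-SHA256 tag under a key shared by the issuer and the resource service, the principals, policies and the rule that writes require MFA are constructed sample data, and "opaque" is approximated by integrity protection only (a real issuer would also encrypt the payload or hand out a random handle resolved server-side so the delegatee cannot read the metadata). Delegation is narrowed to the intersection of the delegator's and delegatee's own permissions so that handing out a credential can never escalate privilege.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import secrets
import time

# Assumed: one symmetric key shared by the credential service and the
# resource service. Constructed fresh here so the example runs offline.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample policy store: what each principal may do, and whom it
# may delegate to. (Hypothetical names; nothing here comes from the patent.)
PRINCIPAL_POLICY = {
    "alice": {
        "allow": [("storage:Get", "reports/*"), ("storage:Put", "reports/*")],
        "may_delegate_to": ["build-bot"],
    },
    "build-bot": {
        "allow": [("storage:Get", "reports/*"), ("storage:Put", "reports/*"),
                  ("storage:Get", "artifacts/*")],
        "may_delegate_to": [],
    },
}

# Constructed resource-side rule: which authentication type the *delegating*
# user must have completed for each action. Writes demand MFA.
REQUIRED_AUTH = {
    "storage:Get": {"password", "mfa"},
    "storage:Put": {"mfa"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_credential(user, auth_type, delegatee, ttl=900, now=None, key=ISSUER_KEY):
    """Credential service. Called after `user` completed authentication of
    type `auth_type` and asked to delegate to `delegatee`. Refuses delegation
    the policy store does not allow, then encodes delegator, delegatee, the
    auth type and the effective policy (delegator AND delegatee permissions)."""
    user_pol = PRINCIPAL_POLICY.get(user)
    if user_pol is None or delegatee not in user_pol["may_delegate_to"]:
        raise PermissionError(f"{user} may not delegate to {delegatee}")
    delegatee_pol = PRINCIPAL_POLICY.get(delegatee, {"allow": []})
    effective = sorted(set(user_pol["allow"]) & set(delegatee_pol["allow"]))
    now = time.time() if now is None else now
    payload = {
        "delegator": user,
        "delegatee": delegatee,
        "auth_type": auth_type,
        "policy": [{"action": a, "resource": r} for a, r in effective],
        "iat": int(now),
        "exp": int(now) + ttl,
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def authorize(credential, presenter, action, resource, now=None, key=ISSUER_KEY):
    """Resource service. Verifies the credential, then decides from the
    encoded metadata alone. Returns (allowed, reason)."""
    try:
        body, tag = credential.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return False, "bad signature"          # tampered or forged
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False, "expired"
    if presenter != claims["delegatee"]:
        return False, "credential not issued to presenter"
    if claims["auth_type"] not in REQUIRED_AUTH.get(action, set()):
        return False, f"{action} requires stronger authentication than {claims['auth_type']}"
    for stmt in claims["policy"]:
        if stmt["action"] == action and fnmatch.fnmatchcase(resource, stmt["resource"]):
            return True, "allowed"
    return False, "no policy statement matches"


if __name__ == "__main__":
    cred = issue_session_credential("alice", "mfa", "build-bot", now=1000)
    print(authorize(cred, "build-bot", "storage:Put", "reports/q1.csv", now=1100))
    print(authorize(cred, "build-bot", "storage:Get", "artifacts/a.tgz", now=1100))
    pw = issue_session_credential("alice", "password", "build-bot", now=1000)
    print(authorize(pw, "build-bot", "storage:Put", "reports/q1.csv", now=1100))
```

The points worth checking in practice are the ones the resource service decides without consulting the issuer: the presenter must be the encoded delegatee (a stolen credential used by another principal fails), the delegator's authentication type gates sensitive actions (a password-only session cannot write even though the delegatee could with MFA), and the delegatee cannot reach resources the delegator never had (artifacts/* is refused although build-bot's own policy allows it). Expiry and a constant-time MAC comparison close the remaining obvious gaps; key rotation and revocation are out of scope here.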
Address: Reno NV US