cyrfer/lambda-sigv4


lambda-sigv4

sign requests with sigv4 from a lambda

As AWS continues to dominate the IT landscape, APIs will be created more and more frequently using AWS API Gateway. API Gateway implements authorization using Signature Version 4 (SigV4). For many B2B applications, consumers of these APIs will themselves be running in AWS, and more commonly in AWS Lambda. A common developer challenge will be to correctly sign requests from one AWS infrastructure so that they are authorized by another AWS infrastructure.

Both parties must take steps to allow this B2B authorization. One option is to create a User in the infrastructure offering the API. IT teams often call these "service accounts": they are intended to be used only by application code, not by an actual human. The app consuming the API will sign requests with the credentials generated by the API business. There is a security risk when credentials are passed around between developers, operations teams, and project managers.

Another option, potentially more secure, is to whitelist the AWS account consuming the API. The infrastructure for the company offering the API will need to be modified slightly, which may not be scalable if a high number of partners integrate. A combination of IAM and Resource policies can allow the Lambda role credentials to be used to sign requests with SigV4 and authorize access. This code repo illustrates how to sign requests when a consuming account has been whitelisted by the API offeror.
