1 min read, May 2, 2020
Interesting idea! I’m guessing you could use a similar approach with AssumeRoleWithWebIdentity since it supports session policies. We use OAuth 2.0 for user authentication, whereas AssumeRoleWithWebIdentity requires OpenID Connect. Furthermore, our code runs asynchronously as part of a data pipeline without an authenticated user context.
Since we use AWS IAM roles for our container tasks, credentials come from the metadata service and aren’t hardcoded anywhere.
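The comment above points at session policies on AssumeRoleWithWebIdentity as a way to narrow what a short-lived session can do. The following is an added illustration, not the commenter's code or any AWS library code: it builds a scoped-down session policy for one pipeline run and uses a deliberately simplified evaluator (Allow statements only; no Deny, NotAction, NotResource or Condition handling) to show that the effective permission is the intersection of the role's policy and the session policy, so a session policy can only remove access, never add it. Bucket and prefix names are constructed; `pipeline-data` and `run-42` are hypothetical.

```python
"""Added example: session policies can only narrow an assumed role.

Simplified model of IAM evaluation (Allow statements only; no Deny,
NotAction, NotResource or Condition support). Names are constructed."""
import fnmatch
import json

# Constructed example of what the pipeline's IAM role itself permits.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::pipeline-data/*",
        }
    ],
}


def build_session_policy(bucket: str, prefix: str) -> dict:
    """Session policy scoping one run of the job to read-only access
    on a single key prefix (bucket and prefix are hypothetical inputs)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            }
        ],
    }


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards are '*' and '?'; fnmatch covers both (it also treats
    # [...] as a character class, which IAM does not, but ARNs rarely use it).
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(x):
    # IAM allows Action/Resource to be a single string or a list.
    return x if isinstance(x, list) else [x]


def allowed_by(policy: dict, action: str, resource: str) -> bool:
    """True if any Allow statement in `policy` covers action on resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def effective_allow(role_policy: dict, session_policy: dict, action: str, resource: str) -> bool:
    """Effective permission of the session: both policies must allow it."""
    return allowed_by(role_policy, action, resource) and allowed_by(session_policy, action, resource)


def session_policy_json(bucket: str, prefix: str) -> str:
    """Serialized form suitable for the `Policy` parameter of an STS
    AssumeRoleWithWebIdentity call."""
    return json.dumps(build_session_policy(bucket, prefix), separators=(",", ":"))


if __name__ == "__main__":
    sp = build_session_policy("pipeline-data", "run-42")
    for action, res in [
        ("s3:GetObject", "arn:aws:s3:::pipeline-data/run-42/input.csv"),
        ("s3:GetObject", "arn:aws:s3:::pipeline-data/run-43/input.csv"),
        ("s3:PutObject", "arn:aws:s3:::pipeline-data/run-42/output.csv"),
    ]:
        print(action, res, "->", effective_allow(ROLE_POLICY, sp, action, res))
```

In a real call the string from `session_policy_json` goes in the `Policy` parameter of `assume_role_with_web_identity` (boto3's STS client exposes it under that name); the role's own trust and permission policies still bound the result, which is exactly what the evaluator demonstrates when the session policy names a bucket the role cannot reach.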