We have an existing microservice that deals with access control; it's Spring Boot with a Postgres RDS DB, and the model and code in there deal with roles and groups and all that stuff. Not IAM, but a custom access management solution.
You can imagine that when a request is made to a service, it will call this access control service to decide whether or not to action the request, i.e. is the requester actually allowed to ask me to do this?
It has been proposed that we use API Gateway with a Lambda authorizer. On the face of it this sounds reasonable; however, given the fine-grained nature of the read access controls, the Lambda authorizer would need to call the existing access control service over HTTP. Although I don't see any reason why this would not work, it seems like it would be a) slow and b) possibly a misuse of Lambda authorizers?
The examples I have seen use DynamoDB, which stores canned policies for fine-grained access control and would be called directly from the Lambda; we would need to call the Spring Boot service over HTTP and fashion an IAM response given what it says.
Would you recommend/not recommend this approach? I am fairly new to AWS.
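The authorizer shape described in the question, as an added example that is not code from the poster's system: a Python Lambda TOKEN authorizer that asks the access-control service over HTTP, fails closed on any error or timeout, and scopes the returned policy to the exact method ARN. The service URL, its `/authorize` endpoint and its `{"allowed": bool, "principalId": str}` reply are assumptions; `stub_service` is a constructed stand-in so the code runs offline.

```python
import json
import os
import urllib.request
from urllib.error import URLError

# Assumed: base URL of the existing Spring Boot access-control service.
ACCESS_SERVICE_URL = os.environ.get("ACCESS_SERVICE_URL", "http://access-control.internal")
TIMEOUT_SECONDS = 2  # bound the extra latency the authorizer adds per request

def ask_access_service(token, method_arn, opener=urllib.request.urlopen):
    """POST the caller's token and target ARN to the (assumed) /authorize endpoint.
    Any network error, timeout or malformed reply is treated as a deny (fail closed)."""
    body = json.dumps({"token": token, "resource": method_arn}).encode()
    req = urllib.request.Request(ACCESS_SERVICE_URL + "/authorize", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with opener(req, timeout=TIMEOUT_SECONDS) as resp:
            data = json.load(resp)
        return bool(data.get("allowed")), str(data.get("principalId", "anonymous"))
    except (URLError, OSError, ValueError, AttributeError):
        return False, "anonymous"

def build_policy(principal_id, effect, method_arn):
    """IAM policy document in the shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": method_arn}],
        },
    }

def handler(event, context=None, opener=urllib.request.urlopen):
    token = event.get("authorizationToken") or ""   # TOKEN authorizer event field
    method_arn = event.get("methodArn", "")
    if not token or not method_arn:
        return build_policy("anonymous", "Deny", method_arn or "*")
    allowed, principal = ask_access_service(token, method_arn, opener)
    # Resource is the exact methodArn on purpose: API Gateway caches the policy per
    # token, so a wildcard Resource would let one decision cover every route.
    return build_policy(principal, "Allow" if allowed else "Deny", method_arn)

def stub_service(allowed, principal="user-1", down=False):
    """Constructed offline stand-in for the HTTP service (not part of the real design)."""
    class _Resp:
        def read(self):
            return json.dumps({"allowed": allowed, "principalId": principal}).encode()
        def __enter__(self): return self
        def __exit__(self, *exc): return False
    def opener(req, timeout=None):
        if down:
            raise OSError("connection refused")
        return _Resp()
    return opener
```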