API Gateway authentication with Cognito Federated Identities

Question

I want to use Cognito Federated Entity (allowing signin through Google etc), to allow access to API Gateway for a web javascript application. I managed to get the Cognito's sessionToken through signing-in with Google but I'm stuck on the API Gateway configuration for enabling the session token.

Is there a good tutorial for this entire Federated Entity authentication workflow?

Thanks!

Answer 1

Since you want to invoke APIs via authenticated Cognito identity, first

1. Amend the auth role of the identitypool to have api execute policy, you could just attach the managed policy "AmazonAPIGatewayInvokeFullAccess" to the respective role
2. In API gateway under respective method request, add Authorization as "AWS_IAM"

3. You need to sign the request while using "IAM" auth, explained here https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

4. Instead of #3, you could generate and download the SDK from the stage panel of your API gateway, and make a call to the api via sdk.

Once you obtain the cognito session, you could make a call using the sdk like below

var apigClient = apigClientFactory.newClient({
    accessKey: AWSCognito.config.credentials.accessKeyId,
    secretKey: AWSCognito.config.credentials.secretAccessKey,
    sessionToken: AWSCognito.config.credentials.sessionToken
});

var params = {
    // This is where any modeled request parameters should be added.
    // The key is the parameter name, as it is defined in the API in API Gateway.
};

var body = {};

var additionalParams = {
    // If there are any unmodeled query parameters or headers that must be
    //   sent with the request, add them here.
    headers: {
        'Content-Type': 'application/json'
    },
    queryParams: {}
};

apigClient.<resource><Method>(params, body, additionalParams)
.then(function(result) {
    // 
}).catch(function(err) {
    //
});