
AWS API Gateway: API available for authenticated and guest users only

I'm quite new to AWS and I try to understand some basic concepts. In my Android app, I use:

  • Cognito User Pool and Identity Pool to allow my users to register and sign in, but also to use the app as guest users
  • API Gateway and AWS Lambda to create webservices that the app can call

My use case is very simple: I want some of the APIs I created in API Gateway to be available for my authenticated users and my guest users, and the other APIs available for my authenticated users only.

For the APIs available for my authenticated users only, I was thinking of putting the users in a group of users (thanks to CognitoIdentityServiceProvider.adminAddUserToGroup()), that can have a common role with an IAM strategy attached to it, to allow them to access those APIs. I think it makes sense since I'll have different types of users, so I'll use a group for each type.

But for the APIs available for my authenticated users and my guest users, I'm not quite sure of what I'm supposed to do. Should the APIs be public, so they can be called by anyone including my guest users, or is it possible to make them only available for my authenticated users and my guest users, but without being public? What are the good practices and how can I achieve them?

Thanks for your help.

matteoh asked Jan 30 '26 06:01


1 Answer

Here is how I did, using the console:

  1. In API Gateway, click on the resource, then the method (GET, POST...)
  2. Click on Method Request
  3. For Authorization, choose AWS_IAM
  4. In Cognito, choose Manage Identity Pools
  5. Create (or edit) the identity pool you use with your Cognito User Pool
  6. In the Unauthenticated identities block, check Enable access to unauthenticated identities
  7. On the same page (at least if you edit the identity pool), you should also see the Authenticated role and the Unauthenticated role
  8. Go to IAM, and in Roles, find those two roles
  9. For each role, click on it, and in the Permissions tab, click on the policy attached to that role to view it (with the little arrow on the left)
  10. Click on Edit policy, then the JSON tab, then add the following block (you can find the ARN by going to API Gateway, click on your API, click on your resource, click on your method: you'll find the ARN in the Method request block):

      {
          "Effect": "Allow",
          "Action": [
              "execute-api:Invoke"
          ],
          "Resource": "<the_arn_of_your_resource_api>"
      }

  11. Click on Review policy, then Save changes
matteoh answered Feb 01 '26 21:02
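To show how the two Cognito roles end up with different execute-api permissions (guests only get the shared methods, signed-in users get everything), here is an added example that is not part of the answer above. The region, account id, API id, stage and method list are constructed placeholders, and policy_allows() is a simplified matcher for this Allow-only case, not a full IAM evaluator.

```python
import json
import fnmatch

# Constructed placeholder values; replace with your own region, account, API id and stage.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
API_ID = "abcde12345"
STAGE = "prod"

# (HTTP verb, resource path) pairs, as they appear in the execute-api ARN.
# Shared methods are callable by guests and signed-in users; the rest are signed-in only.
SHARED_METHODS = [("GET", "items"), ("GET", "items/*")]
AUTH_ONLY_METHODS = [("POST", "items"), ("DELETE", "items/*")]


def method_arn(verb, path):
    """Build the execute-api ARN shown in the Method Request block of the console."""
    return f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/{STAGE}/{verb}/{path}"


def invoke_policy(methods):
    """IAM policy document allowing execute-api:Invoke on exactly the given methods."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["execute-api:Invoke"],
            "Resource": [method_arn(verb, path) for verb, path in methods],
        }],
    }


def unauthenticated_role_policy():
    # Attach to the identity pool's Unauthenticated role: shared methods only.
    return invoke_policy(SHARED_METHODS)


def authenticated_role_policy():
    # Attach to the Authenticated role: shared plus signed-in-only methods.
    return invoke_policy(SHARED_METHODS + AUTH_ONLY_METHODS)


def policy_allows(policy, verb, path):
    """Does any Allow statement's Resource pattern match this method's ARN?
    Simplified: handles Allow with '*' wildcards only, no Deny or conditions."""
    arn = method_arn(verb, path)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "execute-api:Invoke" not in stmt["Action"]:
            continue
        if any(fnmatch.fnmatchcase(arn, pattern) for pattern in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(unauthenticated_role_policy(), indent=4))
```

Paste each policy's Statement into the matching role's inline policy (step 10 above); the Unauthenticated role's policy is the boundary for guest callers, so it should list only the shared methods.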
