
AWS SAM API with Cognito User Pools authorizer

How can I create an API with AWS SAM that does authorization using Cognito User Pools authorizer?

There's AWS::ApiGateway::Authorizer. But ...

{
  "Type" : "AWS::ApiGateway::Authorizer",
  "Properties" : {
    "AuthorizerCredentials" : String,
    "AuthorizerResultTtlInSeconds" : Integer,
    "AuthorizerUri" : String,
    "IdentitySource" : String,
    "IdentityValidationExpression" : String,
    "Name" : String,
    "ProviderARNs" : [ String, ... ],
    "RestApiId" : String,
    "Type" : String
  }
}

It looks like RestApiId refers to the API which uses this authorizer? But with AWS SAM, my APIs are defined like

Resources:
  Ec2Index:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ec2/index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      FunctionName: 'ApiEc2IndexHandler'
      Description: 'List EC2 resources'
      Timeout: 30
      Role: 'arn:aws:iam::598545985414:role/awsmanagement-lambda-management'
      Events:
        Ec2Index:
          Type: Api
          Properties:
            Path: /ec2
            Method: get

I don't get how I associate them together.

Jiew Meng, asked Aug 16 '17 15:08



2 Answers

You can now reference the implicitly created API Gateway with 'ServerlessRestApi'. So in your SAM template add this piece of regular CloudFormation and everything will work fine.

ApiCognitoAuthorizer:
  Type: AWS::ApiGateway::Authorizer
  Properties:
    # Token is read from the Authorization header of each request
    IdentitySource: 'method.request.header.Authorization'
    Name: ApiCognitoAuthorizer
    # Cognito user pool ARN: arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID
    ProviderARNs:
      - 'arn:aws:cognito-idp:{region}:{accountId}:userpool/{userPoolId}'
    # SAM's implicit REST API, created for Api events that set no RestApiId
    RestApiId: !Ref ServerlessRestApi
    Type: COGNITO_USER_POOLS
simones, answered Sep 22 '22 01:09


I'm not certain you can specify an authorizer in SAM but you can embed Swagger in SAM files which can do this. It's a new feature as of Feb. 17 [ref].

I'm definitely not an expert on Swagger or SAM but it seems like you would want something like:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Simple API Endpoint configured using Swagger specified inline and backed by a Lambda function
Resources:
  Ec2Index:
    Type: AWS::Serverless::Api
    Properties:
      StageName: <stage>
      DefinitionBody:
        swagger: '2.0'
        info:
          title:
            Ref: AWS::StackName
        securityDefinitions:
          # Declares the Cognito User Pools authorizer; methods opt in via 'security'
          cognitoUserPool:
            type: apiKey
            name: Authorization
            in: header
            x-amazon-apigateway-authtype: cognito_user_pools
            x-amazon-apigateway-authorizer:
              type: cognito_user_pools
              providerARNs:
                # Fn::Sub is needed for ${AWS::Region} and ${AWS::AccountId} to be substituted
                - Fn::Sub: arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/<user_pool_id>
        paths:
          "/ec2":
            get:
              # 'security' is a list; listing the definition above enables the authorizer on this method
              security:
                - cognitoUserPool: []
              x-amazon-apigateway-integration:
                httpMethod: POST
                type: aws_proxy
                uri:
                  Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Ec2IndexLamb.Arn}/invocations
              responses: {}
  Ec2IndexLamb:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ec2/index.handler
      Runtime: nodejs6.10
      CodeUri: ./src
      FunctionName: 'ApiEc2IndexHandler'
      Description: 'List EC2 resources'
      Timeout: 30
      Role: 'arn:aws:iam::598545985414:role/awsmanagement-lambda-management'
      Events:
        Ec2Index:
          Type: Api
          Properties:
            # Bind the event to the explicit API above; without RestApiId SAM would
            # create a second, unprotected implicit API for this route
            RestApiId: !Ref Ec2Index
            Path: /ec2
            Method: get

References:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html#apigateway-enable-cognito-user-pool

https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/inline_swagger/template.yaml


Edit: Fixed Swagger 2.0 syntax for the 'security' section, it should be a list.

John Jones, answered Sep 23 '22 01:09
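Added example, not part of either answer above: the same GET /ec2 route protected with SAM's own Auth property, which later SAM versions added for exactly this purpose. The caveat behind both answers is that an authorizer resource by itself only defines the authorizer; the method still runs with AuthorizationType NONE until something attaches the authorizer to it (the 'security' entry in the Swagger answer does that; the plain AWS::ApiGateway::Authorizer answer relies on the method being configured elsewhere). With Auth on AWS::Serverless::Api, SAM generates the authorizer and wires every method to it. Resource names (UserPool, UserPoolClient, MyApi, CognitoAuthorizer), the nodejs18.x runtime and the inline ec2:DescribeInstances policy are assumptions for this example; substitute an existing pool ARN in UserPoolArn if the pool is not in this stack.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: GET /ec2 behind a Cognito User Pools authorizer (added example, assumed names)

Resources:
  # Assumed: the user pool is created in the same stack. For an existing pool,
  # replace !GetAtt UserPool.Arn below with
  # arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: api-users

  # App client whose ID tokens the API will accept
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref UserPool
      GenerateSecret: false

  # Explicit API so Auth can be attached. DefaultAuthorizer means every method
  # requires a valid Cognito token unless an event sets Auth.Authorizer: NONE.
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt UserPool.Arn
            Identity:
              Header: Authorization   # the default; shown explicitly

  Ec2Index:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ec2/index.handler
      Runtime: nodejs18.x
      CodeUri: ./src
      Description: List EC2 resources
      Timeout: 30
      # Least privilege instead of a broad shared role; DescribeInstances has
      # no resource-level permissions, so '*' is required here.
      Policies:
        - Statement:
            - Effect: Allow
              Action: ec2:DescribeInstances
              Resource: '*'
      Events:
        Ec2Index:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi      # bind to MyApi, not the implicit ServerlessRestApi
            Path: /ec2
            Method: get
            Auth:
              Authorizer: CognitoAuthorizer   # redundant with DefaultAuthorizer, stated on purpose

Outputs:
  ApiUrl:
    Value: !Sub https://${MyApi}.execute-api.${AWS::Region}.amazonaws.com/prod/ec2
  ClientId:
    Value: !Ref UserPoolClient
```

After deploying, a request to the ApiUrl output with no Authorization header should return HTTP 401 with body {"message":"Unauthorized"}; a request carrying a current ID token from the UserPoolClient (Authorization: <id token>) should reach the function. If the unauthenticated request returns 200, the authorizer exists but is not attached to the method.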