
How to use multiple Cognito user pools for a single endpoint with AWS API Gateway?

I've recently implemented an API Gateway as a proxy with a single proxy endpoint.

I'm using Cognito as authorisation mechanism and as long as I have only one user pool everything is fine.

What I am trying to achieve is to be able to allow users from different user pools, but in the AWS Console I just seem to be able to select one Cognito mechanism which is only one user pool.

Is there a way to allow multiple user pools through another means? Is there an alternative best practice for this scenario? I really need users to be in separate user pools so their authentication attributes are not shared and their accounts not mutualised.

Thank you

Daniel asked Oct 18 '19 15:10


1 Answer

The console doesn't allow multiple Cognito user pools, but the CLI does. I'm not sure if all programmatic updates (like Terraform or CloudFormation) can do it, but the CLI worked for me. Try this: https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html

Your CLI command might look something similar to this:

    # one authorizer, several user pools: pass every pool ARN to --provider-arns
    aws apigateway create-authorizer \
      --rest-api-id xxxxxxx \
      --name 'cognito-auth-name' \
      --type COGNITO_USER_POOLS \
      --provider-arns arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool \
      --identity-source 'method.request.header.Authorization'
Abhay Nayak answered Sep 20 '22 09:09
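As an added example that is not from the original post or its author: the same call expressed as boto3 parameters (the programmatic route the answer is unsure about), followed by the check a backend behind such an authorizer should add. Once one authorizer accepts several pools, API Gateway verifies the token's signature, expiry and origin pool, but the handler has to read the `iss` claim to learn which pool issued it, because `sub` is unique only within a pool and the question explicitly wants accounts kept apart. The account id, region, pool ids, REST API id and the sample event are constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Cognito user pool ARN: arn:aws:cognito-idp:<region>:<account-id>:userpool/<pool-id>
_POOL_ARN = re.compile(
    r"^arn:aws:cognito-idp:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":userpool/(?P<pool_id>[A-Za-z0-9_-]+)$"
)

# Hypothetical pool ARNs (account id, region and pool ids are made up).
POOLS = [
    "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_AAAAAAAAA",
    "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_BBBBBBBBB",
]


def pool_id_from_arn(arn: str) -> str:
    """Extract the pool id, rejecting anything that is not a user pool ARN."""
    m = _POOL_ARN.match(arn)
    if not m:
        raise ValueError(f"not a Cognito user pool ARN: {arn}")
    return m["pool_id"]


def issuer_for_pool_arn(arn: str) -> str:
    """The `iss` claim Cognito puts in every token minted by this pool."""
    m = _POOL_ARN.match(arn)
    if not m:
        raise ValueError(f"not a Cognito user pool ARN: {arn}")
    return f"https://cognito-idp.{m['region']}.amazonaws.com/{m['pool_id']}"


def create_authorizer_params(rest_api_id: str, name: str, pool_arns: list[str]) -> dict:
    """kwargs for boto3 `client('apigateway').create_authorizer(**params)`,
    the programmatic form of the CLI call in the answer. providerARNs is a
    list, which is the whole trick: one authorizer, several pools."""
    if not pool_arns:
        raise ValueError("at least one user pool ARN is required")
    for arn in pool_arns:
        pool_id_from_arn(arn)  # fail on a malformed ARN before any API call
    return {
        "restApiId": rest_api_id,
        "name": name,
        "type": "COGNITO_USER_POOLS",
        "providerARNs": list(pool_arns),
        "identitySource": "method.request.header.Authorization",
    }


@dataclass(frozen=True)
class Caller:
    pool_id: str
    sub: str
    username: str

    @property
    def principal(self) -> str:
        # `sub` is unique within one pool only; qualify it with the pool id
        # so users of two pools can never collide in the backend.
        return f"{self.pool_id}:{self.sub}"


def resolve_caller(event: dict, allowed_pool_arns: list[str]) -> Caller:
    """Backend-side check for a Lambda proxy integration behind a
    COGNITO_USER_POOLS authorizer. API Gateway has already verified the
    token's signature and expiry and that it came from one of the
    configured pools; it does not tell the handler *which* pool. Read
    `iss`, map it back to a pool, and refuse anything outside the allowlist."""
    claims = (event.get("requestContext") or {}).get("authorizer", {}).get("claims")
    if not claims:
        raise PermissionError("request carries no Cognito claims")
    iss_to_pool = {issuer_for_pool_arn(a): pool_id_from_arn(a) for a in allowed_pool_arns}
    pool_id = iss_to_pool.get(claims.get("iss", ""))
    if pool_id is None:
        # A pool attached to the authorizer but missing here (or the reverse)
        # is configuration drift; reject rather than silently mix tenants.
        raise PermissionError(f"token issued by an unexpected pool: {claims.get('iss')}")
    # ID tokens carry `cognito:username`, access tokens carry `username`.
    username = claims.get("cognito:username") or claims.get("username") or ""
    return Caller(pool_id=pool_id, sub=claims["sub"], username=username)


# Constructed sample event, in the shape API Gateway (REST API, Lambda
# proxy integration) passes to the backend after the authorizer ran.
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/me",
    "requestContext": {
        "authorizer": {
            "claims": {
                "iss": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_BBBBBBBBB",
                "sub": "4f0b2b6e-0000-4000-8000-000000000001",
                "token_use": "id",
                "cognito:username": "alice",
                "aud": "1example23456789abcdefghijklmn",
            }
        }
    },
}

if __name__ == "__main__":
    print(create_authorizer_params("a1b2c3d4e5", "cognito-auth-name", POOLS))
    print(resolve_caller(SAMPLE_EVENT, POOLS).principal)
```

In the Lambda handler, call `resolve_caller(event, POOLS)` before touching any tenant data and key storage on `caller.principal`, not on `sub` alone. Source `POOLS` and the authorizer's `providerARNs` from the same configuration so the two lists cannot drift apart.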