How to pass Cognito user info to a Lambda function

0

Hello,

I am using a Cognito user pool authorizer in my REST API.

I am trying to pass the Cognito user information (e.g. username, user group) from the API Gateway to a Lambda function, i.e. passing it in the 'event' or 'context' of the request.

My goal is to query different databases (test/dev/etc.) according to which user group the caller belongs to.

What is a good way to proceed in this case?

I saw the 'invoke with caller credentials' checkbox in the API Gateway, but it cannot be checked with a Cognito UP authorizer. I also tried switching from a Cognito authorizer to IAM, but don't know what execution role to select.

Any help would be greatly appreciated.

asked 4 years ago, 3587 views
1 Answer
0

I found out: I had to check the "Lambda proxy integration" checkbox in the Integration request of the method.

Then the Lambda can fetch the user info from the event object of the lambda handler (e.g. in Python):

event['requestContext']['authorizer']['claims']['cognito:groups']

(or: 'cognito:username', etc.)

Then I could query different databases according to which group the user belongs to.

Additional info: it is also possible to assume the user role from within the Lambda function, to make sure to access only what the user is allowed to (by default only the Lambda function's role is assumed to execute actions); this is very well explained at https://www.youtube.com/watch?v=GDkkDUnICrs

answered 4 years ago
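An added example, not part of the answer above: a Python handler that reads the claims path shown in the answer and picks the database from a server-side allowlist, refusing the request when no group matches. The group names, database names and the helpers `parse_groups` and `select_database` are hypothetical. It assumes that several groups may arrive as a single string (`a,b` or `[a b]`) and that the claim is absent for a user who belongs to no group.

```python
import json

# Server-side allowlist, highest priority first (constructed names).
# The database is never taken from the request body or query string.
GROUP_TO_DATABASE = [
    ("prod-users", "prod_db"),
    ("dev-users", "dev_db"),
    ("test-users", "test_db"),
]


def parse_groups(raw):
    """Normalise the cognito:groups claim into a list of group names."""
    if raw is None:
        return []  # no claim: the user belongs to no group
    if isinstance(raw, (list, tuple)):
        return [str(g) for g in raw]
    # Assumption: several groups arrive as one string, "a,b" or "[a b]".
    cleaned = str(raw).strip().strip("[]")
    return [g for g in cleaned.replace(",", " ").split() if g]


def select_database(event):
    """Return (username, database); database is None when no group is allowed."""
    ctx = event.get("requestContext") or {}
    claims = (ctx.get("authorizer") or {}).get("claims") or {}
    username = claims.get("cognito:username")
    groups = set(parse_groups(claims.get("cognito:groups")))
    for group, database in GROUP_TO_DATABASE:
        if group in groups:
            return username, database
    return username, None


def lambda_handler(event, context):
    username, database = select_database(event)
    if database is None:
        # Fail closed: no default database for unknown or missing groups.
        return {"statusCode": 403, "body": json.dumps({"message": "forbidden"})}
    return {"statusCode": 200,
            "body": json.dumps({"user": username, "database": database})}


# Constructed sample of the proxy-integration event shape used in the answer.
SAMPLE_EVENT = {"requestContext": {"authorizer": {"claims": {
    "cognito:username": "alice", "cognito:groups": "dev-users,test-users"}}}}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```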
