How do I allow API Gateway REST API users to run Lambda using the execution role from an Amazon Cognito user pool group?

3 minute read

My Amazon API Gateway REST API with AWS Lambda proxy integration has Amazon Cognito user pool authentication. How do I allow users to run my Lambda function using the AWS Identity and Access Management (IAM) role for their user pool group?


Note: In addition to Amazon Cognito user pools, you can also configure an identity pool to authorize access to your API. For more information, see Role-based access control.

Before you set up users to run Lambda with their Amazon Cognito role, be sure that you've set up the following:

To allow users to run Lambda with their Amazon Cognito permissions, follow these steps:

1.    Use the API Gateway console to establish your Amazon Cognito user pool as an authorizer. Then, assign the Amazon Cognito user pool as the authorizer for the method of your API. For instructions, see Integrate a REST API with an Amazon Cognito user pool.

2.    Open the AWS Lambda console.

3.    Choose the Lambda function that was configured as a proxy resource for your API.

4.    Configure the Lambda function, and add the following code snippet. This code snippet gets the Amazon Cognito role from event details and then assumes the role.

Note: To run this code snippet, your Lambda IAM role must have permissions to access Amazon CloudWatch Logs. The role must also have the AssumeRole API call to run the assume_role command.

import boto3
client = boto3.client('sts')
def lambda_handler(event, context):
    response = client.assume_role(
    response2api = {"statusCode": 200,"headers": { },"body": "Success"}
    return response2api

A user can belong to more than one Amazon Cognito user pool group, and each group can have a different IAM role. If a user belongs to two or more groups, then the cognito:roles claim returns a list of roles. The cognito:preferred_role claim in the user's ID token inherits the IAM role of the group with the highest priority (lowest precedence value). For more information, see Role-based access control.

To get the cognito:preferred_role, use the following code snippet:

role = event['requestContext']['authorizer']['claims']['cognito:preferred_role']

To verify that users can run Lambda with their Amazon Cognito role, follow these steps:

1.    Open your client application, and then log in as a user in the Amazon Cognito user pool.

2.    Make a call to your API using the ID token you receive after you log in.
Note: Make sure that you use the id_token value from the returned tokens.

3.    Verify that you can access the same resources defined in the Amazon Cognito user pool role.

4.    Optionally, check CloudWatch Logs to verify that the assume_role command was successful.

Note: If you use an API Gateway Lambda authorizer to authorize access to your API, then use the user pool token that's validated by the authorizer. You must validate the token before you assume the token's role.

Related information

Control access to a REST API using Amazon Cognito user pools as authorizer

Build an API Gateway REST API with Lambda integration

AWS Lambda execution role

AWS OFFICIALUpdated a year ago