Implementing ABAC using Custom Cognito Attributes.

0

I'm trying to implement attribute-based authorization using API Gateway, DynamoDB and Cognito. For some reason the authorization works fine, but it doesn't work when I refer to the user's custom attribute in the mapping template of the integration request in API Gateway.

Any help would be really welcome... I'm quite new to AWS, and I'm stuck with this issue for over a week now...

What I tried:

Custom Cognito user attribute

Create a custom attribute in Cognito. (organisation_id)

Custom mapping:

Cognito -> Identity pools -> User access -> Identity providers: Attributes for access control: Custom mapping:

  • Tag key: organisation_id
  • Claim: custom:organisation_id

Role settings:

Use default authenticated role

Default authenticated role:

Trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "x"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

Permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem"
            ],
            "Resource": "arn:aws:dynamodb:eu-central-1:x:table/Organisations",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": "${aws:PrincipalTag/organisation_id}"
                }
            }
        }
    ]
}

API Gateway API:

  • Authorizer: Cognito
    • Resources: /organisation
      • POST:
        • Method request: All empty.
        • Integration request:
          • Type: AWS service Dynamo
          • HTTP method: Post
          • Action type: use action name
          • Action name: Query
          • Execution role: (see below)
          • Credential cache: Do not add caller credentials to cache key
          • Content Handling: Passthrough
          • Request body passthrough: When there are no templates defined
          • URL path parameters: Empty
          • URL query string: empty
          • URL request headers parameters: empty
          • Mapping Template:
          • Content type: application/json
          • Template body:
{
  "TableName": "Organisations",
  "KeyConditionExpression": "PK = :orgId",
  "ExpressionAttributeValues": {
    ":orgId": { "S": "${aws:PrincipalTag/organisation_id}"}
  }
}

When I make a call to the endpoint it doesn't work. Logs:

Execution failed due to configuration error: Unable to transform request

When I replace the template body with a fixed organisation_id it works as expected and returns the data (depending on the organisation_id of the user).

{
  "TableName": "Organisations",
  "KeyConditionExpression": "PK = :orgId",
  "ExpressionAttributeValues": {
    ":orgId": { "S": "yyy"}
  }
}

Logs: Endpoint request body after transformations: { "TableName": "Organisations", "KeyConditionExpression": "PK = :orgId", "ExpressionAttributeValues": { ":orgId": { "S": "yyy"} } }

Execution Role for API gateway:

Trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Permissions:

  • AmazonDynamoDBFullAccess
  • AmazonAPIGatewayPushToCloudWatchLogs

Could anyone tell me what I'm doing wrong?

1 answer
2
Accepted answer

Using IAM role tags or variables directly in DynamoDB query parameters, such as ${aws:PrincipalTag/organisation_id}, is not supported. Instead, you must programmatically retrieve relevant values (like an organization ID) and then use them in your query.

Not Supported:

{
  "TableName": "Organisations",
  "KeyConditionExpression": "PK = :orgId",
  "ExpressionAttributeValues": {
    ":orgId": { "S": "${aws:PrincipalTag/organisation_id}"}
  }
}
Expert, answered 3 months ago
Expert, reviewed a month ago
  • Thanks a lot Osvaldo!
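As an added example (my own, not the answer's code): one way to get the organisation ID into the request without an IAM policy variable is to read it from the ID token claims that a Cognito user pool authorizer exposes to the mapping template as $context.authorizer.claims. This assumes the POST method uses such an authorizer and that the app client gives users read-only access to custom:organisation_id, so a user cannot rewrite their own tenant. Note that this integration signs the DynamoDB call with the API Gateway execution role, so the dynamodb:LeadingKeys condition on the identity pool's authenticated role is never evaluated on this path; the template is the tenant boundary.

```vtl
## Added example mapping template (application/json), not from the original answer.
## Assumes a Cognito user pool authorizer on the method, so validated ID token
## claims are available here; the IAM variable ${aws:PrincipalTag/...} is not.
#set($orgId = $context.authorizer.claims['custom:organisation_id'])
#if(!$orgId)
  ## Fail closed: a token without the attribute must not be able to read any
  ## partition, so force a key that matches no tenant instead of an empty string.
  #set($orgId = "NO-ORGANISATION-CLAIM")
#end
{
  "TableName": "Organisations",
  "KeyConditionExpression": "PK = :orgId",
  "ExpressionAttributeValues": {
    ":orgId": { "S": "$util.escapeJavaScript($orgId)" }
  }
}
```

Because the value comes from the signed token rather than the request body, the caller cannot choose which organisation's partition to query.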
