API Gateway: AWS Service integration using IAM authorization


I'm using AWS Service integration to connect API Gateway to DynamoDB.

E.g. PUT orders/{id} -> AWS Service: DynamoDB, Action: UpdateItem (using a mapping template to transform the HTTP body to an UpdateItem request).

Works fine. Now I'd like to secure the table so that a user can only access their own records. I've created a Cognito Identity Pool to limit a user's access and I've configured the method to use AWS IAM for auth. But I don't see a way to tell the integration to use that as the Execution role. As far as I can see, you have to hard-code that.

Is there a way to use the IAM role as the execution role?


I'm aware that I can put a Lambda in the middle, getting it to make the DynamoDB call using the user's IAM credentials, but that's an extra hop and more code to look after. If anybody knows a way to go IAM -> Gateway -> Dynamo that would be much better.

1 Answer

Something worth trying - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_items.html

Amazon DynamoDB: Allows item-level access to DynamoDB based on an Amazon Cognito ID

AWS
answered a year ago
  • Interesting suggestion. Thanks! +1
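The item-level policy the linked page describes, written out here as an added example rather than the answer's or AWS's own text: it allows DynamoDB operations only on items whose partition key equals the caller's Cognito identity id, via the `dynamodb:LeadingKeys` condition key and the `${cognito-identity.amazonaws.com:sub}` policy variable. The table name `Orders`, region and account placeholders, and the action list are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnItemsOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/Orders",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```

The condition is evaluated against the principal DynamoDB actually sees, so it belongs on the identity pool's authenticated role and takes effect only when the request is signed with that role's credentials; on a fixed integration execution role the variable has no value to resolve to and the statement matches nothing. The table's partition key must be the Cognito identity id for the check to mean anything.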
