By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

API Gateway: AWS Service integration using IAM authorization

0

I'm using AWS Service integration to connect API Gateway to DynamoDB.

E.g. PUT orders/{id} -> AWS Service: DynamoDB, Action: UpdateItem (using a mapping template to transform the HTTP body to a UpdateItem request).

Works fine. Now I'd like to secure the table so that a user can only access their own records. I've created a Cognito Identity Pool to limit a user's access and I've configured the method to use AWS IAM for auth. But I don't see a way to tell the integration to use that as the Execution role. As far as I can see, you have to hard-code that.

Is there a way to use the IAM role as the execution role?

Workaround

I'm aware that I can put a Lambda in the middle, getting it to make the DynamoDB call using the user's IAM credentials, but that's an extra hop and more code to look after. If anybody know a way to go IAM -> Gateway -> Dynamo that would be much better.

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon API GatewayAmazon Cognito
Language
English
ANeeson
asked a year ago176 views
1 Answer
1

Something worth trying - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_items.html

Amazon DynamoDB: Allows item-level access to DynamoDB based on an Amazon Cognito ID

profile pictureAWS
EXPERT
Indranil Banerjee AWS
answered a year ago
  • ANeeson
    a year ago

    Interesting suggestion. thanks! +1

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content