By using AWS re:Post, you agree to the Terms of Use

AppSync Cognito Group and Secret Access


I have an API with three different access modes: IAM, Cognito Users, and Cognito applications (using a secret). I am able to configure everything fine, for example, here's a field:

type SomeMutation @aws_iam @aws_cognito_user_pools {
    update(input: MutationInput!): Boolean!
    @aws_cognito_user_pools(cognito_groups: ["EDITORS"])

However, I'd also like to allow a specific server side application client to access this API. This is a client that has a client_id and client_secret, and can get a token using those values. If I don't limit based on groups, the calls from this client work fine, but as soon as I create a group restriction, the app client is no longer authorized. Ideally, I'd like to be able to configure the authorization as follows (by including an authorized client_id):

type SomeMutation @aws_iam @aws_cognito_user_pools {
    update(input: MutationInput!): Boolean!
    @aws_cognito_user_pools(cognito_groups: ["EDITORS"], cognito_clients: ["abcdefg"])

But I don't see any indication that this kind of control is possible. Will I have to write some custom authentication?

1 Answers


For answering this query I would like to touch upon the usage of Cognito Userpool Groups firstly ->

  • In regards to Userpool Groups native functionality, you can use groups to control permissions to your resources using an IAM role.

  • When you create a group in Amazon Cognito, you specify an IAM role by providing the role’s ARN. When group members sign in using Amazon Cognito, they can receive temporary credentials from the identity pools.

  • Also note that individual users can be in multiple groups but you can assign precedence values to each group. The group with the better (lower) precedence will be chosen and its associated IAM role will be applied.

Please feel free to read more about the UserPool Groups on our AWS Doc here [1].

To summarize - The native functionality of Cognito Userpool groups is seen when integration Cognito Identity Pool with Userpool to determine which IAM role credentials are vended out.

Now in regards to using groups for API permission control, as you may know that a group is actually a part of ID token or access token. Hence, you can choose to decode the JWT token [2] and create a custom authorizer based on the fields you are interested in.

For example, here's an ID token with groups field ("cognito:groups") -

  "at_hash": "D-XXXXXXXXXXXXXXXXxOw",
  "cognito:groups": [
  "email_verified": true,
  "cognito:preferred_role": "arn:aws:iam::7XXXXXXXXXXXX:role/AdmXXXXXXXXple",
  "iss": "",
  "cognito:username": "test1",
  "cognito:roles": [
  "token_use": "id",
  "auth_time": 1654193387,

Now, as you might know you can submit an ID or access tokens with requests to Amazon API Gateway and use an Amazon Cognito user pool authorizer for a REST API.

I have mentioned about the flow in detail on another RePost Query as well which you can check here.

If you are looking to use an authorization in terms of fields such as clients etc, then you want to look at Lambda authorizers [3] formerly known as custom authorizer. Basically, a Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity.

Also please note if you are looking for any custom solution/code queries, then these are best answered by the Cognito developer team who you can reach out using Github directly.

We also have the dedicated AWS Solutions Architect team which addresses the architecture and design level queries for custom solutions. I would suggest you reach out directly to our Sales team as they can help you to get in touch with our Solutions Architect (SA) team.

You can request for a member of the sales (Business Development) team to contact you using any of the following methods:

> Via form:
> Via Live Chat:
> Phone support:   +1 (833) 662-9873 - 6:30am - 4:00pm (Pacific) Monday - Friday.

Finally, if you run into any issues while trying to implement the solution or run into any errors, please feel free to open a support case with premium support team so that you can share your AWS resources for troubleshooting. Please note that development/architectural queries go out of scope for the Premium Support team as we are only expertised in troubleshooting of break fixes and errors with the AWS service when customers run into errors during implementation phase. In cases of finding a viable solution for considering scalability, security and limitations, reaching out to the Solution Architects or Dev team can help in assessing the viability and building of the solution as per your requirements.





answered 3 months ago
  • That really doesn't answer the question in regards to AppSync. I understand how Cognito works, and yes, I can use my own authorization logic to validate it. My question was whether it was possible to validate both groups and application clients, but to the best of my understanding, that isn't possible.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions