RBAC for API Gateway endpoints using Cognito user groups

0

A customer would like to create user groups in Cognito (for example admin, customers etc.) with specific roles attached to each group. They would like to use these roles' policies to determine if a user has access to API Gateway endpoints like /admin or /home etc. The API Gateway uses a Cognito authorizer and they want to avoid writing a custom Lambda authorizer. The application uses a Cognito user pool and SAML. Currently the id_token contains the cognito:roles attribute in its claims, but the customer would like to understand how to use this attribute to allow/deny access to the API. From what I understand this is possible to do with IAM authorization - here, but I don't see this possible with Cognito user pools and groups. What is the correct way to allow or deny access to the API Gateway endpoint before it is even processed by the Lambda function for the API? Is there an alternate/better way to achieve this using a REST API?

3 Answers
2
Accepted Answer

Hi. You will not be able to implement RBAC using the default Cognito authorizer. To implement RBAC with API Gateway using a Cognito token you have two options:

  1. Use a Lambda authorizer that validates and decodes the token, then inspects the claims in the token to determine if the call should be allowed or denied. You can use the AWS-JWT library to implement this authorizer. The library supports verification of cognito:groups natively; here is an example.
  2. The other option is to use the ID token generated by the Cognito user pool to get temporary credentials from a Cognito identity pool using the role-based access control approach. This allows you to assume the role defined in the token and get temporary credentials based on the permissions this role has. Then you need to use the IAM authorizer on the API Gateway side and use the AWS SDK or Amplify to invoke the APIs using the temporary credentials returned from the Cognito identity pool.

I believe #1 is easier to implement since API Gateway supports lambda authorizer, #2 could be helpful if you need to implement RBAC to access services other than API Gateway. This recording could be helpful to expand on the options available with approach #2.

AWS
EXPERT
answered 2 years ago
AWS
EXPERT
Parnab
reviewed 2 years ago
  • How can I use this temporary credential in Amplify to call the API?

  • What is the feature of the COGNITO_USER_POOLS authorizer in API Gateway? I think there is confusion here.

1

There is info on this process in the blog post "Building fine-grained authorization using Amazon Cognito User Pools groups".

Your customer will need to create a Cognito identity pool, and configure the Cognito user pool as an authentication provider.

By default, Cognito identity pools have just an Authenticated and Unauthenticated role - but when setting up the user pool as the Cognito identity pool's authentication provider, you can specify "Choose role from token" under "Authenticated role selection". This will override the default authenticated role for the identity pool, and instead use the IAM role associated with the user's Cognito user pool group.

You can attach a policy to this role to control access to a particular API. Here are some examples of setting up this policy.

AWS
joep
answered 2 years ago
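As an added example of the policy the answer above refers to (constructed here, not taken from the blog post), this is an IAM permissions policy for the role mapped to a "customers" user pool group when the identity pool is set to "Choose role from token". It allows invoking GET /home on one API stage and nothing else, so a request to GET /admin signed with these temporary credentials is implicitly denied by IAM before API Gateway invokes the integration. The region, account id, API id and stage name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CustomersGroupMayCallHome",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/home"
      ]
    }
  ]
}
```

Two things to check when this is wired up: the role's trust policy must allow cognito-identity.amazonaws.com to assume it via sts:AssumeRoleWithWebIdentity, restricted to your identity pool id and to authenticated identities, and the API methods must use AWS_IAM authorization (not the Cognito user pools authorizer), since IAM only evaluates this policy when the caller signs the request with SigV4 using the temporary credentials from the identity pool.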
0

I believe this is the documentation you need.

This is a fairly advanced configuration of API Gateway that relies on the templating feature for Integration requests. These templates are written in Apache VTL and are, in my experience, difficult to troubleshoot. That being said, once it works, it works quite well.

AWS
Dan_F
answered 2 years ago
