Hi, you will not be able to implement RBAC using the default Cognito authorizer. To implement RBAC with API Gateway using a Cognito token you have two options:
- Using a Lambda authorizer that validates and decodes the token, then inspects the claims in the token to determine whether the call should be allowed or denied. You can use the AWS-JWT library to implement this authorizer. The library supports verification of cognito:groups natively; here is an example.
- The other option is to use the ID token generated by the Cognito user pool to get temporary credentials from a Cognito identity pool using the role-based access control approach. This allows you to assume the role defined in the token and get temporary credentials based on the permissions this role has. Then you need to use the IAM authorizer on the API Gateway side and use the AWS SDK or Amplify to invoke APIs using the temporary credentials returned from the Cognito identity pool.
I believe #1 is easier to implement since API Gateway supports Lambda authorizers; #2 could be helpful if you need to implement RBAC for access to services other than API Gateway. This recording could be helpful to expand on the options available with approach #2.
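As an added, runnable sketch of option #1 (this is example code written for this page, not the answer's linked example and not the aws-jwt-verify library), the block below is a TOKEN-type Lambda authorizer that checks the standard Cognito access-token claims (exp, iss, token_use, client_id), reads cognito:groups, maps the route in methodArn to the groups allowed to call it, and returns the Allow/Deny policy API Gateway expects. The issuer, client id, route table and secret are constructed placeholders. Cognito signs tokens with RS256 against the user pool's JWKS; to keep the example self-contained it signs and verifies a demo token with HS256 instead, which is the one part you would replace with a JWKS-backed verifier in production.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; a real authorizer reads these from environment variables.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
DEMO_SECRET = b"demo-only-hs256-secret"  # stands in for the pool's RS256 JWKS

# Route -> Cognito groups allowed to call it. Unlisted routes are denied.
ROUTE_GROUPS = {
    "GET /orders": {"admins", "users"},
    "POST /orders": {"admins", "users"},
    "DELETE /orders": {"admins"},
}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_token(claims, secret=DEMO_SECRET):
    """Constructed HS256 token so the example runs offline (Cognito uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Return the verified claims or raise ValueError.

    The signature step is HMAC for the demo; the claim checks that follow are
    the ones a Cognito authorizer must perform whatever the signing algorithm.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "access":
        raise ValueError("not an access token")
    if claims.get("client_id") != CLIENT_ID:
        raise ValueError("wrong app client")
    return claims


def _route_from_method_arn(method_arn):
    # arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    resource = method_arn.split(":", 5)[5]
    _api_id, _stage, method, path = resource.split("/", 3)
    return f"{method} /{path}"


def _build_policy(principal_id, effect, method_arn, context):
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context,  # surfaced to the integration as $context.authorizer.*
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer."""
    raw = event.get("authorizationToken", "")
    token = raw[7:] if raw.startswith("Bearer ") else raw
    method_arn = event["methodArn"]
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    groups = set(claims.get("cognito:groups", []))  # claim absent => no groups => Deny
    route = _route_from_method_arn(method_arn)
    effect = "Allow" if groups & ROUTE_GROUPS.get(route, set()) else "Deny"
    return _build_policy(claims["sub"], effect, method_arn,
                         {"groups": ",".join(sorted(groups)), "route": route})
```

Two details worth keeping when you swap in a real verifier: a token that fails verification is answered with the "Unauthorized" exception (401), while a valid token for a route the user's groups may not call gets an explicit Deny policy (403), and a token with no cognito:groups claim at all is treated as having no groups rather than as an error.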
There is info on this process in the blog post "Building fine-grained authorization using Amazon Cognito User Pools groups".
Your customer will need to create a Cognito identity pool, and configure the Cognito user pool as an authentication provider.
By default, Cognito identity pools have just an Authenticated and an Unauthenticated role, but when setting up the user pool as the Cognito identity pool's authentication provider, you can specify "Choose role from token" under "Authenticated role selection". This will override the default authenticated role for the identity pool and instead use the IAM role associated with the user's Cognito user pool group.
You can attach a policy to this role to control access to particular APIs; here are some examples of setting up this policy.
I believe this is the documentation you need.
This is a fairly advanced configuration of API Gateway that relies on the templating feature for Integration requests. These templates are written in Apache VTL and are, in my experience, difficult to troubleshoot. That being said, once it works, it works quite well.
How can I use this temporary credential in Amplify to call the API?
What is the feature of the COGNITO_USER_POOLS authorizer in API Gateway? I think there is confusion here.