Hi, you will not be able to implement RBAC using the default Cognito authorizer. To implement RBAC with API Gateway using a Cognito token you have two options:
- Use a Lambda authorizer that validates and decodes the token, then inspects the claims in the token to determine whether the call should be allowed or denied. You can use the AWS-JWT library to implement this authorizer. The library supports verification of cognito:groups natively; here is an example.
- The other option is to use the ID token generated by the Cognito user pool to get temporary credentials from a Cognito identity pool using the role-based access control approach. This allows you to assume the role defined in the token and get temporary credentials based on the permissions this role has. Then you need to use the IAM authorizer on the API Gateway side and use the AWS SDK or Amplify to invoke the APIs using the temporary credentials returned from the Cognito identity pool.
I believe #1 is easier to implement since API Gateway supports lambda authorizer, #2 could be helpful if you need to implement RBAC to access services other than API Gateway. This recording could be helpful to expand on the options available with approach #2.
There is info on this process in the blog post "Building fine-grained authorization using Amazon Cognito User Pools groups".
Your customer will need to create a Cognito identity pool, and configure the Cognito user pool as an authentication provider.
By default, Cognito identity pools have just an Authenticated and Unauthenticated role - but when setting up the user pool as the Cognito identity pool's authentication provider, you can specify "Choose role from token" under "Authenticated role selection". This will override the default authenticated role for the identity pool, and instead use the IAM role associated with the user's Cognito user pool group.
You can attach a policy to this role to control access to a particular API. Here are some examples of setting up this policy.
I believe this is the documentation you need.
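The permissions policy for a group role under the "Choose role from token" setup, as an added example that is not part of the answer above. The account ID, API ID, stage and route are assumed values; the point is that the role attached to a "readers" user pool group is granted `execute-api:Invoke` only on the specific method ARNs that group should reach, so the IAM authorizer on API Gateway denies everything else for that user.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadersGroupMayOnlyCallGetItems",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items",
        "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items/*"
      ]
    }
  ]
}
```

The role's trust policy matters as much as this permissions policy: it should trust only `cognito-identity.amazonaws.com`, with a `StringEquals` condition on `cognito-identity.amazonaws.com:aud` set to the identity pool ID and a `ForAnyValue:StringLike` condition on `cognito-identity.amazonaws.com:amr` set to `authenticated`, so that the role cannot be assumed through a different identity pool or by unauthenticated identities. Also make sure the identity pool's default authenticated role is not broader than the per-group roles, since a user with no group assignment falls back to it.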
This is a fairly advanced configuration of API Gateway that relies on the templating feature for Integration requests. These templates are written in Apache VTL and are, in my experience, difficult to troubleshoot. That being said, once it works, it works quite well.