What is the pure javascript or curl solution to get a cognito identity pool token using a user pool token?

I am currently prototyping, and I have a working pure javascript solution to login from a website and obtain a cognito user pool token. My goal is to get an identity pool token to access a REST API running on lambda. My assumption is that setting API gateway to authorize the user should free me from having to do any authorization in the lambda source.

The article, integrating a user pool with an identity pool describes how to do this, but the SDK source I looked at does not include the functions in use. Based on my fruitless search of the web and stackoverflow, I thought it would be nice to have this question answered. I will continue to search for an answer and will post here unless someone beats me to it.

EDIT 1:

Looking at this article, Control Access to a REST API using Amazon cognito, it says:

obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set to the request’s Authorization header.

My assumption would be adding in curl:
-H "authorization: Bearer <BASE64 TOKEN>", but no luck. I am wondering if I am completely off, or there is just misconfiguration.

EDIT 2:

Addressing comments here so that comments don’t get too long.

Goals:

  • I want the pure JS or command line solution to get a baseline when I begin creating my codebase, especially for quick testing.
  • I want authorization out of my lambda code.
  • The end result should be a simple website using JS/HTML that I can login to using cognito, and then access lambda endpoints directly as a logged in user.

API Gateway deployed with the lambda can authorize incoming requests. There are multiple ways it can be configured. I was looking at doing either:

  • Setup AWS_IAM authentication on the lambda endpoints. API Gateway should invoke the lambda with a user role assigned in the identity pool. I believe in this case I need to get an identity pool token using my cognito user pool token. It looks like I need to POST to GetId to do this.
  • It looks like there is a different way to directly specify a user pool for authentication. In serverless this looks like:
    events:
      - http:
          path: hello
          method: get
          authorizer:
            name: authorizer
            arn: arn:aws:cognito-idp:us-east-2:12345:userpool/us-east-2_UvCsU4UcR

I have never seen this, and I am unsure how it would work under the hood.

The identity pool route seems like it has been around longer and seems straightforward enough assuming I get the correct token and send it in the correct header, but any information on the second configuration would be welcome.

  • Can you clarify what API gateway has got to do with this? And then subsequently, what does curl or JS have to do with APIGW? What is your expected input, expected output, and what you’ve tried? What’s the overall problem here?


  • The overall goal is authorization staying in my IaC (terraform and serverless framework) and not polluting my source code

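The identity pool exchange the question describes (a POST to GetId, followed by GetCredentialsForIdentity), as an added example that is not part of the original post or its comments. It uses plain `fetch` against the unsigned Cognito Identity JSON API; the `cfg` fields (region, user pool ID, identity pool ID) are placeholders you supply, and the JWT is only decoded for a sanity check, not signature-verified.

```javascript
const TARGET_PREFIX = "AWSCognitoIdentityService."; // service name used in X-Amz-Target

// Decode (NOT verify) a JWT payload so it can be sanity-checked before it is sent.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
}

// The Logins map key is the user pool issuer without the https:// scheme.
function providerName(region, userPoolId) {
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// Build one unsigned Cognito Identity request (GetId or GetCredentialsForIdentity).
function buildRequest(region, action, body) {
  return {
    url: `https://cognito-identity.${region}.amazonaws.com/`,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": TARGET_PREFIX + action,
      },
      body: JSON.stringify(body),
    },
  };
}

// Exchange a user pool ID token for temporary AWS credentials.
// cfg = { region, userPoolId, identityPoolId } (placeholders supplied by the caller).
async function getAwsCredentials(cfg, idToken, fetchImpl = fetch) {
  const provider = providerName(cfg.region, cfg.userPoolId);
  const claims = decodeJwtPayload(idToken);
  // Identity pools expect the ID token; reject access tokens and foreign issuers early.
  if (claims.token_use !== "id") throw new Error("expected an ID token");
  if (claims.iss !== `https://${provider}`) throw new Error("issuer mismatch");
  const Logins = { [provider]: idToken };
  const call = async (action, body) => {
    const { url, options } = buildRequest(cfg.region, action, body);
    const res = await fetchImpl(url, options);
    if (!res.ok) throw new Error(`${action} failed: HTTP ${res.status}`);
    return res.json();
  };
  const { IdentityId } = await call("GetId", { IdentityPoolId: cfg.identityPoolId, Logins });
  const out = await call("GetCredentialsForIdentity", { IdentityId, Logins });
  return out.Credentials; // { AccessKeyId, SecretKey, SessionToken, Expiration }
}
```

For API Gateway methods set to AWS_IAM, the returned credentials are used to SigV4-sign each request; there is no single token to place in an `Authorization: Bearer` header on that route.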