Secure AWS API Gateway Using Cognito
Instead of using IAM roles and policies to secure your API, you can do so using user pools in Amazon Cognito.
Please create the appropriate Amazon Cognito User Pools prior to beginning this tutorial.
Integrate the Cognito User Pool with the API Gateway API
Go to the Amazon API Gateway Console. Using the left-hand navigation bar, select the SecurePets API.
Then, select Authorizers for the SecurePets API.
On the Authorizers column near the center of the screen, choose Create and indicate that you are creating a Cognito User Pool Authorizer.
To configure your authorizer:
Choose the Cognito region in which you created your User Pool.
Customize the Authorizer name field, if desired (it is automatically populated with the name of the chosen User Pool, so you can leave it as is).
Customize the Identity token source field. By default, this field is set to method.request.header.Authorization, which sets the name of the incoming request header containing the API caller's identity token to Authorization.
If desired, add a regular expression to the App client ID regex field to validate client IDs associated with the User Pool.
When you've finished configuring your authorizer, click Create to integrate the User Pool with your API.
Enable the User Pool Authorizer on Methods
For each method that you want the User Pool to act as an authorizer for, you must enable the User Pool authorizer on that particular method.
To enable the User Pool authorizer on the GET method:
After selecting the SecurePets API, select the GET method listed under /pets. Click on Method Request.
Under Authorization Settings, click on the edit icon next to the Authorization field.
Choose the appropriate Cognito User Pool authorizer from the list. Click the checkmark icon to save your selection.
Repeat this process for any additional methods for which you want the Cognito User Pool to act as an authorizer (GET and PURCHASE for /pets, as well as POST for /purchase).
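The checks the authorizer performs once it is attached to a method are easy to misread from the console alone: the token is read from the header named by the Identity token source, its issuer must be the configured User Pool, the App client ID regex is matched against the token's audience, and an expired token is rejected before the request reaches the integration. The following Python script, added here as an illustration and not code from AWS or from this tutorial, replays those decisions offline against constructed ID tokens. The region, User Pool ID, App client ID pattern and signing key are all made up for the example; Cognito signs tokens with RS256 and API Gateway verifies them against the pool's published JWKS, whereas this script uses an HMAC stand-in so it can run without network access.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed values for this example (not a real pool or client).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# Plays the role of the authorizer's "App client ID regex" field.
APP_CLIENT_ID_REGEX = r"^example-client-[0-9a-f]{6}$"
# Stand-in for the pool's RSA key: the real authorizer checks an RS256
# signature against the User Pool's JWKS; HMAC keeps this runnable offline.
DEMO_SIGNING_KEY = b"demo-only-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Build a constructed JWT for testing (HS256 stand-in for RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize(headers: dict, now=None, key: bytes = DEMO_SIGNING_KEY):
    """Mimic the Cognito User Pool authorizer's decision for one request.

    Returns (allowed, reason). Every denial corresponds to the 401 that
    API Gateway returns before the integration is invoked.
    """
    now = time.time() if now is None else now
    # Identity token source: method.request.header.Authorization
    # (this example treats the header value as the raw JWT).
    token = headers.get("Authorization")
    if not token:
        return False, "missing Authorization header"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        jwt_header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "malformed token"
    if jwt_header.get("alg") != "HS256":
        return False, "unexpected signing algorithm"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Token must come from the User Pool chosen when the authorizer was created.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer is not the configured User Pool"
    # With no OAuth scopes on the method, the authorizer expects an ID token.
    if claims.get("token_use") != "id":
        return False, "not an ID token"
    # App client ID regex is applied to the ID token's audience.
    if not re.fullmatch(APP_CLIENT_ID_REGEX, str(claims.get("aud", ""))):
        return False, "aud does not match App client ID regex"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, f"allow sub={claims.get('sub')}"


def demo():
    """Run the decision against a valid token and four rejected variants."""
    now = 1_700_000_000  # fixed clock so the example is deterministic
    good = {"iss": EXPECTED_ISSUER, "aud": "example-client-0a1b2c",
            "token_use": "id", "sub": "user-1", "exp": now + 3600}
    cases = {
        "valid": {"Authorization": make_token(good)},
        "no header": {},
        "other app client": {"Authorization": make_token(dict(good, aud="other-app-client"))},
        "expired": {"Authorization": make_token(dict(good, exp=now - 1))},
        "wrong key": {"Authorization": make_token(good, key=b"not-the-pool-key")},
    }
    return {name: authorize(hdrs, now=now) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Run the script directly to see each case allowed or denied with its reason; the "other app client" case is the one that the App client ID regex field exists to catch, and "no header" is what a client sees when it calls a protected method without attaching the ID token.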