AWS API Gateway - get Cognito user groups to custom authorizer

3
votes

I am using a Cognito user pool with user groups and I have an AWS API Gateway with a custom authorizer. The authorizer can generate a valid IAM policy and things go well so far. I would like to generate more specific IAM policies based on user groups but I cannot get the user groups information in the authorizer. My integration request mappings are:

"groups" : "$context.authorizer.claims['cognito:groups']"

but in the authorizer I get

"type": "TOKEN", 
"authorizationToken": "...", 
"methodArn": "arn:aws:execute-api:eu-west-1:...:.../test/GET/bills"

How can I get the user groups attribute in the authorizer?

1
amazon-web-servicesaws-api-gatewayamazon-cognito

1 Answers

3
votes

The puzzle solved: the mappings were OK, but they are actually a "bridge" between the API Gateway and the lambda, so they delivered the information to the "target" lambda function and not to the authorizer, which is a sort of "interceptor" in this case.

The way to get the user groups in the authorizer is to call

CognitoIdentityServiceProvider.adminListGroupsForUser()

which works fine for this purpose.