AWS Cognito and AWS Api Gateway authorizations of users application

2
votes

I am using AWS Cognito for authentication related to my application. Because I am also using AWS Api Gateway to consume Lambdas in my application, I need to set security levels on the Gateway.

In my application there will be many users, and in turn, there will be different roles (such as admin, marketing, management, etc). It should be noted that these users are application users, but not AWS IAM users.

I created several groups of AWS Cognito users, and in turn, I have several users in those groups. For example, users of the admin group can enter any exposed api. The marketing ones can only list a few things, but they cannot access the APIs to create, for example.

I would like to know how I can do to make Api Gateway allow or deny access to certain application users, but based on the AWS Cognito user pool.

PS: I have dealt with IAM roles in these groups, I have dealt with federated identities, but I don't know if I'm on the right path.

3
amazon-web-servicesaws-api-gatewayamazon-cognito

3 Answers

1
votes

Step1: Create OAuth scope for your user pool in AWS Cognito. Cognito->User Pool->App Integration->Resource server. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html

Step2: In AWS API Gateway use Authorisation as your AWS Cognito user pool and use the OAuth Scopes to set the resource servers that the user pool has access to. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

For example your admin group will probably will have access to all the resource servers but your marketing group may have restricted access. So, if someone from your marketing group makes request to the API gateway and if he does not have access to a particular resource server they will get a 403 response. Hope this helps.

0
votes

Use Cognito User Pools, and groups, in combination with Cognito Identity Pools to provide fine grained, role based access control.

This AWS blog post gives a detailed tutorial on how to set up fine grained role based access control using Cognito User Pools and Cognito Identity pools. It uses DynamoDB and S3 as examples, but you can apply the same principals to control access to almost any AWS service.

0
votes

Below I show how I have parameterized everything in cognito:

  1. I have a group of users in cognito.
  2. I have a user assigned to that group in code.

  3. The role of the group is as follows, which denies all access to api gateway:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": "*"
        }
    ]
}

  4. I created an Identity Pool in cognito, which receives Amazon Cógnito, and I selected "choose a role from a token" and then "Deny".

However, when I log in from postman and get the id of the token, and then access with said data pointing from postman to an Api Gateway URL, all the data of that endpoint is returned, which is not correct, since I denied it the access.