AWS API gateway for K8s using Cognito with JWT

1
votes

I have AWS K8s cluster(EKS) and I want to use AWS API gateway to protect endpoints and separate authorization logic from microservices. I need to have 2 authentication schemas:

  1. Send login/password and get JWT
  2. OAuth2

There is an integration between API gateway and K8s cluster via ALB Ingress Controller. It looks fine. Then I need to authenticate somehow. AWS provides Cognito as a service to manage users and the possibility to have your own identity provider. I know that we can integrate API gateway authorizer with Cognito, but I can't understand the following things:

  1. How to integrate Cognito with already existed LDAP for example? (SAML?)
  2. Can I use my own already created OAuth2 authentication endpoint?
  3. How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
1
amazon-web-servicesaws-api-gatewayamazon-cognito

1 Answers

0
votes

1 How to integrate Cognito with already existed LDAP for example? (SAML?)

Make use of Cognito Userpools with SAML IDP. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

2 Can I use my own already created OAuth2 authentication endpoint?

Yes, use Developer Authenticated Identities for Cognito Identity Pools. Users that authenticate from the existing user database will be authorized by identity pools through assuming the authenticated IAM role of the identity pool, in that role set the access level to AWS resources. https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html

3 How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?

Best way to achieve this seeing that API Gateway is being used is to implement a Lambda authorizer in API gateway that uses Cognito Userpools. You will then be able to get the JWT token in that Lambda authorizer, the claims in the authorizer will also be available in the integration request vtl and accessible using $context . i.e. $context.authorizer.claims.sub https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html