I have a Single Page Application in Angular, an API Gateway with Lambda for the backend services and Cognito User Pool for Authentication and Authorization.
Access to certain API endpoints depends on the user's role. You can attach an IAM role to the group with (execute-api invoke for the API Gateway resources) policies.
However, using Cognito as Authorizer for the API Gateway only checks if the user is authenticated (by passing the ID Token in the Authorization header; this token is returned from the Cognito user pool after a successful login) before it can call the API. The group the user is in won't be used to check its group and the IAM permission it has.
Is there a good way to authorize my web users to call certain API endpoints based on their role, instead of creating a Lambda (custom) Authorizer?
I don't want to use AWS Signature V4 for an API Gateway with an IAM Authorizer. I also don't want to create a Lambda Authorizer that validates the ID Token, checks the role attached to it and returns a policy based on that role.
Can't I just use the roles I have configured for the Cognito groups, in combination with the Cognito Authorizer, to have access to the API endpoints based on the attached role/policy for that group?
Or is there another user-friendly way?
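Since the Cognito authorizer described above only proves that the caller is authenticated, group-based authorization has to be enforced elsewhere; as an added example (not code from the question's author), this backend Lambda makes that decision from the claims the authorizer forwards. It assumes a REST API proxy integration that exposes the validated ID token claims at `event.requestContext.authorizer.claims`, a constructed route-to-group map, and that the `cognito:groups` claim may arrive either as a list or as a bracketed string.

```python
import json

# Constructed route -> allowed Cognito groups map (assumption for illustration).
ROUTE_GROUPS = {
    ("GET", "/reports"): {"analysts", "admins"},
    ("DELETE", "/users/{id}"): {"admins"},
}


def parse_groups(raw):
    """Normalise the cognito:groups claim into a set of group names.
    The authorizer may forward it as a list or as a string such as
    "[admins analysts]"; the exact serialisation is an assumption here,
    so both shapes are accepted."""
    if raw is None:
        return set()
    if isinstance(raw, (list, tuple)):
        return {str(g) for g in raw}
    text = str(raw).strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return {g for g in text.replace(",", " ").split() if g}


def is_allowed(method, resource, claims):
    """Allow only when the caller is in at least one group mapped to the route."""
    allowed = ROUTE_GROUPS.get((method, resource))
    if allowed is None:
        return False  # fail closed: routes without an explicit rule are denied
    return bool(parse_groups(claims.get("cognito:groups")) & allowed)


def handler(event, context=None):
    """Lambda proxy handler: 401 if no authorizer claims, 403 if wrong group."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims")
    if not claims:  # the Cognito authorizer did not run or passed nothing
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    if not is_allowed(event.get("httpMethod"), event.get("resource"), claims):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"user": claims.get("sub")})}


# Constructed sample event in the shape API Gateway sends a proxy integration:
# an authenticated analyst attempting an admin-only route.
SAMPLE_EVENT = {
    "httpMethod": "DELETE",
    "resource": "/users/{id}",
    "requestContext": {"authorizer": {"claims": {
        "sub": "user-123", "cognito:groups": "[analysts]"}}},
}
```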