Authenticate AWS API Gateway Application with Cognito

Following is my use case -

I am developing an Android application. I am trying to use AWS API Gateway and a Lambda function on the back end, but even before login I want to secure HTTP requests and authenticate my application. For this I am planning to use Cognito with API Gateway, so first my call will go to Cognito, which will authenticate the app (not the user), and then my call will go to any Lambda function. I want to include all of this in the API Gateway SDK.

Ques 1 - Is it possible to do it like this? (Please refer to some documentation or code.)

Ques 2 - Is this recommended, or is there a better way to do this?

+1

2 answers


Yes, it is possible, and I think this is the correct way to do it. You can use the Android SDK to make a Cognito call and authenticate; in Cognito you can set up a temporary IAM identity to which a specific role is assigned, and this role should only have permission to call the API Gateway. Your client can then use these temporary IAM credentials to make calls to API Gateway using the generated Android SDK (you can create it from the API Gateway console after deploying your API). You must configure the API endpoints in API Gateway to be IAM protected, and make sure you create OPTIONS methods on your resources if you need CORS domain support.



+1

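The answer above leaves the client with temporary IAM credentials (access key, secret key and a session token) and an IAM-protected API Gateway method. What the generated SDK does with those credentials is sign every request with AWS Signature Version 4. The following block is an added example, not code from the original post or from the AWS SDK; it shows that signing step in plain Python using only the standard library, so you can see which headers an IAM-protected method expects. The host, path, region and credential values are constructed placeholders. Note that temporary credentials from Cognito Identity must also send the session token in the `x-amz-security-token` header, and that header must be part of the signed set, or API Gateway rejects the call.

```python
# Added example: AWS Signature Version 4 for an IAM-protected API Gateway call.
# Standard library only. All credential and endpoint values below are constructed.
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _uri_encode(value: str) -> str:
    # SigV4 requires RFC 3986 encoding with only unreserved characters left alone.
    return quote(value, safe="-_.~")


def sigv4_headers(method, host, path, region, access_key, secret_key,
                  session_token, body=b"", query_params=None, amz_date=None,
                  service="execute-api"):
    """Return the headers to attach to the request, including Authorization."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()

    # Headers that take part in the signature. The session token is mandatory
    # for temporary credentials such as those issued through Cognito Identity.
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))

    # Canonical URI: each path segment encoded, segments joined with "/".
    canonical_uri = "/".join(_uri_encode(seg) for seg in path.split("/")) or "/"
    # Canonical query string: key=value pairs sorted by key, both encoded.
    params = sorted((query_params or {}).items())
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in params)

    canonical_request = "\n".join([
        method.upper(), canonical_uri, canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Derive the signing key from the secret key, date, region and service.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": session_token,
        "Authorization": authorization,
    }


# Constructed placeholder values; a real client gets these from Cognito Identity.
EXAMPLE = dict(
    method="GET",
    host="abc123.execute-api.us-east-1.amazonaws.com",  # placeholder API host
    path="/prod/items",
    region="us-east-1",
    access_key="ASIAEXAMPLEKEY",          # placeholder temporary access key
    secret_key="exampleSecretKeyNotReal",  # placeholder temporary secret key
    session_token="exampleSessionTokenNotReal",  # placeholder session token
    amz_date="20240101T000000Z",
)

if __name__ == "__main__":
    for name, value in sigv4_headers(**EXAMPLE).items():
        print(f"{name}: {value}")
```

The signed headers are what a server-side reviewer should look for when a call to an IAM-protected method fails with 403: a missing `x-amz-security-token`, a clock skew on `x-amz-date`, or a path that was encoded differently on the client than API Gateway sees it all produce the same "signature does not match" response.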

I know it might be too late, but for people who have this problem: you can secure your API endpoints depending on your scenario.

If you don't have a user directory (login / registration system), you can use the Cognito User Pool to secure your APIs. Steps:

  • In the AWS Cognito console, create a Cognito User Pool.
  • In the API Gateway console, create a Cognito user pool authorizer.
  • In your JS code, authenticate the user with the Cognito user pool, which will return the user token to you; then you can use the token in the Authorization header when making the Ajax call to the API.

Here's a step-by-step guide to the process. I would suggest starting with the chapter on Creating a Cognito User Pool.



http://serverless-stack.com/chapters/create-a-cognito-user-pool.html

The second scenario is if you already have a custom directory with either Facebook / Twitter or any other social login. You will need to create a Cognito identity pool. You may find this answer helpful.

To use a federated identity, you set the API Gateway method authorization to "AWS_IAM". You use Cognito to create a role and associate it with a Cognito identity pool. Then you use Identity and Access Management (IAM) to grant this role permission to call the API Gateway method.

+3

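In the first scenario above, the token the client puts in the Authorization header is a Cognito ID token, a JWT the Cognito authorizer in API Gateway validates before the request reaches Lambda. The block below is an added example, not code from the answer or from AWS, showing the claim checks that validation performs so you can apply the same ones in a Lambda or any other back end that receives the token directly. It uses only the Python standard library; the region, user pool ID and app client ID are constructed placeholders, and the test token is built inline with a placeholder signature. The check assumes the RS256 signature has already been verified against the user pool's JWKS (that step needs a network fetch and is not shown); claim checks without a signature check prove nothing.

```python
# Added example: validate the claims of a Cognito user pool ID token.
# Assumes the RS256 signature was already verified against the pool's JWKS.
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str):
    """Split a compact JWS into its decoded header and claims (signature untouched)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_cognito_id_token(token, region, user_pool_id, app_client_id, now=None):
    """Return (ok, reason) for the claims a Cognito ID token must carry."""
    now = time.time() if now is None else now
    try:
        header, claims = parse_jwt(token)
    except ValueError:  # covers base64 and JSON decoding errors too
        return False, "malformed token"
    # Cognito signs with RS256 and names the key by kid; reject anything else
    # so that a token signed with another algorithm never reaches the claim checks.
    if header.get("alg") != "RS256" or not header.get("kid"):
        return False, "unexpected alg or missing kid"
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    # ID tokens carry token_use "id" and aud = app client ID; access tokens
    # carry token_use "access" and client_id instead, so the two are not interchangeable.
    if claims.get("token_use") != "id":
        return False, "not an ID token"
    if claims.get("aud") != app_client_id:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    return True, "ok"


def make_test_token(header: dict, claims: dict) -> str:
    # Constructed token for demonstration only: the signature segment is a
    # placeholder and would never pass a real JWKS verification.
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed placeholder identifiers; real values come from your Cognito console.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "exampleappclientid"
NOW = 1_700_000_000

GOOD_CLAIMS = {
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "aud": APP_CLIENT_ID,
    "token_use": "id",
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "exp": NOW + 3600,
}
GOOD_TOKEN = make_test_token({"alg": "RS256", "kid": "example-kid"}, GOOD_CLAIMS)

if __name__ == "__main__":
    print(check_cognito_id_token(GOOD_TOKEN, REGION, USER_POOL_ID, APP_CLIENT_ID, now=NOW))
```

The audience check is the one most often skipped: a valid ID token issued by the same user pool for a different app client passes issuer and expiry checks but should still be rejected by the back end that expects its own client ID.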