Subham Tripathi

Reputation: 2733

Authenticate app to AWS API Gateway with Cognito

Following is my use case -

I am developing an Android app. I am trying to use AWS API Gateway with a Lambda function behind it. But even before I log in, I want to secure the HTTP calls and authenticate my application. For that I am planning to use Cognito with API Gateway, so first my call will go to Cognito, which will authenticate the application (not the user), and then my call will go to a Lambda function. I want to include all of this in the SDK of API Gateway.

Ques 1 - Is it even possible to do it this way? (Please refer me to some documentation or code.)

Ques 2 - Is it recommended, or is there a better way to do it?

Upvotes: 1

Views: 4240

Answers (2)

Frank

Reputation: 710

I know this might be too late. But for people who have this issue, there are two ways you can secure your API endpoints, depending on your scenario.

If you don't currently have a user directory (login/signup system), you can use a Cognito User Pool to secure your APIs. The steps are:

  1. in AWS Cognito console, create a Cognito User Pool
  2. in API Gateway console, create a Cognito User Pool Authorizer
  3. in your JS code, authenticate the user with the Cognito User Pool, which will return you a user token; then you can use the token in the Authorization header when making Ajax calls to the API.

Here's a step-by-step tutorial on the process. I'd recommend starting with the "Create a Cognito user pool" chapter.

http://serverless-stack.com/chapters/create-a-cognito-user-pool.html

The second scenario being if you already have a user directory either with Facebook/Twitter or any other social login. You will need to create a Cognito Identity Pool. You might find this answer useful.

To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.

Upvotes: 4

Marcel Panse

Reputation: 642

Yes, this is possible and I think it is the correct way to do it. You can use the Android SDK to make the call to Cognito and authenticate; in Cognito you can configure it to give the temporary IAM account that is returned a specific role, and this role should only have rights to call the API Gateway. Then your client can use these temporary IAM credentials to make calls to the API Gateway using the generated Android SDK (you can generate it from the API Gateway console after deploying your API). You have to configure your API endpoints in API Gateway to be secured by IAM, and make sure to create OPTIONS methods on your resources if you need cross-domain CORS support.

Upvotes: 1
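The role restriction Marcel describes (temporary credentials that can only invoke the API), written out as an added CloudFormation example; this is not code from either answer. The identity pool ID, region, account ID, API ID and stage are placeholders in angle brackets, and the API's methods are assumed to use the AWS_IAM authorization type.

```yaml
# Added example: the IAM role Cognito Identity hands to unauthenticated app
# identities. Values in <ANGLE_BRACKETS> are assumptions to fill in.
Resources:
  UnauthApiCallerRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only Cognito Identity may assume the role, and only for
      # identities that come from THIS identity pool in the unauthenticated
      # state, so a token from some other pool cannot pick up the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: <IDENTITY_POOL_ID>
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      Policies:
        - PolicyName: InvokeOnlyThisApiStage
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Permission policy: the temporary credentials can do exactly one
              # thing, invoke methods of one deployed stage of one API. Nothing
              # else in the account (S3, DynamoDB, other APIs) is reachable.
              - Effect: Allow
                Action: execute-api:Invoke
                Resource: arn:aws:execute-api:<REGION>:<ACCOUNT_ID>:<API_ID>/<STAGE>/*/*
```

Narrow the trailing `*/*` to specific `METHOD/path` segments if only a few routes should be callable before login; the same role ARN is what you select as the identity pool's unauthenticated role.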
