Reputation: 626
I have the Cognito identity flow working for developer authenticated identities and get back the AccessKeyId, SecretAccessKey and SessionToken (although I think this one is not needed). I then use these credentials to authenticate my API Gateway request but I keep getting 403 Forbidden. (The underlying role for the credentials that I am generating has full access.)
I see there is a way to have a custom authorizer lambda to do this, but I am wondering if there is another way to do this. The reason I'm wondering this is if I use my own personal access and secret key for my post request to the api-gateway, it works!!
Upvotes: 0
Views: 918
Reputation: 7344
You won't be able to use a custom authorizer to authenticate an AWS signature. Custom authorizers are for non-AWS auth solutions.
Also, you need to use the SessionToken when signing the request, maybe that's the problem. Your personal credentials work because they are long-term, but Cognito vends short-term session credentials.
How to use the session token -> http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS
The generated SDKs from API Gateway have a signer built-in if you're building a mobile app in iOS, Android, or JavaScript -> http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-generate-sdk.html
If you have AWS_IAM authorization enabled on a method and you're making signed requests to that method using the Cognito credentials, you should get a descriptive error message with a 403 response if there is a problem with the signature.
Upvotes: 2