gaishimo

Reputation: 11

IAM policy for API Gateway invocation based on Cognito Identity ID

I want to allow Cognito authenticated users to invoke an API Gateway endpoint but restrict them to their own resources, like '/users/<IdentityID>/*'.

I have prepared an IAM role like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:ap-northeast-1:*:MyAPIID/*/*/users/${cognito-identity.amazonaws.com:sub}*"
            ]
        }
    ]
}

But with this setting, I get a 403 error when I try to invoke it.

If I replace ${cognito-identity.amazonaws.com:sub} with the actual Identity ID (like ap-northeast-1%3Ad8515ae9-62b5-4cba-af5c-195f5d7e1d07), it works.

We cannot use ${cognito-identity.amazonaws.com:sub} in an API Gateway resource ARN, can we?

Upvotes: 1

Views: 222

Answers (1)

Jeff Bailey

Reputation: 5775

That is correct. Currently, it's only a shortcut for S3 and DynamoDB.

Upvotes: 1
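Since the policy variable is not substituted in the execute-api resource ARN, the per-user scoping from the question has to be enforced somewhere else. The following is an added example, not code from either poster, showing that check inside a Lambda proxy integration: it compares the Cognito identity ID that API Gateway attaches to the request context after IAM auth with the identity ID in the request path. The event below is a constructed sample with a made-up identity ID; the path parameter name `identityId` and the `handler`/`is_owner` names are assumptions.

```python
import json
from urllib.parse import unquote

# Constructed sample of a REST API Lambda proxy event (identity ID is made up).
# Note the path segment is percent-encoded ("%3A" for ":"), as in the question.
SAMPLE_EVENT = {
    "path": "/users/ap-northeast-1%3Ad8515ae9-62b5-4cba-af5c-195f5d7e1d07/notes/1",
    "pathParameters": {
        "identityId": "ap-northeast-1%3Ad8515ae9-62b5-4cba-af5c-195f5d7e1d07"
    },
    "requestContext": {
        "identity": {
            "cognitoIdentityId": "ap-northeast-1:d8515ae9-62b5-4cba-af5c-195f5d7e1d07"
        }
    },
}


def caller_identity_id(event):
    """Identity ID set by API Gateway from the SigV4 credentials of the caller.

    This comes from requestContext, not from anything the client controls in the path.
    Returns None for unauthenticated callers."""
    ctx = event.get("requestContext") or {}
    return (ctx.get("identity") or {}).get("cognitoIdentityId")


def requested_identity_id(event):
    """Identity ID from the path, URL-decoded so '%3A' compares equal to ':'."""
    raw = (event.get("pathParameters") or {}).get("identityId")
    return unquote(raw) if raw else None


def is_owner(event):
    """True only when an authenticated caller addresses their own /users/<id>/ subtree."""
    caller = caller_identity_id(event)
    return bool(caller) and caller == requested_identity_id(event)


def handler(event, context=None):
    # Deny before touching any backend resource if the path belongs to someone else.
    if not is_owner(event):
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"identityId": caller_identity_id(event)})}
```

The IAM policy still gates who may call execute-api:Invoke at all; this check is what ties each call to the caller's own identity ID.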
