RastoStric

Reputation: 312

AWS API Gateway - get Cognito user groups to custom authorizer

I am using a Cognito user pool with user groups and I have an AWS API Gateway with a custom authorizer. The authorizer can generate a valid IAM policy and things go well so far. I would like to generate more specific IAM policies based on user groups but I cannot get the user groups information in the authorizer. My integration request mappings are:

"groups" : "$context.authorizer.claims['cognito:groups']"

but in the authorizer I get

{
    "type": "TOKEN",
    "authorizationToken": "...",
    "methodArn": "arn:aws:execute-api:eu-west-1:...:.../test/GET/bills"
}

How can I get the user groups attribute in the authorizer?

Upvotes: 3

Views: 1896

Answers (1)

RastoStric

Reputation: 312

The puzzle is solved: the mappings were OK, but they are actually a "bridge" between the API Gateway and the lambda, so they delivered the information to the "target" lambda function and not to the authorizer, which is a sort of "interceptor" in this case.

The way to get the user groups in the authorizer is to call

CognitoIdentityServiceProvider.adminListGroupsForUser()

which works fine for this purpose.

Upvotes: 3
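The approach in the answer, written out as an added example; this is not the poster's code. It is a TOKEN-type Lambda authorizer that verifies the bearer token, asks Cognito for the caller's current groups with `adminListGroupsForUser`, and builds the IAM policy from a group-to-route table. The `GROUP_RULES` table, the `USER_POOL_ID` and `CLIENT_ID` environment variables, and the use of the `aws-jwt-verify` package for token verification are assumptions, not something the question states. The lookup and the verifier are injectable through `deps` so the policy logic runs offline.

```javascript
"use strict";
// Added example, not code from the original question or answer.
// TOKEN-type Lambda authorizer: resolve the caller's Cognito groups with
// adminListGroupsForUser and turn them into an execute-api:Invoke policy.
// Assumptions (not from the page): GROUP_RULES, USER_POOL_ID / CLIENT_ID env
// vars, and aws-jwt-verify as the token verifier.

// Hypothetical mapping of Cognito group -> routes it may call. "path" is
// matched against the part of methodArn after "<stage>/<METHOD>/".
const GROUP_RULES = {
  admins: [{ method: "*", path: "*" }],
  billing: [{ method: "GET", path: "bills" }, { method: "GET", path: "bills/*" }],
};

// methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
function parseMethodArn(methodArn) {
  const [, stage, method, ...pathParts] = methodArn.split("/");
  return { stage, method, path: pathParts.join("/") };
}

function pathMatches(pattern, path) {
  if (pattern === "*") return true;
  if (pattern.endsWith("/*")) return path.startsWith(pattern.slice(0, -1)); // "bills/*" -> "bills/"
  return pattern === path;
}

// Does any of the caller's groups allow this METHOD + path?
function groupsAllow(groups, method, path) {
  return groups.some((group) =>
    (GROUP_RULES[group] || []).some(
      (rule) => (rule.method === "*" || rule.method === method) && pathMatches(rule.path, path)
    )
  );
}

// Response shape API Gateway expects from a custom authorizer. Each key in
// `context` is exposed to integration mappings as $context.authorizer.<key>.
function buildPolicy(principalId, effect, resource, context) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: resource }],
    },
    context,
  };
}

// Real lookup: needs aws-sdk v2 and cognito-idp:AdminListGroupsForUser on the pool.
async function listGroupsWithSdk(userPoolId, username) {
  const AWS = require("aws-sdk");
  const idp = new AWS.CognitoIdentityServiceProvider();
  const res = await idp
    .adminListGroupsForUser({ UserPoolId: userPoolId, Username: username })
    .promise();
  return res.Groups.map((g) => g.GroupName);
}

// Real verifier (assumed library): checks signature, issuer, expiry, token use.
// Never feed adminListGroupsForUser a username taken from an unverified token.
async function verifyWithAwsJwtVerify(token) {
  const { CognitoJwtVerifier } = require("aws-jwt-verify");
  const verifier = CognitoJwtVerifier.create({
    userPoolId: process.env.USER_POOL_ID,
    tokenUse: "id",
    clientId: process.env.CLIENT_ID,
  });
  return verifier.verify(token);
}

// deps lets the verifier and the group lookup be swapped (e.g. in tests).
async function authorize(event, deps) {
  const { userPoolId, verifyToken = verifyWithAwsJwtVerify, listGroups = listGroupsWithSdk } = deps;
  if (event.type !== "TOKEN" || !event.authorizationToken) throw new Error("Unauthorized");
  const token = event.authorizationToken.replace(/^Bearer\s+/i, "");
  const claims = await verifyToken(token); // throws on a bad token
  // ID tokens carry cognito:username, access tokens carry username.
  const username = claims["cognito:username"] || claims.username;
  if (!username) throw new Error("Unauthorized");
  const groups = await listGroups(userPoolId, username);
  const { method, path } = parseMethodArn(event.methodArn);
  const effect = groupsAllow(groups, method, path) ? "Allow" : "Deny";
  return buildPolicy(claims.sub, effect, event.methodArn, { groups: groups.join(",") });
}

const handler = (event) => authorize(event, { userPoolId: process.env.USER_POOL_ID });

module.exports = { parseMethodArn, groupsAllow, buildPolicy, authorize, handler };
```

With this authorizer in place, the integration request mapping becomes `"groups" : "$context.authorizer.groups"`, since the value now comes from the authorizer's returned context rather than from Cognito claims. Two caveats worth knowing: API Gateway caches the returned policy per token, so a policy whose Resource is the single methodArn will produce 403s on other routes for the same token until the cache expires (either enumerate every allowed route in the Statement or set the cache TTL to 0); and the `cognito:groups` claim is already inside the verified ID token, which avoids the extra API call but reflects group membership at the time the token was issued, whereas `adminListGroupsForUser` returns the current membership.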
