shakogele

Reputation: 399

How to get AWS AccessToken from Cognito, using Dev Authenticated Identities

I am using a Cognito Identity Pool with Developer Authenticated Identities Authflow Setup - this auth flow was chosen because we are not able to use Cognito User Pools for some business reasons. Hence I implemented a User Identity Provider Service myself using API Gateway with an auth endpoint, which fires a Lambda function.

So I generated a temporary AccessKey and SecretKey by running cognitoidentity.getOpenIdTokenForDeveloperIdentity and afterwards cognitoidentity.getCredentialsForIdentity and got temporary AWS Credentials (temporary AccessKey and SecretKey).

Now I want to generate an AccessToken in order to authenticate my requests on AWS API Gateway on which I am using IAM authorization (so it needs an AccessToken to authorize requests).

My question is - how do I generate an AccessToken?

[Image: AuthenticationResult contents]

Upvotes: 1

Views: 451

Answers (1)

MyStackRunnethOver

Reputation: 5275

I don't think you need to generate an AccessToken. Take a look at the API Gateway IAM Auth docs:

Note: To manually authenticate requests that are sent to API Gateway using another tool or environment, you must use the Signature Version 4 signing process. For more information, see Signing Requests in the API Gateway REST API Reference.

Following the link above, you'll see:

Amazon API Gateway requires that you authenticate every request you send by signing the request. To sign a request, you calculate a digital signature [...]

Take a look also at this question, which is about doing the signing above: Integrating an ID Pool with API Gateway

I haven't done this myself, but I'd be very surprised if you had to do the above manually from the front-end. There should be a client you can use to handle signing for you, just like Postman does in the example in the AWS doc above. I.e. you give the client IAM credentials, and the client makes API requests when you ask it to, handling the signing auto-magically using the IAM credentials you provided. For example, AWS Amplify seems to be able to do this for you.

Upvotes: 1
