Reputation: 286
I have an API Gateway REST API resource defined with this template:
AWSTemplateFormatVersion: '2010-09-09'
Description: "Api gateway"
Resources:
  ApiGateway:
    Type: "AWS::ApiGateway::RestApi"
    Properties:
      BodyS3Location: "./openapi-spec.yaml"
And the contents of openapi-spec.yaml (based on this example) are:
openapi: "3.0.2"
info:
  title: SampleApi
paths:
  /test:
    get:
      summary: Test
      responses:
        "200":
          description: Ok
      security:
        - UserPool: [ ]
      x-amazon-apigateway-integration:
        # ....
components:
  securitySchemes:
    UserPool:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: cognito_user_pools
      x-amazon-apigateway-authorizer:
        type: cognito_user_pools
        providerARNs:
          ### THIS VALUE ###
          - "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_abcd12345"
I'd like to be able to deploy this template in multiple environments/accounts, and having this hardcoded providerARN is limiting that. So my questions are:
How can values for the providerARNs field be passed in dynamically?
If that can't be done, then are there any workarounds so that I don't have to hardcode the providerARNs here?
Note: Already tried to use stage variables and they don't seem to work here.
Upvotes: 0
Views: 1058
Reputation: 1
Answering this question even though it's late, because I struggled myself a lot to find an answer for this problem. I was able to do this by using the Stage Variables feature of API Gateway. Your Authorizer declaration in the OpenAPI spec file would look like this.
Your API Gateway declaration will have to declare this stage variable like this in template.yaml
I'm declaring this as a parameter in the template.yaml file:
Now don't get confused if you see this in your API Gateway -> Authorizer:
This is exactly what it should look like. This will actually use the stage variable which is here in your Stages -> {stage_name} -> Stage Variables:
Upvotes: 0
Reputation: 465
If you don't have an existing Cognito user pool then you would have to define one using AWS::Cognito::UserPool in CloudFormation, then you can simply reference the ARN of this user pool using !GetAtt.
But if you have an existing Cognito user pool then you can also import it to a stack using CloudFormation following these steps.
Here's an example:
template.yaml
Resources:
  ApiGateway:
    Type: "AWS::ApiGateway::RestApi"
    Properties:
      BodyS3Location: "./openapi-spec.yaml"
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # ....
openapi-spec.yaml
openapi: "3.0.2"
# ....
components:
  securitySchemes:
    UserPool:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: cognito_user_pools
      x-amazon-apigateway-authorizer:
        type: cognito_user_pools
        providerARNs:
          - !GetAtt CognitoUserPool.Arn
Upvotes: 1
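One practical caveat when combining the two answers above: CloudFormation does not evaluate intrinsic functions inside a file referenced through BodyS3Location. The file is uploaded and handed to API Gateway byte-for-byte, so a `!GetAtt` placed in the spec arrives at the authorizer as the literal string. To have the reference resolved, pull the spec into the template with the AWS::Include transform instead. The following is an added, complete example of that pattern (my own code, not from the question or either answer). It assumes a parameter named ExistingUserPoolArn and a condition named CreateUserPool, both chosen for this example; with an empty parameter the stack creates its own pool, otherwise it wires the authorizer to the pool you pass in. Whatever ends up in providerARNs is the token issuer the API trusts, so it is worth driving it from a reviewed stack parameter rather than a per-environment hand edit. Both files are shown in one fence, separated by a YAML document marker.

```yaml
# --- template.yaml ---
# Deploy with: aws cloudformation package ... then aws cloudformation deploy
# `package` uploads ./openapi-spec.yaml and rewrites the Location below to an S3 URI.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Api gateway with a per-environment Cognito authorizer"

Parameters:
  ExistingUserPoolArn:            # assumed name, chosen for this example
    Type: String
    Default: ""
    Description: ARN of an existing Cognito user pool; leave empty to create one in this stack.

Conditions:
  CreateUserPool: !Equals [!Ref ExistingUserPoolArn, ""]   # assumed name

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Condition: CreateUserPool
    Properties:
      UserPoolName: !Sub "${AWS::StackName}-users"

  ApiGateway:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Sub "${AWS::StackName}-api"
      # Body + AWS::Include: the snippet is merged into the template before
      # evaluation, so Fn::GetAtt / Ref / Fn::If inside it are resolved.
      Body:
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location: ./openapi-spec.yaml

Outputs:
  UserPoolArn:
    Description: The pool the API's authorizer trusts in this environment.
    Value: !If [CreateUserPool, !GetAtt CognitoUserPool.Arn, !Ref ExistingUserPoolArn]

---
# --- openapi-spec.yaml ---
openapi: "3.0.2"
info:
  title: SampleApi
  version: "1.0"
paths:
  /test:
    get:
      summary: Test
      security:
        - UserPool: []
      responses:
        "200":
          description: Ok
      # Mock integration so the example deploys without a backend.
      x-amazon-apigateway-integration:
        type: mock
        requestTemplates:
          application/json: '{"statusCode": 200}'
        responses:
          default:
            statusCode: "200"
components:
  securitySchemes:
    UserPool:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: cognito_user_pools
      x-amazon-apigateway-authorizer:
        type: cognito_user_pools
        providerARNs:
          # Long-form functions only: AWS::Include does not accept the
          # !GetAtt / !If shorthand inside an included snippet.
          - Fn::If:
              - CreateUserPool
              - Fn::GetAtt: [CognitoUserPool, Arn]
              - Ref: ExistingUserPoolArn
```

Because the spec is now part of the template at evaluation time, CloudFormation also infers the dependency on CognitoUserPool from the Fn::GetAtt, so no explicit DependsOn is needed. Deploying the same pair of files into a second account with `--parameter-overrides ExistingUserPoolArn=arn:aws:cognito-idp:...` binds that environment's API to its own pool without touching the spec.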