NorahKSakal

Reputation: 894

How to Use Cognito Identity Pool with Unauthenticated Users in Amplify v6 for API Gateway Access

I've been struggling to figure out how to allow unauthenticated users to invoke my SAM backend after migrating from Amplify v5 to v6.

In Amplify v5, this configuration worked for unauthenticated users using temporary credentials provided by Cognito:

import { Amplify, API } from 'aws-amplify';
Amplify.configure({
  Auth: {
    mandatorySignIn: false,
    identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    region: 'XX-XXXX-X',
  },
  API: {
    endpoints: [
      {
        name: 'MyAPIGatewayAPI',
        endpoint: 'https://1234567890-abcdefgh.amazonaws.com/XXX'
      },
    ]
  }
});

However, when migrating to Amplify v6, the migration guides only seem to cover authenticated users and don't mention the mandatorySignIn key or any equivalent for handling unauthenticated users.

For example, here’s what the configuration looks like for authenticated users in v6:

// Authentication (Amazon Cognito)
Amplify.configure({
  Auth: {
    Cognito: {
      userPoolClientId: 'abcdefghij1234567890',
      userPoolId: 'us-east-1_abcd1234',
      loginWith: { 
        oauth: {
          domain: 'abcdefghij1234567890-29051e27.auth.us-east-1.amazoncognito.com',
          scopes: ['openid','email','phone','profile','aws.cognito.signin.user.admin'],
          redirectSignIn: ['http://localhost:3000/','https://example.com/'],
          redirectSignOut: ['http://localhost:3000/','https://example.com/'],
          responseType: 'code',
        },
        username: true,
        email: false,
        phone: false,
      }
    }
  }
});

And these changes for REST APIs:

// API Rest (Amazon API Gateway)
Amplify.configure({
  API: {
    REST: {
      YourAPIName: {
        endpoint: 'https://abcdefghij1234567890.execute-api.us-east-1.amazonaws.com/stageName',
        region: 'us-east-1'
      }
    }
  }
});

But when trying to apply similar configurations for unauthenticated users in v6, the API Gateway rejects the requests, indicating that the requests aren't being signed with temporary credentials from the Cognito identity pool:

Amplify.configure({
  Auth: {
    Cognito: {
      identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    }
  },
  API: {
    REST: {
      MyAPIGatewayAPI: {
        endpoint: 'https://1234567890-abcdefgh.amazonaws.com/XXX',
        region: 'XX-XXXX-X'
      }
    }
  }
});

When I downgrade back to v5 and use the original configuration, it works fine, so I know the Cognito identity pool role and permissions are set up correctly. But as soon as I upgrade to v6, the API Gateway denies my endpoint invokes.

Is there a new way to handle unauthenticated user access in Amplify v6 similar to mandatorySignIn?

Upvotes: 1

Views: 131

Answers (1)

NorahKSakal

Reputation: 894

After some digging, I found that in Amplify v6, the mandatorySignIn option has been replaced by allowGuestAccess for Cognito identity pools when dealing with unauthenticated users.

Here’s how you can adjust your configuration to work with Amplify v6:

import { Amplify } from 'aws-amplify';

Amplify.configure({
  Auth: {
    Cognito: {
      identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
      // v6 equivalent of v5 "mandatorySignIn: false": hand out the identity
      // pool's unauthenticated-role credentials to guests so REST calls get signed
      allowGuestAccess: true,
    }
  },
  API: {
    REST: {
      MyAPIGatewayAPI: {
        endpoint: 'https://1234567890-abcdefgh.amazonaws.com/XXX',
        region: 'XX-XXXX-X'
      }
    }
  }
});

This change ensures that unauthenticated users receive the necessary temporary credentials from the Cognito identity pool, allowing them to invoke your API Gateway endpoints without issues.

Upvotes: 1
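As an added example (not code from the question or the answer), the following helper carries the v5-to-v6 mapping above over a whole config object and checks the result: it rewrites `Auth.identityPoolId` plus `mandatorySignIn` into `Auth.Cognito` with `allowGuestAccess`, turns the v5 `API.endpoints` array into the keyed v6 `API.REST` object, and only reports guest requests as signable when an identity pool is present and guest access is explicitly enabled. The function names and the "emit guest access only when v5 explicitly set `mandatorySignIn: false`" default are this example's own assumptions.

```javascript
// Added example: migrate an Amplify v5 Auth/API config to the v6 shape and
// verify that unauthenticated (guest) REST calls will be signed.
// Assumed mapping: v5 mandatorySignIn:false  ->  v6 allowGuestAccess:true.

function migrateConfigV5toV6(v5) {
  const auth = v5.Auth ?? {};
  if (!auth.identityPoolId) {
    throw new Error('v5 Auth.identityPoolId is required for guest credentials');
  }
  const cognito = { identityPoolId: auth.identityPoolId };
  // Only an explicit v5 "mandatorySignIn: false" opts guests in; anything else
  // stays guest-disabled so a migration never widens access by accident.
  cognito.allowGuestAccess = auth.mandatorySignIn === false;

  // v5 API.endpoints was an array; v6 API.REST is an object keyed by API name.
  const rest = {};
  for (const ep of v5.API?.endpoints ?? []) {
    rest[ep.name] = { endpoint: ep.endpoint, region: ep.region ?? auth.region };
  }
  return { Auth: { Cognito: cognito }, API: { REST: rest } };
}

// True only when a v6 config can sign requests for unauthenticated users:
// an identity pool is configured AND guest access is explicitly enabled.
function guestRequestsWillBeSigned(v6) {
  const c = v6?.Auth?.Cognito;
  return Boolean(c && c.identityPoolId && c.allowGuestAccess === true);
}

// Constructed sample input mirroring the v5 config from the question.
const sampleV5 = {
  Auth: {
    mandatorySignIn: false,
    identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    region: 'XX-XXXX-X',
  },
  API: {
    endpoints: [
      { name: 'MyAPIGatewayAPI', endpoint: 'https://1234567890-abcdefgh.amazonaws.com/XXX' },
    ],
  },
};

const sampleV6 = migrateConfigV5toV6(sampleV5);
console.log(JSON.stringify(sampleV6, null, 2));
console.log('guest calls signed:', guestRequestsWillBeSigned(sampleV6)); // true
```

The `guestRequestsWillBeSigned` check is the one to run against a migrated config before blaming the identity pool role: a config like the failing v6 snippet in the question (identity pool, no `allowGuestAccess`) returns false.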
