问题
I've recently implemented an API Gateway as a proxy with a single proxy endpoint.
I'm using Cognito as authorisation mechanism and as long as I have only one user pool everything is fine.
What I am trying to achieve is to be able to allow users from different user pools, but in the AWS Console I just seem to be able to select one Cognito mechanism which is only one user pool.
Is there a way to allow multiple user pool through another mean ? Is there an alternative best practice for this scenario ? I really need users to be in separate user pools so their authentication attributes are not shared and their accounts not mutualised.
Thank you
回答1:
As of today, the only viable solution to this problem seems to use a Lambda function to authorize users, retrieving their user pool ID in the token information and then comparing to it to a list of allowed user pools in order to give them access or not.
回答2:
The console doesn't allow creating multiple cognito pool users but the CLI does, I'm not sure if all programmatic updates (like terraform or cloudformation) can do it, but CLI worked for me. Try this: https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html
Your CLI command might look something similar to this:
aws apigateway create-authorizer
--rest-api-id xxxxxxx
--name 'cognito-auth-name'
--type COGNITO_USER_POOLS
--provider-arns arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool
--identity-source 'method.request.header.Authorization'
回答3:
There are multiple ways of "Controlling and Managing Access to a REST API in API Gateway" and User Pool as Authorizer is one of them. In your case, I would go with IAM Permissions by attaching a policy to an IAM user representing the API caller, to an IAM group containing the user, or to an IAM role assumed by the user.
As a reference, I'm suggesting IAM Permissions instead of Lambda authorizers as I don't see a need to "control access to REST API methods using bearer token authentication as well as information described by headers, paths, query strings, stage variables, or context variables request parameters" in your request.
回答4:
I found Abhay Nayak answer useful, it helped me to achieve my scenario:
- Allowing authorization for a single endpoint, using JWTs provided by different Cognitos, from different aws accounts. Using cognito user pool authorizer, not custom lambda authorizer.
Here is the authorizer and endpoint from my serverless .yml template:
functions:
service:
handler: service.service
events:
- http:
path: service
method: get
authorizer:
type: COGNITO_USER_POOLS
authorizerId:
Ref: ApiGatewayAuthorizer
resources:
Resources:
ApiGatewayAuthorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
AuthorizerResultTtlInSeconds: 300
Name: API_AUTH_cognito_authorizer
IdentitySource: method.request.header.Authorization
RestApiId:
Ref: ApiGatewayRestApi
Type: COGNITO_USER_POOLS
ProviderARNs:
- arn:aws:cognito-idp:us-east-1:account1:userpool/userpool1
- arn:aws:cognito-idp:us-east-1:account1:userpool/userpool2
- arn:aws:cognito-idp:us-east-1:account2:userpool/userpool3
- arn:aws:cognito-idp:us-east-1:account2:userpool/userpool4
来源:https://stackoverflow.com/questions/58453901/how-to-use-multiple-cognito-user-pools-for-a-single-endpoint-with-aws-api-gatewa