'How to use multiple Cognito user pools for a single endpoint with AWS API Gateway?

I've recently implemented an API Gateway as a proxy with a single proxy endpoint.

I'm using Cognito as authorisation mechanism and as long as I have only one user pool everything is fine.

What I am trying to achieve is to be able to allow users from different user pools, but in the AWS Console I just seem to be able to select one Cognito mechanism which is only one user pool.

Is there a way to allow multiple user pool through another mean ? Is there an alternative best practice for this scenario ? I really need users to be in separate user pools so their authentication attributes are not shared and their accounts not mutualised.

Thank you



Solution 1:[1]

As of today, the only viable solution to this problem seems to use a Lambda function to authorize users, retrieving their user pool ID in the token information and then comparing to it to a list of allowed user pools in order to give them access or not.

Solution 2:[2]

The console doesn't allow creating multiple cognito pool users but the CLI does, I'm not sure if all programmatic updates (like terraform or cloudformation) can do it, but CLI worked for me. Try this: https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html

Your CLI command might look something similar to this:

    aws apigateway create-authorizer 
    --rest-api-id xxxxxxx 
    --name 'cognito-auth-name' 
    --type COGNITO_USER_POOLS 
    --provider-arns arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool
    --identity-source 'method.request.header.Authorization'

Solution 3:[3]

I found Abhay Nayak answer useful, it helped me to achieve my scenario:

  • Allowing authorization for a single endpoint, using JWTs provided by different Cognitos, from different aws accounts. Using cognito user pool authorizer, not custom lambda authorizer.

Here is the authorizer and endpoint from my serverless .yml template:

functions:
  service:
    handler: service.service
    events:
      - http:
          path: service
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: ApiGatewayAuthorizer


resources:
  Resources:
    ApiGatewayAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        AuthorizerResultTtlInSeconds: 300
        Name: API_AUTH_cognito_authorizer
        IdentitySource: method.request.header.Authorization
        RestApiId:
          Ref: ApiGatewayRestApi
        Type: COGNITO_USER_POOLS
        ProviderARNs:
          - arn:aws:cognito-idp:us-east-1:account1:userpool/userpool1
          - arn:aws:cognito-idp:us-east-1:account1:userpool/userpool2
          - arn:aws:cognito-idp:us-east-1:account2:userpool/userpool3
          - arn:aws:cognito-idp:us-east-1:account2:userpool/userpool4

Solution 4:[4]

There are multiple ways of "Controlling and Managing Access to a REST API in API Gateway" and User Pool as Authorizer is one of them. In your case, I would go with IAM Permissions by attaching a policy to an IAM user representing the API caller, to an IAM group containing the user, or to an IAM role assumed by the user.

As a reference, I'm suggesting IAM Permissions instead of Lambda authorizers as I don't see a need to "control access to REST API methods using bearer token authentication as well as information described by headers, paths, query strings, stage variables, or context variables request parameters" in your request.

Solution 5:[5]

Using python boto3,

import boto3
api_client=boto3.client('apigateway', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region_name)
api_client.update_authorizer( restApiId='restAPIID', authorizerId='AuthosizerID', patchOperations=[ { 'op': 'add', 'path': '/providerARNs', 'value': 'COGNITO_USER_POOL_ARN' } ])

enter image description here

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Daniel
Solution 2
Solution 3
Solution 4 r.pedrosa
Solution 5 msnfreaky