Control access to REST APIs using Amazon Cognito user pools as an authorizer
As an alternative to using IAM roles and policies or Lambda authorizers (formerly known as custom authorizers), you can use an Amazon Cognito user pool to control who can access your API in Amazon API Gateway.
To use an Amazon Cognito user pool with your API, you must first create an authorizer of the
COGNITO_USER_POOLS
type and then configure an API method to use that
authorizer. After the API is deployed, the client must first sign the user in to the user
pool, obtain an identity or access token for the user, and then call the API method with one of
the tokens, which are typically set to the request's Authorization
header. The
API call succeeds only if the required token is supplied and the supplied token is valid,
otherwise, the client isn't authorized to make the call because the client did not have
credentials that could be authorized.
The identity token is used to authorize API calls based on identity claims of the signed-in user. The access token is used to authorize API calls based on the custom scopes of specified access-protected resources. For more information, see Using Tokens with User Pools and Resource Server and Custom Scopes.
To create and configure an Amazon Cognito user pool for your API, you perform the following tasks:
-
Use the Amazon Cognito console, CLI/SDK, or API to create a user pool—or use one that's owned by another AWS account.
-
Use the API Gateway console, CLI/SDK, or API to create an API Gateway authorizer with the chosen user pool.
-
Use the API Gateway console, CLI/SDK, or API to enable the authorizer on selected API methods.
To call any API methods with a user pool enabled, your API clients perform the following tasks:
-
Use the Amazon Cognito CLI/SDK or API to sign a user in to the chosen user pool, and obtain an identity token or access token. To learn more about using the SDKs, see Code examples for Amazon Cognito using AWS SDKs.
-
Use a client-specific framework to call the deployed API Gateway API and supply the appropriate token in the
Authorization
header.
As the API developer, you must provide your client developers with the user pool ID, a client ID, and possibly the associated client secrets that are defined as part of the user pool.
Note
To let a user sign in using Amazon Cognito credentials and also obtain temporary credentials to
use with the permissions of an IAM role, use Amazon Cognito Federated Identities. For each API resource endpoint HTTP method, set the
authorization type, category Method Execution
, to AWS_IAM
.
In this section, we describe how to create a user pool, how to integrate an API Gateway API with the user pool, and how to invoke an API that's integrated with the user pool.
Topics
- Obtain permissions to create Amazon Cognito user pool authorizers for a REST API
- Create an Amazon Cognito user pool for a REST API
- Integrate a REST API with an Amazon Cognito user pool
- Call a REST API integrated with an Amazon Cognito user pool
- Configure cross-account Amazon Cognito authorizer for a REST API using the API Gateway console
- Create an Amazon Cognito authorizer for a REST API using AWS CloudFormation