What I want to implement:

I have a Cognito User-Pool and I have some Users and some Groups. I want that certain Users have access to API Gateway functions, some Users can access some functions and others have no access.

What I did:

I created three groups and assigned the Users to each of the groups. I gave each of the groups an IAM role and gave each roled spezific policies. The permission for the group for all users looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:*",
            "Resource": "*"
        }
     ]
}

I created Lambda functions and API Gateway Resources through the Serverless framework. I set the authorizer to a Cognito User-Pool authorizer.

(I tried a couple different things like using federated identities but that didnt seem to work as well)

What is my result:

All Users have full access to the API Gateway. The given permissions do not seem to make any difference to the access of each user.

Help: What did I do wrong? How can I achieve my goal?

The roles attached to a user pool group only come into picture when you generate credentials for the user using Cognito Federated Identity. Adding groups to a user pool

IAM roles and their permissions are tied to the temporary AWS credentials that Amazon Cognito identity pools provide for authenticated users. Users in a group are automatically assigned the IAM role for the group when AWS credentials are provided by Amazon Cognito Federated Identities using the Choose role from token option.

So basically

1. create an identity pool attached to your user pool.
2. change authorization for API gateway to IAM
3. after login to user pool, user id_token to generate the federated identity
4. use this identity (secret key + access key + token) for authorization with API gateway.

Now your roles should be honored. But mind you - you will be required to generate AWS SigV4 credentials on your own as for some reason this is not provided out of the box. I ended up using aws-sign-web for use in browser.

PS: your role seems to give blanket access to API gateway. you will need to fix that as well. e.g. sample role I used to limit access to one API endpoint

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "execute-api:Invoke",
        "Resource": [
            "arn:aws:execute-api:us-east-2:<aws account id>:<API id>/*/*/acc/*"
        ],
        "Effect": "Allow"
    }
]
}

Sample code to generate federated identity

function getAccessToken(idToken, idenPoolId, userPool) {
        let region = idenPoolId.split(":")[0];
        let provider = "cognito-idp." + region + ".amazonaws.com/" + userPool;
        let login = {};

        login[provider] = idToken;

        // Add the User's Id Token to the Cognito credentials login map.
        let credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: idenPoolId,
            Logins: login
        });

        //call refresh method in order to authenticate user and get new temp credentials
        credentials.get((error) => {
            if (error) {
                console.error(error);

                //let response = {
                //  statusCode: 500,
                //  body: JSON.stringify(error)
                //};

                return null;

            } else {
                console.log('Successfully logged!');
                console.log('AKI:'+ credentials.accessKeyId);
                console.log('AKS:'+ credentials.secretAccessKey);
                console.log('token:' + credentials.sessionToken);

                let response = JSON.stringify({
                    'AKI': credentials.accessKeyId,
                    'AKS': credentials.secretAccessKey,
                    'token': credentials.sessionToken
                });

                return response;
            }
        });
    }

I have a much better solution, and you don't need the IAM.

Simply save the pair of {username, serviceName} in a S3 or DB. So every time, you get the request for a service:

1. Check if the user is authorized (from Cognito).
2. Check if the user is authorized for the service (S3, MySQL, RDS, etc.).

Why I think it is better

Because adding/removing users from services, you don't need to login as an admin to IAM. And hopefully later on, you can create a dashboard for management.

Work Flow

1. UserA sends a request to your securityApi.

2. SecurityApi checks the token is authorized (user is valid or not).

3. If the UserA is valid, the securityApi, sends the username of the user (can get it from the payload of the token) and the service name to a DB, to see if the user has access to the user. For example for Mysql (use RDS for this):

   SELECT username from ServiceX LIMIT 1 WHERE username = "xyz"; 
   

4. If the second or third steps passed the user is 1. valid user and 2. has the right to use the service. If the user is failed in step 2 or 3, the user is not authorized to use the service.