Different Cognito Pool Authorizer by API Gateway Stages
A

5

12

We have 3 stages on our API Gateway (Development, Testing, Production). They use a Cognito User Pool Authorizer for authorization, and each one of the stages has a different User Pool, so this configuration must be dynamic.

The problem: How do I configure the Authorizer for my API so that each API stage checks the authorization in the correct user pool?

PS: The Authorizer isn't a custom lambda function, it's the default Cognito authorizer.

Aniline answered 27/2, 2018 at 20:20 Comment(3)
If you've found a solution please add it as an answer. - Florettaflorette
I didn't find any solution... - Aniline
I also haven't found any adequate one to have API Gateway + Lambda back end dev/prod stages where dev stage can be easily updated and prod would be like some manually pushed snapshot of dev. I ended up with having two API Gateway instances for dev and prod, using the same lambdas but without any parametrization (because the latter requires manually setting permissions for every lambda). It relies on the idea that lambdas will be changed much more rapidly than API Gateway itself. And for dev the $LATEST lambda versions are used, for prod manually selected ones. Lambdas get context by stage variables. - Florettaflorette
T
3

According to a thread on the AWS forums that has since been "archived", AWS doesn't currently support this.

Your best bet seems to be a multi-stack solution, where instead of stages you have separate APIs for the different environments.

See also this post for some more information.

Togs answered 5/6, 2018 at 12:29 Comment(5)
The more info post is no longer available. - Cocks
Oh, that's unfortunate... Thanks for pointing it out @Cocks - I'll just delete it. - Togs
If you recall the info or can find another link to something similar it would be great to include it. Have a great day! - Cocks
More info post is available again; the forum thread has been archived, however. - Replica
Thanks @CanO'Spam, updated accordingly. - Togs
E
1

As @Rafael Soratto (comment) suggested,

Step 1: Create a stage variable and give it the ARN of the AWS Cognito pool as its value.

Step 2: In the Cognito authorizer, rather than writing the Cognito pool name, write ${stageVariables.yourvariablename}.

And that's it.

Now, the Cognito authorizer will behave according to the API Gateway stages.

Ewart answered 16/8, 2022 at 12:47 Comment(0)
M
0

You can do it using StageVariables

stage variables

authorizer

Majoriemajority answered 11/1, 2022 at 13:59 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Trovillion
C
0

It can't be done using stage variables in API Gateway.

The solution that I have found is having different pool authorizers deployed for every stage. Not ideal but it's okay for me.

Continent answered 22/7, 2022 at 9:43 Comment(2)
Can you share resources to help back this up with some context? - Replica
I tried that, works but it's extremely time consuming to set up and manage. - Aureole
P
0

1 - Set stage variables for all your environments on API GW, in name use "cognito_pool_id" (or whatever you prefer) and in value add your cognito pool id for each environment.

2A - In case you already have your Test environment with authorizers all placed in your methods (under your API resources), just go to your current authorizer settings (in case you're already using a Cognito authorizer for your methods) and change the static ARN for your stage variable.

2B - In case your methods still don't have an authorizer using cognito or you're using a lambda authorizer, well, you gotta create a new authorizer (as we can't change the authorizer type) and set it up for all your methods (I hope you don't have too many methods because it consumes some time).

Here's an example of the ARN using stage var: arn:aws:cognito-idp:your-region:111222333444:userpool/${stageVariables.cognito_pool_id}


Pomfret answered 29/5, 2024 at 20:50 Comment(0)
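
If the stage-variable approach from the answers above is used (the answers on this page disagree on whether it works), a mistyped or copied variable value makes a stage validate tokens against another environment's user pool. The check below is an added example, not code from any of the posts: it resolves the authorizer's ARN template per stage and flags undefined variables, unexpected pools and pools shared between stages. The region, pool IDs and the `resolve`/`audit` names are constructed, and the dictionaries stand in for your API's real stage variables and authorizer setting. The same template handling covers a variable that holds the whole ARN or only the pool ID.

```python
import re

# Matches the ${stageVariables.name} placeholders used in the answers above.
STAGE_VAR = re.compile(r"\$\{stageVariables\.([A-Za-z0-9_]+)\}")
POOL_ARN = re.compile(
    r"^arn:aws:cognito-idp:[a-z0-9-]+:\d{12}:userpool/[\w-]+_[A-Za-z0-9]+$")

def resolve(template, variables):
    """Substitute stage variables; return (arn, names_of_missing_variables)."""
    missing = []

    def sub(match):
        name = match.group(1)
        if name not in variables:
            missing.append(name)
            return match.group(0)  # leave the placeholder visible
        return variables[name]

    return STAGE_VAR.sub(sub, template), missing

def audit(provider_arn_template, stages, expected):
    """Return (stage, problem) findings; an empty list means every stage
    resolves to its own expected user pool."""
    findings, seen = [], {}
    for stage, variables in stages.items():
        arn, missing = resolve(provider_arn_template, variables)
        if missing:
            findings.append((stage, f"undefined stage variable(s): {missing}"))
            continue
        if not POOL_ARN.match(arn):
            findings.append((stage, f"not a user pool ARN: {arn}"))
        elif arn != expected.get(stage):
            findings.append((stage, f"unexpected pool: {arn}"))
        if arn in seen:
            findings.append((stage, f"shares a pool with stage {seen[arn]}"))
        seen.setdefault(arn, stage)
    return findings

# Constructed sample data (region and pool IDs are made up for illustration).
PREFIX = "arn:aws:cognito-idp:eu-west-1:111222333444:userpool/"
TEMPLATE = PREFIX + "${stageVariables.cognito_pool_id}"
STAGES = {
    "Development": {"cognito_pool_id": "eu-west-1_DevPool01"},
    "Testing": {"cognito_pool_id": "eu-west-1_TestPool1"},
    "Production": {"cognito_pool_id": "eu-west-1_DevPool01"},  # copied from dev
}
EXPECTED = {"Development": PREFIX + "eu-west-1_DevPool01",
            "Testing": PREFIX + "eu-west-1_TestPool1",
            "Production": PREFIX + "eu-west-1_ProdPool1"}
```

With the sample data, `audit(TEMPLATE, STAGES, EXPECTED)` reports two findings for Production: the pool is not the expected one, and it is the pool Development already uses.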
