cognito-api-lambda

Amazon API Gateway with Amazon Cognito User Pools as Authorizer

This is an Amazon API Gateway with Amazon Cognito User Pools project for Python development with CDK.

The cdk.json file tells the CDK Toolkit how to execute your app.

This project is set up like a standard Python project. The initialization process also creates a virtualenv within this project, stored under the .venv directory. To create the virtualenv it assumes that there is a python3 (or python for Windows) executable in your path with access to the venv package. If for any reason the automatic creation of the virtualenv fails, you can create the virtualenv manually.

To manually create a virtualenv on MacOS and Linux:

$ python3 -m venv .venv

After the init process completes and the virtualenv is created, you can use the following step to activate your virtualenv.

$ source .venv/bin/activate

If you are a Windows platform, you would activate the virtualenv like this:

% .venv\Scripts\activate.bat

Once the virtualenv is activated, you can install the required dependencies.

(.venv) $ pip install -r requirements.txt

At this point you can now synthesize the CloudFormation template for this code.

(.venv) $ export CDK_DEFAULT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
(.venv) $ export CDK_DEFAULT_REGION=$(aws configure get region)
(.venv) $ cdk synth --all

Use cdk deploy command to create the stack shown above,

(.venv) $ cdk deploy --require-approval never --all

To add additional dependencies, for example other CDK libraries, just add them to your setup.py file and rerun the pip install -r requirements.txt command.

Testing the Cognito JWT Authorizer

Let's test if our lambda function is protected by the authorizer. In order to test the flow we have to:

1. Register a Cognito User, using the aws cli

   aws cognito-idp sign-up \
     --client-id your-user-pool-client-id \
     --username "[email protected]" \
     --password "user-password"
   

   Note: You can find UserPoolClientId with the following command:

   aws cloudformation describe-stacks --stack-name your-cloudformation-stack-name | jq -r '.Stacks[0].Outputs | map(select(.OutputKey == "UserPoolClientId")) | .[0].OutputValue'
   

2. Confirm the user, so they can log in:

   aws cognito-idp admin-confirm-sign-up \
     --user-pool-id your-user-pool-id \
     --username "[email protected]"
   

   At this point if you look at your cognito user pool, you would see that the user is confirmed and ready to log in:

   Note: You can find UserPoolId with the following command:

   aws cloudformation describe-stacks --stack-name your-cloudformation-stack-name | jq -r '.Stacks[0].Outputs | map(select(.OutputKey == "UserPoolId")) | .[0].OutputValue'
   

3. Log the user in to get an identity JWT token

   aws cognito-idp initiate-auth \
     --auth-flow USER_PASSWORD_AUTH \
     --auth-parameters USERNAME="[email protected]",PASSWORD="user-password" \
     --client-id your-user-pool-client-id
   

4. Hit our Api to test the Authorizer; use the token to invoke our API endpoint which will call the function (if the token is valid)
   

• First we will send an anonymous request, without providing the Authorization header. The expected behavior would be to get a 401 Unauthorized response:

  curl --location --request GET 'your-api-url/hello'
  

  The response is:

  {"message":"Unauthorized"}
  

• Let's try to send along the Authorization header:

  MY_ID_TOKEN=$(aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME="[email protected]",PASSWORD="user-password" --client-id your-user-pool-client-id | jq -r '.AuthenticationResult.IdToken')
  curl --location --request GET 'your-api-url/hello' --header "Authorization: ${MY_ID_TOKEN}"
  

  The response comes straight from our Lambda function:

  "Hello from Lambda!"
  

• Note: You can find your-api-url with the following command:

  aws cloudformation describe-stacks --stack-name your-cloudformation-stack-name | jq -r '.Stacks[0].Outputs | map(select(.ExportName == "ApiGatewayRestApiEndpoint")) | .[0].OutputValue'
  

Clean Up

Delete the CloudFormation stack by running the below command.

(.venv) $ cdk destroy --force --all

Useful commands

• cdk ls list all stacks in the app
• cdk synth emits the synthesized CloudFormation template
• cdk deploy deploy this stack to your default AWS account/region
• cdk diff compare deployed stack with current state
• cdk docs open CDK documentation

Enjoy!

References

• Add a Cognito Authorizer to API Gateway V2 in AWS CDK
• Amazon APIGateway backed by Lambda and protected by Cognito User Pools
• How do I set up an Amazon Cognito user pool as an authorizer on an API Gateway REST API?
• Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM
• Curl Cookbook