1

Following is my use case -

I am developing an android app. I am trying to use aws api gateway and a lambda function at back of it. but even before i login i want to secure the HTTP calls and authenticate my application. For that i am planning to use cognito with the API Gateway. so first my call will go to cognito which will authenticate the application(not user) and then my call will go to any Lamda function. I want to include all of this in the SDK of api gateway.

Ques 1 - Is it even possible to do this way ( please refer me to some documentation or code)

Ques 2 - Is it recommended. or is there a better way to do it ?

Robin Green
  • 32,079
  • 16
  • 104
  • 187
Subham Tripathi
  • 2,683
  • 6
  • 41
  • 70

2 Answers2

4

I know this might be too late. But for people who have this issue, two ways you can secure your API endpoints depending on your scenario.

If you don't currently have a user directory (login/signup system), you can use Cognito User Pool to secure your Apis. The steps are

  1. in AWS Cognito console, create a Cognito User Pool
  2. in API Gateway console, create a Cognito User Pool Authorizer
  3. in your JS code, authenticate the user with the Cognito User Pool which will return return you a user token, then you can use the token in Authorization header when making Ajax calls to the api.

Here's a step-by-step tutorial on the process. I'd recommend start with the Create a Cognito user pool chapter.

http://serverless-stack.com/chapters/create-a-cognito-user-pool.html

The second scenario being if you already have a user directory either with Facebook/Twitter or any other social login. You will need to create a Cognito Identity Pool. You might find this answer useful.

To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.

Community
  • 1
  • 1
Frank
  • 670
  • 8
  • 12
1

Yes this is possible and I think it is the correct way to do it. You can use the use the Android SDK to make the call to Cognito and authenticate, in Cognito you can configure to give the temporary IAM account that is returned a specific role, this role should only have rights to call the API Gateway. Then your client can use these temporary IAM credentials to do calls to the API Gateway using the generated Android SDK (you can generate it from the API Gateway console after deploying your API). You have to configure your API endpoints in API Gateway to be secured by IAM and make sure to create OPTIONS methods on your resources if you need cross domain CORS support.

Marcel Panse
  • 572
  • 1
  • 6
  • 13
  • sry i am troubling you again but how to authenticate my application even before i login ? – Subham Tripathi Sep 08 '15 at 13:54
  • You login against Cognito, you have to connect Cognito with an identity provider (for example google/facebook/twitter). You won't hit your API or lambda's before authentication, this is all handled by Cognito. – Marcel Panse Sep 08 '15 at 14:41
  • sorry if i have not made myself clear .. what i want to do is first authenticate applciation ( at the time of bootstrap of application) and then use cognito to authenticate user i want to wrap cognito inside the api gateway. so i am confused on how to do it. taking from your comment "You login against Cognito, " but i have to authenticate application first . Sorry if it sounds dumb – Subham Tripathi Sep 08 '15 at 14:55
  • 3
    @SubhamTripathi You can create a CognitoCachingCredentialsProvider without logging in (this is sometimes referred to as "guest" access). This would give you something close to "application authentication". – Bob Kinney Sep 08 '15 at 20:55
  • @BobKinney can i assume that there is no direct way of authenticating app. And what role can signed request play in my use case and is my way of achieving the use case is correct ? – Subham Tripathi Sep 09 '15 at 03:28
  • @SubhamTripathi You would be responsible for authenticating the application. Unfortunately at this time Amazon Cognito offers no such capabilities. If you are willing to accept the risks of enabled unauthenticated access to your API your use case is well suited to Amazon Cognito and API Gateway. – Bob Kinney Sep 09 '15 at 05:25