0
0
AwsHow-ToBeginner · 4 min read

How to Use Cognito Authorizer in AWS API Gateway

To use a Cognito authorizer, configure your AWS API Gateway to use an Amazon Cognito User Pool as the authorizer. This setup lets API Gateway verify user tokens issued by Cognito before allowing access to your API endpoints.
📐

Syntax

The basic syntax to define a Cognito authorizer in AWS API Gateway involves specifying the type as COGNITO_USER_POOLS, the providerARNs which are the ARNs of your Cognito User Pools, and the identitySource which is usually the Authorization header.

json
{
  "type": "COGNITO_USER_POOLS",
  "name": "MyCognitoAuthorizer",
  "providerARNs": [
    "arn:aws:cognito-idp:region:account-id:userpool/user-pool-id"
  ],
  "identitySource": "method.request.header.Authorization"
}
💻

Example

This example shows how to create a Cognito authorizer in AWS API Gateway using AWS CLI and attach it to a GET method on a resource.

bash
aws apigateway create-authorizer \
  --rest-api-id a1b2c3d4 \
  --name MyCognitoAuthorizer \
  --type COGNITO_USER_POOLS \
  --provider-arns arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_Abc123XYZ \
  --identity-source method.request.header.Authorization

aws apigateway update-method \
  --rest-api-id a1b2c3d4 \
  --resource-id x1y2z3 \
  --http-method GET \
  --patch-operations op=replace,path=/authorizationType,value=COGNITO_USER_POOLS

aws apigateway update-method \
  --rest-api-id a1b2c3d4 \
  --resource-id x1y2z3 \
  --http-method GET \
  --patch-operations op=replace,path=/authorizerId,value=authorizer-id-from-create
Output
Authorizer created with ID: authorizer-id-from-create Method updated to use Cognito authorizer
⚠️

Common Pitfalls

  • Not setting the Authorization header correctly in client requests causes authorization failures.
  • Using the wrong Cognito User Pool ARN or region leads to token validation errors.
  • Forgetting to deploy the API after changes means updates won't take effect.
  • Setting the authorizer type incorrectly (e.g., using CUSTOM instead of COGNITO_USER_POOLS) causes authorization to fail.
json
Wrong way:
{
  "type": "CUSTOM",
  "name": "MyCognitoAuthorizer",
  "providerARNs": ["arn:aws:cognito-idp:region:account-id:userpool/user-pool-id"]
}

Right way:
{
  "type": "COGNITO_USER_POOLS",
  "name": "MyCognitoAuthorizer",
  "providerARNs": ["arn:aws:cognito-idp:region:account-id:userpool/user-pool-id"]
}
📊

Quick Reference

  • type: Must be COGNITO_USER_POOLS
  • providerARNs: List of Cognito User Pool ARNs
  • identitySource: Usually method.request.header.Authorization
  • Attach authorizer to API methods and deploy API
  • Clients must send valid JWT tokens in Authorization header

Key Takeaways

Use the Cognito User Pool ARN as the provider in your API Gateway authorizer.
Set the authorizer type to COGNITO_USER_POOLS to enable token validation.
Clients must send the JWT token in the Authorization header for access.
Always deploy your API after adding or updating the authorizer.
Check region and user pool IDs carefully to avoid token validation errors.

Related by keyword

How to Trigger AWS Lambda from API Gateway EasilyLambdaGateway Endpoint vs Interface Endpoint in AWS: Key Differences and UsageVPCInternet Gateway vs NAT Gateway: Key Differences and UsageVPCWhat is Internet Gateway in AWS: Simple Explanation and Use CasesVPCWhat is NAT Gateway in AWS: Simple Explanation and Use CasesVPC

Up next

Provisioned Concurrency in AWS Lambda: What It Is and How It WorksReserved Concurrency in AWS Lambda: What It Is and How It WorksHow to Configure Route Table in AWS: Step-by-Step GuideHow to Configure VPC Flow Logs in AWS: Step-by-Step Guide

More in API Gateway

How to Cache in AWS API Gateway for Faster ResponsesHow to Configure CORS in AWS API Gateway EasilyHow to Create HTTP API in AWS API GatewayHow to Create REST API in AWS API Gateway