Create AWS Cognito User Pool Authorizer for API Gateway

Create AWS Cognito Authorizer for API Gateway — Quick Start

The blog will provide you a quick start of how to use AWS Cognito as a security layer for AWS API Gatway. It is dividing into two parts:

  1. Creation of a user pool in AWS Cognito.
  2. Creation and configuration of authorizer in API Gateway.

1. Creating a User Pool in AWS Cognito

  • Create a User Pool, by clicking on “Create a user pool” in AWS Cognito Console.

  • Give a name to user pool and then click on Review Defaults” to save the pool name.
  • On left side bar click on “Attributes”.
  • Select “Email address or phone number” and under it check “Allow email addresses”.

— Click on Next Step” button, on the bottom of the page, to save settings.

  • Now click on Review” link on sidebar and than click on Create Pool”

  • After the pool is created, click on the App Client” under the General Settings” in the sidebar.

  • Now we are going to create an app client. To do this, click on “Add an app client” on the web browser.

  • Give app client a name and select “Enable username-password (non-SRP) flow for app-based authentication (USER\PASSWORD_AUTH)”_ option. After this, click on Create app client” to create a client and then click on “Return to pool details”. Note the app client id” we will use later to access the verification process of cognito.

  • Also note the Pool Id” on the General Settings” page as we need it for using verification process of cognito.

Now we are done with creating a user pool in AWS Cognito.

2. Creating and Configuring Authorizer in API Gateway

  • I’m assuming that an API is created. So I will create an authorizer for my methods. We can do this by clicking on the “Authorizers” under the API in sidebar as shown in the screenshot.

  • Now click on Create New Authorizer” to create a new authorizer.

  • Now give the authorizer a name, select a type of Cognito, select the region in which the user pool was created, select the user pool and in Token Source type Authorization”. and then click on Create”.

  • Now select a method on which authorizer is to be applied and then click on “Method Request”.

  • Now set the “Authorization” to the created authorizer.

And you are all done. Also enable the CORS for this API to be accessed by other applications.

NOTE: Using “App client id” and Pool Id” your application will send the user authentication details to AWS Cognito. AWS Congnito will authenticate the client and if the client is authentic, it will generate the API Access Token. Using this token, the client can invoke the APIs — only those APIs which the client has permissions to invoke.


Amazon Cognito identity pools provide temporary AWS credentials for users who are guests

Amazon Cognito User Pools - Amazon Cognito