AWS API Gateway authentication with Cognito and Amplify


Hey, trying to get my head around deploying a fairly complex application using CloudFormation and multiple serverless services.

I have the following under a single AWS account/region:

  • API Gateway - Custom domain (public) for normal users (
  • API Gateway - Custom domain (admin) for admin users (
  • API Gateway - Each custom domain contains around 5-6 services (correct term here would be APIs) each with maybe 2-5 functions per service
  • Cognito user pool for public users
  • Cognito user pool for admin users

You can probably see where I am going here: public users can only access public APIs and admin users can only access admin APIs. Seems simple enough.

In terms of deployment I have a standalone CloudFormation stack which sets up Cognito user pools, IAM roles etc. for me. Most importantly, the part I need to lock down is this part of the authorised IAM role:

          - Effect: Allow
            Action: execute-api:Invoke
            Resource: "*"

Once this stack is deployed I then deploy a number of serverless services which create the relevant IDs in API Gateway.

If I manually edit this role to the following:

          - Effect: Allow
            Action: execute-api:Invoke
            Resource: "arn:aws:execute-api:eu-west-2:*:gyablli82h/*"

it successfully locks down access to a specific API.

My question is: how can I deploy the first CloudFormation stack with the correct role without deploying the services beforehand, given that the services are what create the API IDs used in the IAM role?
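The scoping in the post hinges on the `execute-api` resource ARN format, `arn:aws:execute-api:region:account-id:api-id/stage/METHOD/resource-path`, and on every API ID that should be reachable ending up in the `Resource` list instead of `*`. The following is an added example, not code from the original post: a small Python helper that builds the scoped `execute-api:Invoke` statement for a set of API IDs and that audits an existing policy document for grants still wildcarded at the API-ID level. The region is taken from the post; the account ID `123456789012`, the second API ID and the sample policy are constructed values.

```python
import json
import re

# Constructed example values (the account ID and the second API ID are not
# from the original post; the region and gyablli82h are).
REGION = "eu-west-2"
ACCOUNT_ID = "123456789012"
PUBLIC_API_IDS = ["gyablli82h", "a1b2c3d4e5"]

# API Gateway REST API IDs are 10 lowercase alphanumeric characters.
API_ID_RE = re.compile(r"^[a-z0-9]{10}$")


def execute_api_arn(region, account_id, api_id, stage="*", method="*", path="*"):
    """Build arn:aws:execute-api:region:account:api-id/stage/METHOD/resource-path.

    Pinning the account ID (rather than '*') keeps the grant from matching an
    identically named API in another account; '*' in any trailing segment
    matches across '/' in IAM, so api-id/*/*/* covers every stage and route.
    """
    if not API_ID_RE.match(api_id):
        raise ValueError(f"not a valid API Gateway REST API id: {api_id!r}")
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{method}/{path}"


def invoke_statement(region, account_id, api_ids, stage="*", method="*", path="*"):
    """One Allow statement for execute-api:Invoke scoped to the given API IDs."""
    return {
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": [
            execute_api_arn(region, account_id, api_id, stage, method, path)
            for api_id in sorted(set(api_ids))
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _api_id_segment(arn):
    """Return the api-id segment of an execute-api ARN, or None if it is not one."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[2] != "execute-api":
        return None
    return parts[5].split("/", 1)[0]


def broad_invoke_grants(policy_doc):
    """List resources in Allow statements that grant execute-api:Invoke without
    naming a specific API (Resource '*', or '*' in the api-id segment)."""
    findings = []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"*", "execute-api:*", "execute-api:invoke"}:
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or _api_id_segment(resource) == "*":
                findings.append(resource)
    return findings


# Constructed sample: the unscoped statement from the post, as a full policy.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "*"}
    ],
}


def scoped_policy(region=REGION, account_id=ACCOUNT_ID, api_ids=PUBLIC_API_IDS):
    """The hardened replacement for UNSCOPED_POLICY."""
    return {
        "Version": "2012-10-17",
        "Statement": [invoke_statement(region, account_id, api_ids)],
    }


if __name__ == "__main__":
    print("broad grants in unscoped policy:", broad_invoke_grants(UNSCOPED_POLICY))
    print(json.dumps(scoped_policy(), indent=2))
    print("broad grants in scoped policy:", broad_invoke_grants(scoped_policy()))
```

Run it on a policy pulled from the deployed role (for example the JSON from `aws iam get-role-policy`) to confirm that no `execute-api:Invoke` grant is still wildcarded at the API-ID level, and feed it the list of API IDs the service stacks export to produce the statement the first stack should end up with.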