C# Lambda Get Cognito Identity

Okay everyone, I got it working. Here is what I did.

In the AWS Console

  • Create a lambda function
  • Create a user pool
    • Create a user for yourself and verify the email. We will change the password later
    • Create a client app. Uncheck the client secret checkbox
  • Create a federated identity (that uses the user pool)
  • Create/Edit Authed and Unauthed roles
    • On the Authed role, go to IAM and add a managed policy to allow full access to invoke APIG
  • Create an API Gateway resource and a method (ANY)
    • Use lambda as the integration, proxy requests to it
    • Enable CORS on resource
    • Set Authorization to AWS_IAM

In your code

Auth and get creds. There are a number of ways to do this. Now that you have a user pool, you can use the front-end library amazon-cognito-identity-js, which will allow you to authenticate and get a JWT (call authenticate() with the above library). With the JWT you can use CognitoIdentityCredentials and config.credentials.get to actually populate the AccessKeyId, SecretAccessToken and SessionToken.

FINALLY use Postman (NOT THE CHROME APP, you must download the desktop app) to call your APIG and there you go!

I have some code samples and blog posts coming soon. I have to clean up my code a lot and move hardcoded stuff to text inputs.

2 Likes
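
The Lambda side of the setup described above, as an added example that is not part of the original post: with Authorization set to AWS_IAM and a proxy integration, API Gateway passes the verified caller identity in the request context, and the handler should read it from there rather than from anything the client sends. It assumes the Amazon.Lambda.APIGatewayEvents and Amazon.Lambda.Core NuGet packages; the class and method names and the allowed origin are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.Core;

public class Function
{
    // Hypothetical front-end origin; replace with the site that calls the API.
    const string AllowedOrigin = "https://app.example.com";

    // API Gateway fills RequestContext.Identity only after it has verified the
    // SigV4 signature, so these values are not client-controlled.
    public APIGatewayProxyResponse Handler(APIGatewayProxyRequest request, ILambdaContext context)
    {
        var id = request.RequestContext?.Identity;
        // Unauthenticated identities also carry an identity id, so check the type too.
        if (string.IsNullOrEmpty(id?.CognitoIdentityId) ||
            id.CognitoAuthenticationType != "authenticated")
            return Reply(403, "no authenticated Cognito identity");

        var sub = UserPoolSub(id.CognitoAuthenticationProvider);
        if (sub == null)
            return Reply(403, "caller did not sign in through a user pool");
        return Reply(200, $"identity={id.CognitoIdentityId} sub={sub}");
    }

    // For user pool sign-ins the provider string has the form:
    // cognito-idp.<region>.amazonaws.com/<poolId>,cognito-idp.<region>.amazonaws.com/<poolId>:CognitoSignIn:<sub>
    public static string UserPoolSub(string provider)
    {
        const string marker = ":CognitoSignIn:";
        if (string.IsNullOrEmpty(provider)) return null;
        int i = provider.LastIndexOf(marker, StringComparison.Ordinal);
        if (i < 0) return null;
        var sub = provider.Substring(i + marker.Length);
        return sub.Length > 0 ? sub : null;
    }

    // With a proxy integration the function must return the CORS header itself.
    static APIGatewayProxyResponse Reply(int status, string body) => new APIGatewayProxyResponse
    {
        StatusCode = status,
        Body = body,
        Headers = new Dictionary<string, string> { ["Access-Control-Allow-Origin"] = AllowedOrigin }
    };
}
```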