Cognito, API Gateway and Lambda assuming the identity of the cognito user


I’m building a React app, using API Gateway, Lambda and Cognito (basically starting from the tutorial). I would like to set up fine-grained access control to my DynamoDB (i.e. through IAM policies that restrict access to DynamoDB tables based upon the logged-in user - like

AFAIK, a Lambda function assumes a service role, as defined in the serverless.yml file, that has in itself nothing to do with the IAM policy that is attached to the logged-in Cognito user. I know that using an IAM authorizer, I can get info on the logged-in user.

My question: is it possible to have the Lambda do AWS calls on behalf of the given Cognito user, thus honoring the IAM policies attached to that user? (a bit similar to how the serverless-stack tutorial interacts with S3)

All suggestions welcome.
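One way a Lambda can act under the caller's own identity-pool role rather than its service role, as an added example that is not from this thread: exchange the user's Cognito User Pool ID token (forwarded in the Authorization header by a user-pool authorizer) for temporary credentials from the identity pool, and build the DynamoDB client from those. It assumes the identity pool trusts the user pool and that its authenticated role carries a `dynamodb:LeadingKeys` condition on `${cognito-identity.amazonaws.com:sub}`; the pool ids, region and table name below are placeholders.

```python
import json

# Placeholders (not from the thread): replace with your own pool ids and region.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
LOGIN_KEY = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Policy for the identity pool's *authenticated* role: DynamoDB itself rejects any
# item whose partition key is not the caller's identity id, so a Lambda bug cannot
# widen access. Attach this as the role's inline policy.
AUTHENTICATED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:Query", "dynamodb:GetItem", "dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/notes",  # placeholder ARN
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}},
    }],
}

def bearer_token(event):
    """Raw ID token from the Authorization header; the user-pool authorizer already verified it."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    return auth[7:] if auth.lower().startswith("bearer ") else auth

def credentials_for_user(id_token, cognito=None):
    """GetId + GetCredentialsForIdentity: short-lived keys bound to this user's identity id."""
    if cognito is None:
        import boto3  # imported lazily so the exchange can be tested with a fake client
        cognito = boto3.client("cognito-identity", region_name=REGION)
    logins = {LOGIN_KEY: id_token}
    identity_id = cognito.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    creds = cognito.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return identity_id, creds

def user_scoped_dynamodb(creds):
    """DynamoDB client that signs with the user's credentials, not the Lambda's service role."""
    import boto3
    return boto3.client("dynamodb", region_name=REGION, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretKey"], aws_session_token=creds["SessionToken"])

def handler(event, context, cognito=None, ddb_factory=user_scoped_dynamodb):
    identity_id, creds = credentials_for_user(bearer_token(event), cognito)
    resp = ddb_factory(creds).query(TableName="notes", KeyConditionExpression="userId = :u",
                                    ExpressionAttributeValues={":u": {"S": identity_id}})
    return {"statusCode": 200, "body": json.dumps(resp.get("Items", []))}
```

With an `aws_iam` authorizer instead, no token reaches the Lambda to exchange; it only receives `requestContext.identity.cognitoIdentityId`, so the scoping then has to be done by the client calling DynamoDB directly with its identity-pool credentials.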

Were you able to get this working?

Bumping this. I am trying the same thing and despite several attempts keep coming up empty on getting it to work. I can have API Gateway and Cognito passing in the user policy to the Lambda associated with the user that prompted the Lambda execution, but can’t do anything with the said policy.