Configure ApiGateway v2 authorizers

I’m trying to set up a simple authorizer based on this doc. I’m also using the serverless plugin serverless-pseudo-parameters.

My serverless configuration for authorizer:

provider:
...
  logs:
    httpApi: true
  httpApi:
    cors: true
    authorizers:
      simpleAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl:
          - Fn::Join:
              - '/'
              - - https://cognito-idp.#{AWS::Region}.amazonaws.com
                - "#{CognitoUserPool}"
        audience:
          - "#CognitoUserPoolClient"

My configuration for simple lambda:

functions:
  ping:
    name: ${self:provider.stage}-ping
    handler: test.handler
    events:
      - httpApi:
          method: GET
          path: /test
          authorizer:
            name: simpleAuthorizer

My configuration of user pool and user pool client:

resources:
  Resources:
    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-${self:provider.stage}-user
        UsernameAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: False
            RequireNumbers: True
            RequireSymbols: False
            RequireUppercase: True
        Schema:
          - Name: email
            Required: false
            DeveloperOnlyAttribute: false
            Mutable: true
            AttributeDataType: String

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: cognito-example-client
        GenerateSecret: False
        UserPoolId: "#{CognitoUserPool}"

The user pool, user pool client, HTTP API and lambda were successfully created, but I can’t see an authorizer in the AWS console of the API Gateway service. Thanks for any help.

Hey @SavelevArtemD! I just deployed the following serverless.yaml. I think the only difference is putting curly braces around CognitoUserPoolClient for the audience.

service: test

plugins:
  - serverless-pseudo-parameters

provider:
  name: aws
  runtime: nodejs12.x
  logs:
    httpApi: true
  httpApi:
    cors: true
    authorizers:
      simpleAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl: "https://cognito-idp.#{AWS::Region}.amazonaws.com/#{CognitoUserPool}"
        audience:
          - "#{CognitoUserPoolClient}"

functions:
  ping:
    name: ${self:provider.stage}-ping
    handler: test.handler
    events:
      - httpApi:
          method: GET
          path: /test
          authorizer:
            name: simpleAuthorizer

resources:
  Resources:
    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-${self:provider.stage}-user
        UsernameAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: False
            RequireNumbers: True
            RequireSymbols: False
            RequireUppercase: True
        Schema:
          - Name: email
            Required: false
            DeveloperOnlyAttribute: false
            Mutable: true
            AttributeDataType: String

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: cognito-example-client
        GenerateSecret: False
        UserPoolId: "#{CognitoUserPool}"

And everything seemed to get deployed. Looking at the stack in the CloudFormation Console I see this:

Then if I click the link in the row for HttpApi, navigate to the “Authorization” section and select the endpoint, I see this:

So it looks like everything is deploying successfully on my end.

Running sls --version I get:

Framework Core: 1.69.0
Plugin: 3.6.11
SDK: 2.3.0
Components: 2.30.10

Hopefully this helps. Let me know if you can’t get it working.

Best,
Grant


Plug: The complexity of getting Cognito working with serverless is the reason I founded JustAuthenticateMe. It’s a super simple authentication-as-a-service that’s straightforward to set up. Check it out at https://www.justauthenticate.me/

Thanks a lot!
I solved my problem by simply updating serverless (I completely forgot I was using version 1.63.0).
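
Added example (not part of any post in this thread, and not Serverless Framework or API Gateway code): a small Node.js check that flags `#Name` references missing the `#{...}` braces in an authorizer definition, plus a simplified model of the issuer/audience comparison showing that a literal `#CognitoUserPoolClient` audience cannot match a token. It assumes serverless-pseudo-parameters rewrites only the braced `#{...}` form; the function names, pool ID and client ID are constructed for illustration.

```javascript
// Added example; the pool ID and client ID below are constructed sample values.
const BRACED_REF = /#\{[^}]+\}/g;    // "#{Name}": the form the plugin is assumed to rewrite
const BARE_REF = /#[A-Za-z][\w:]*/;  // "#Name": no braces, so it stays a literal string

// Recursively collect every string in an authorizer definition, with its path.
function collectStrings(node, path = []) {
  if (typeof node === 'string') return [{ path: path.join('.'), value: node }];
  if (node === null || typeof node !== 'object') return [];
  return Object.entries(node).flatMap(([k, v]) => collectStrings(v, [...path, k]));
}

// Paths of values that still hold a bare "#Name" once valid "#{...}" refs are removed.
function findBareRefs(authorizer) {
  return collectStrings(authorizer)
    .filter(({ value }) => BARE_REF.test(value.replace(BRACED_REF, '')))
    .map(({ path }) => path);
}

// Simplified model of the issuer/audience comparison a JWT authorizer performs.
// Signature, expiry and scope validation are deliberately left out.
function claimsMatch(claims, issuer, audiences) {
  const presented = [].concat(claims.aud !== undefined ? claims.aud : claims.client_id || []);
  return claims.iss === issuer && presented.some((a) => audiences.includes(a));
}

// Authorizer definitions transcribed from the question and the answer in this thread.
const fromQuestion = {
  identitySource: '$request.header.Authorization',
  issuerUrl: [{ 'Fn::Join': ['/', ['https://cognito-idp.#{AWS::Region}.amazonaws.com', '#{CognitoUserPool}']] }],
  audience: ['#CognitoUserPoolClient'],
};
const fromAnswer = {
  identitySource: '$request.header.Authorization',
  issuerUrl: 'https://cognito-idp.#{AWS::Region}.amazonaws.com/#{CognitoUserPool}',
  audience: ['#{CognitoUserPoolClient}'],
};

// Constructed claims of a Cognito access token (it carries client_id rather than aud).
const ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const claims = { iss: ISSUER, client_id: 'exampleclientid123', token_use: 'access' };

console.log('question config, bare refs:', findBareRefs(fromQuestion));
console.log('answer config, bare refs:', findBareRefs(fromAnswer));
console.log('literal audience accepts token:', claimsMatch(claims, ISSUER, fromQuestion.audience));
console.log('resolved audience accepts token:', claimsMatch(claims, ISSUER, ['exampleclientid123']));
```

An audience that is left as a literal string fails closed: every request is rejected rather than any token being accepted.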