Custom Authorizer question

A little confused with authorizers and permissions…

If, in my custom authorizer, I am able to add logic that enables me to know whether a user is of a certain role type, let's say a hypothetical USER or ADMIN_USER role type, then how can I use this info to allow a 'special' API Gateway request (that requires an ADMIN_USER invoker) to execute or not? I know I can return an 'allow' or 'deny' policy, but from the API Gateway point of view, how do I tell it that only ADMIN_USER can execute it?

Is the answer to have 2 different custom authorizers, e.g. UserAuthorizor and AdminAuthorizer, and then, for example, use AdminAuthorizer for my special API Gateway method and UserAuthorizor for all others?

What's the API Gateway request? Do you mean the method, such as PUT/POST/DELETE? Or the paths that admin users can access?

This is the template for the methodArn you can use in the policy when API Gateway calls the custom authorizer handler (Amazon API Gateway):

"methodArn":"arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>"

So what you can define differently for different users are two parts only:

method - such as GET/PUT/POST/DELETE, etc.
resourcePath - the resource path defined in API Gateway

And read this document as well to see if it is helpful for your question:

Yes, I meant the methods…

But if I use one authorizer, doesn't it mean that this authorizer has to do some sort of checking of a whole list of allowed method ARNs and allowed roles for those methods? Meaning that as time goes by I would need to keep maintaining a mapping of method ARNs -> roles in the authorizer?
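As an added example (not code from any poster in this thread), here is what a single Lambda custom authorizer that keeps such a mapping can look like. It parses the methodArn template quoted above, looks up the caller's role, and returns an IAM policy that allows every method/resourcePath pair the role is permitted to call on that API and stage. The role names USER and ADMIN_USER come from the question; the route table, the way the role is derived from the token, and the principal IDs are assumptions made for the example. Returning the whole set of routes for the role, rather than just the invoked ARN, matters because API Gateway caches the returned policy per token for the configured TTL and reuses it for the caller's next requests.

```python
"""Role-to-route custom authorizer for API Gateway (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed route table: which (method, resourcePath) pairs each role may invoke.
# In a real deployment this could come from configuration or a data store.
ROLE_ROUTES: Dict[str, List[Tuple[str, str]]] = {
    "USER": [("GET", "items"), ("POST", "items")],
    "ADMIN_USER": [
        ("GET", "items"),
        ("POST", "items"),
        ("DELETE", "items/*"),       # wildcard path segment
        ("POST", "admin/reindex"),   # the 'special' admin-only method
    ],
}

# Matches the methodArn template:
# arn:aws:execute-api:<regionId>:<accountId>:<apiId>/<stage>/<method>/<resourcePath>
METHOD_ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>[^:]+):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)/?(?P<path>.*)$"
)


def parse_method_arn(method_arn: str) -> Dict[str, str]:
    """Split a methodArn into its named components; raise on malformed input."""
    match = METHOD_ARN_RE.match(method_arn)
    if match is None:
        raise ValueError(f"unrecognised methodArn: {method_arn!r}")
    return match.groupdict()


def role_from_token(token: str) -> Optional[str]:
    """Assumption for the example: the (already validated) token carries the role
    name directly. A real authorizer would verify a JWT and read a role claim."""
    return token if token in ROLE_ROUTES else None


def build_policy(principal_id: str, method_arn: str, role: Optional[str]) -> dict:
    """Build the authorizer response: Allow for all routes of the role, scoped to
    the API and stage of the incoming request; explicit Deny when no role matches."""
    parts = parse_method_arn(method_arn)
    base = "arn:aws:execute-api:{region}:{account}:{api_id}/{stage}".format(**parts)
    allowed = [f"{base}/{method}/{path}" for method, path in ROLE_ROUTES.get(role or "", [])]

    if allowed:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
    else:
        # Deny only the requested ARN; the cached result then blocks repeat calls too.
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": [method_arn]}

    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Passed through to the backend as $context.authorizer.role
        "context": {"role": role or "NONE"},
    }


def handler(event: dict, context: object = None) -> dict:
    """Lambda entry point for a TOKEN authorizer."""
    role = role_from_token(event.get("authorizationToken", ""))
    # Assumed principal id; a real authorizer uses the subject of the token.
    return build_policy(f"user-{role or 'anonymous'}", event["methodArn"], role)


if __name__ == "__main__":
    # Constructed sample event, not a real invocation.
    sample_event = {
        "type": "TOKEN",
        "authorizationToken": "ADMIN_USER",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/DELETE/items/42",
    }
    print(handler(sample_event))
```

With this shape the mapping does grow with the API, but it lives in one place (the ROLE_ROUTES table) rather than in one authorizer per role, and the admin-only route is simply absent from the USER entry.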

To do this with Cognito and AWS_IAM authentication on API Gateway, you'd use two different identity pools, one for normal users and one for admins. When you log in via those two pools, you receive two different roles. The role policy for normal users only allows access to the normal Lambda functions (name the functions user… and match on user*). The admin role policy allows access to normal plus admin functions (name the functions admin… and match on user*, admin*). So now, if a normal user tries to call an admin function, AWS won't let them.

I believe it is free when AWS denies a function call like this, so if someone tries a million requests hacking the admin API, it doesn't cost anything.

@jonsmirl

If some normal users can only access several normal Lambda functions (such as services 1, 2, 5) and other normal users can access services 2, 5, 7, what should we do?

Does Cognito support creating as many groups as needed, not only two groups (admin/normal)?

You can make as many Cognito pools as you want. But you will need to come up with some scheme for getting the correct users into the pools.