A little confused with authorizers and permissions…
If, in my custom authorizer, I am able to add logic that enables me to know whether a user is of a certain role type, let's say a hypothetical USER or ADMIN_USER role type, then how can I use this info to allow a ‘special’ API Gateway request (that requires an ADMIN_USER invoker) to execute or not? I know I can return an ‘allow’ or ‘deny’ policy, but from the API Gateway point of view how do I tell it that only ADMIN_USER can execute it?
Is the answer to have 2 different custom authorizers, e.g. UserAuthorizer and AdminAuthorizer, and then for example use AdminAuthorizer for my special API Gateway and UserAuthorizer for all others?
But if I use one authorizer, doesn't it mean that this authorizer has to do some sort of checking of a whole list of allowed method ARNs and allowed roles for those methods? Meaning that as time goes by I would need to keep maintaining a mapping of method ARNs -> roles in the authorizer?
To do this with Cognito and AWS_IAM authentication on API Gateway you’d use two different Identity pools, one for normal users, one for admins. When you log in via those two pools you receive two different roles. The role policy for normal users only allows access to the normal lambda functions (name the functions user… and match on user*). The admin role policy allows access to normal plus admin functions (name the functions admin… and match on user*, admin*). So now if a normal user tries to call an admin function, AWS won’t let them.
I believe it is free when AWS denies a function call like this, so if someone tries a million requests hacking the admin API it doesn’t cost anything.
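As an added example (not code from the original thread or from either commenter), the following Python Lambda authorizer shows the single-authorizer answer to the question above: instead of a bare Allow/Deny for the one method being called, it returns an IAM policy document whose Resource entries use wildcards built from the same kind of naming convention the reply describes (user* / admin* paths), so the only thing to maintain is a role -> path-pattern table, not a list of method ARNs. The role names USER and ADMIN_USER, the `/user/...` and `/admin/...` path convention, the `Bearer <role>:<user>` token format (a stand-in for real token validation) and the API identifiers are all assumptions for illustration. The same Allow statement shape, written against execute-api ARNs, is what would go into the identity-pool role policies in the Cognito/AWS_IAM variant from the reply; the table also extends to any number of roles. Note that API Gateway caches the returned policy per token, so the policy must cover every method the caller may use, not only the one that triggered the authorizer.

```python
"""Single Lambda (custom) authorizer that maps a caller's role to the
API Gateway methods it may invoke and returns one IAM policy for all of them.

Added example, not from the original thread. Role names, path naming
convention, token format and ARNs are illustrative assumptions.
"""
import fnmatch

# Role -> "<verb>/<path>" patterns relative to the API stage. This table is the
# whole mapping to maintain; naming paths by prefix (assumed convention)
# means new methods under /user/ or /admin/ need no authorizer change.
ROLE_RESOURCES = {
    "USER": ["*/user/*"],
    "ADMIN_USER": ["*/user/*", "*/admin/*"],
}


def role_from_token(token):
    """Stand-in for real token validation.

    Assumed token format: 'Bearer <role>:<user>'. A real authorizer would
    verify a signed token (e.g. a JWT) and read the role from its claims.
    """
    if not token or not token.startswith("Bearer "):
        raise PermissionError("Unauthorized")
    role, _, user = token[len("Bearer "):].partition(":")
    if role not in ROLE_RESOURCES or not user:
        raise PermissionError("Unauthorized")
    return role, user


def build_policy(principal_id, role, method_arn):
    """Return an authorizer response covering every method the role may call.

    method_arn format:
      arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}
    The policy is cached per token by API Gateway, so it must list all
    resources the caller is entitled to, not just method_arn.
    """
    api_arn, stage, _ = method_arn.split("/", 2)
    patterns = ROLE_RESOURCES.get(role, [])
    if patterns:
        statement = {
            "Action": "execute-api:Invoke",
            "Effect": "Allow",
            "Resource": [f"{api_arn}/{stage}/{p}" for p in patterns],
        }
    else:  # unknown role: explicit Deny on the requested method
        statement = {
            "Action": "execute-api:Invoke",
            "Effect": "Deny",
            "Resource": [method_arn],
        }
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": {"role": role},  # available to the backend as $context.authorizer.role
    }


def lambda_handler(event, context):
    """TOKEN authorizer entry point."""
    try:
        role, user = role_from_token(event.get("authorizationToken", ""))
    except PermissionError:
        # API Gateway turns this exact message into an HTTP 401 response.
        raise Exception("Unauthorized")
    return build_policy(user, role, event["methodArn"])


def policy_allows(policy, method_arn):
    """Local check mimicking how API Gateway evaluates the returned policy:
    an explicit Deny on a matching resource wins, otherwise any matching
    Allow grants access. IAM's '*' matches across '/' like fnmatch's does."""
    allowed = False
    for st in policy["policyDocument"]["Statement"]:
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample ARNs (account, API id and paths are made up).
    base = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod"
    user_arn = f"{base}/GET/user/profile"
    admin_arn = f"{base}/GET/admin/users"
    bob = lambda_handler({"authorizationToken": "Bearer USER:bob", "methodArn": user_arn}, None)
    alice = lambda_handler({"authorizationToken": "Bearer ADMIN_USER:alice", "methodArn": admin_arn}, None)
    print("bob   -> /user/profile:", policy_allows(bob, user_arn))      # True
    print("bob   -> /admin/users: ", policy_allows(bob, admin_arn))     # False
    print("alice -> /admin/users: ", policy_allows(alice, admin_arn))   # True
    print("alice -> /user/profile:", policy_allows(alice, user_arn))    # True
```

The design point is that the authorizer's job is to translate identity into a policy, and the policy is where the role-to-method mapping lives; API Gateway then enforces it on every request using the cached document. Keep the deny-by-default behaviour for unknown roles, and if the role table ever needs per-user exceptions, that is the point to look at Cognito groups mapped to separate IAM roles rather than growing the authorizer.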
If some normal users can only access several normal Lambda functions (such as services 1, 2 and 5) and other normal users can access services 2, 5 and 7, what should we do?
Does Cognito support creating as many groups as needed, not only two groups (admin/normal)?