Guidance on Cognito

Hey,
I’m building an application in which I plan to use the Cognito service. The app itself consists of gateway lambda functions, which are publicly available, but do JWT token checks for authentication. (Did not want to use the gateway authentication as it seemed way too tedious; I want everything in the .yml, without manual labor in the AWS console.)
In the .yml I’ve created a user pool/client and everything works fine, but I also need to add Facebook/Google/etc. login options. So I added an identity pool for those (and the previously mentioned user pool). Here is where I’m a bit confused: I have to add roles for the identity pool, but to my understanding I don’t need the roles, all I need is to get a token which I can then validate in my lambda functions.

The JS AWS SDK seems to hide a lot of stuff as well…

What do you think about such an approach? Is it OK, and how do I move forward?

I am not an expert, but I tried to explain some things.
I think you should have a look at [3] which lists different authorizers.

Cognito needs these roles to give authenticated users IAM rights/policies, e.g. direct access to an S3 bucket.
You can also give unauthenticated users permissions via an IAM role.
Authentication example (see [1]).

These should be the two roles - one for authenticated users and the other one for unauthenticated users.

Also, if you use AWS_IAM as authorizer for lambda, only users that are authenticated can access the lambda function (see [2]).

See also [3] and [4] for more on authorizers.

[1] Authentication example via JavaScript (use case 4)

[2] API Gateway - allow AWS_IAM as authorizer · Issue #2186 · serverless/serverless · GitHub

[3] Serverless authorizers - custom REST authorizer - DEV Community

[4] Serverless Framework - AWS Lambda Events - API Gateway

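To make the role question concrete, here is a constructed serverless.yml fragment (added to this thread, not taken from the poster's project or the linked issues) that keeps everything in the .yml: a user pool and client, an identity pool federating that pool plus Facebook, a single authenticated role whose trust policy is pinned to the identity pool, and an HTTP endpoint guarded by the AWS_IAM authorizer so API Gateway rejects unsigned or unauthorised calls before the Lambda runs. It assumes the long-form CloudFormation intrinsic functions, the `ApiGatewayRestApi` logical ID that the Serverless Framework generates for the REST API, and placeholder names/app IDs.

```yaml
service: cognito-demo            # hypothetical service name
provider: { name: aws, runtime: nodejs18.x }
functions:
  gateway:
    handler: handler.main
    events:
      # aws_iam: API Gateway verifies the caller's SigV4 signature and IAM policy, so
      # the function no longer has to validate a JWT on every request itself
      - http: { path: /me, method: get, authorizer: aws_iam }
resources:
  Resources:
    UserPool:
      Type: AWS::Cognito::UserPool
      Properties: { UserPoolName: demo-users }
    UserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties: { UserPoolId: { Ref: UserPool }, GenerateSecret: false }
    IdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        AllowUnauthenticatedIdentities: false   # no guest access, so no unauthenticated role
        CognitoIdentityProviders:
          - ClientId: { Ref: UserPoolClient }
            ProviderName: { Fn::GetAtt: [UserPool, ProviderName] }
        SupportedLoginProviders:
          graph.facebook.com: FACEBOOK_APP_ID_PLACEHOLDER   # placeholder, not a real app id
    AuthenticatedRole:                # the role Cognito hands to authenticated identities
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:     # trust only THIS identity pool, and only logged-in users
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: { Federated: cognito-identity.amazonaws.com }
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                StringEquals: { "cognito-identity.amazonaws.com:aud": { Ref: IdentityPool } }
                ForAnyValue:StringLike: { "cognito-identity.amazonaws.com:amr": authenticated }
        Policies:
          - PolicyName: invoke-api    # least privilege: only this one route may be invoked
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: execute-api:Invoke
                  Resource: { Fn::Sub: "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayRestApi}/*/GET/me" }
    RoleAttachment:                   # binds the role to the pool's "authenticated" slot
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId: { Ref: IdentityPool }
        Roles: { authenticated: { Fn::GetAtt: [AuthenticatedRole, Arn] } }
```

The client then exchanges its user-pool or Facebook token for temporary credentials from the identity pool and signs requests with them; the role's `execute-api:Invoke` grant is what lets those requests through the AWS_IAM authorizer, so widening the `Resource` to `*` would widen who can call what.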

Thanks, great links!
Now that I’m thinking about it, using AWS_IAM makes more sense than validating the request inside every single lambda function.