Hello, sorry if this question seems a bit noobish but I am looking for a solution to set up authorization for a specific use case.
In the application I am currently developing, normal users will use Cognito user pools to access a GraphQL endpoint, and the usual sign up/sign in/forgot password functionalities will be required. No surprise there.
There are several other endpoints which will NOT be accessible to normal users, but only to external partners.
We do not need to store information such as emails, phone, … In a sense, our ‘users’ in this case are companies, which would use a single shared account. Knowing which partner pushed which information could be done via the accountId present in the HTTP headers.
For this specific use case, I was thinking about simply using an aws_iam account with a very restricted set of policies to call our protected functions, along with an aws_iam authorizer.
Does this seem like a workable solution? Is there another authorizer solution which seems like a better fit for the second use case?
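One way the restricted policy for the partner credentials could look, as an added example that is not part of the post above: an identity-based policy attached to the partner's IAM user or role that allows `appsync:GraphQL` only on the specific fields the partner is meant to call, assuming an AppSync API with the `AWS_IAM` authorization mode enabled alongside the Cognito user pool mode. `REGION`, `ACCOUNT_ID` and `API_ID` are placeholders, and the field names `pushPartnerData` and `getPartnerStatus` are hypothetical.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PartnerFieldsOnly",
      "Effect": "Allow",
      "Action": "appsync:GraphQL",
      "Resource": [
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Mutation/fields/pushPartnerData",
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Query/fields/getPartnerStatus"
      ]
    }
  ]
}
```

Every field outside the listed ARNs is implicitly denied, so the fields meant for Cognito users stay unreachable with these credentials even though they live on the same API. On the resolver side, AppSync exposes the signing principal of an IAM caller in `$context.identity` (`accountId`, `userArn`); that identity is established by the SigV4 signature on the request, whereas a plain `accountId` header is set by the client. Deriving "which partner pushed this" from `$context.identity` rather than from a client-supplied header means one partner cannot claim another partner's identity, and giving each partner its own IAM user or role, instead of one credential shared by all partners, keeps that attribution meaningful and lets a single partner's keys be rotated or revoked without affecting the others.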