I need some help understanding the options for handling the following scenario:
I have created a serverless service which creates a Cognito User Pool and API endpoints etc. I have two web apps which access the same user pool and API endpoints: a user app and an admin app. I have protected the API endpoints using a Cognito authorizer. So far so good. However, some of the endpoints should be accessible only via the admin app and only admins should be able to log into this app. What are my options for handling this scenario using AWS services/Serverless Framework?
I have already experimented with using AWS IAM authorization, which would seem to be one option, but I found it very cumbersome to set up (especially the AWS Sig v4 part) and I suspect it is overkill for my needs. I can’t see how I might use a Cognito authorizer, as these don’t appear to distinguish between different groups of users in the user pool. I’m wondering whether I could use an API key to protect the admin endpoints whilst continuing to use a Cognito authorizer for the user endpoints? Can the two be combined in one serverless service? And how could I restrict authentication in the admin app to just admins?
I realise this is a common problem, so I’m sure there must be some good options out there. Any pointers much appreciated.