Shared API Gateway COGNITO_USER_POOLS Authorizer across services

Serverless Framework
1

I would like to reuse the same COGNITO_USER_POOLS Authorizer across multiple micro-services as in the same format as the API Gateway using Resource Outputs.

I am able to successfully create the resource in the same serverless deployment as the apigateway. But having trouble loading it and making it available for separate micro-services…

I tried using the “name” I created in the original service in each micro-service. But I get the error:
"Function “CustomAuthorizerName” doesn’t exist in this Service…

possible to use the same authorizer across each micro-service? When I export the Authorizer Ref, I only get an Authorizer ID not ARN.

Any advice to share a COGNITO_USER_POOLS Authorizer across multiple services? Many thanks!!

2

You need to output from the arn for the user pool from the stack that creates it then set the authorizer in the other stack using that ARN. To get the ARN for a user pool you need to use Fn::GetAtt. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html

3

Thaks @buggy. Appreciate the help!!
As noted, I have the resource working just fine, it is attaching that resource to -http events on later microservices that is the problem.

I create the resource like this:

resources:
  Resources:
    MyCognitoAuthorizer: # using this as authorizer for all endpoints
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: MyCognitoAuthorizer
        AuthorizerResultTtlInSeconds: 60
        IdentitySource: method.request.header.Authorization
        IdentityValidationExpression: Bearer (.*)
        ProviderARNs:
          - arn:aws:cognito-idp:us-east-1:###accountid###:userpool/###userpoolid###
        RestApiId:
          'Fn::ImportValue': apiGateway-restApiId
        Type: COGNITO_USER_POOLS

  Outputs:
    apiGatewayAuthorizerId:
      Value:
        Ref: MyCognitoAuthorizer
      Export:
        Name: apiGateway-authorizerId

And that works great. The problem is when I run the next microservice, I cant reference MyCognitoAuthorizer because it is not part of that service, I cant use the output because its only the authorizer ID. So the question is, how do I make the resource “known” to the other microservices. like in this example which is in a separate file/microservice:

functions:
  apiSpecialRead:
    environment:
      DEBUG: 'false'
    events:
      - http:
          path: /special_path
          method: get
          cors: ${self:custom.global.cors}
          authorizer: ###WHAT GOES HERE###

I tried placing the ARN of the user pool in the “###WHAT GOES HERE###” and it worked for the first service, the second service failed.

4

Long version: https://serverless.com/framework/docs/providers/aws/events/apigateway#share-authorizer

If I understand the docs correctly then the short version is:

functions:
  apiSpecialRead:
    environment:
      DEBUG: 'false'
    events:
      - http:
          path: /special_path
          method: get
          cors: ${self:custom.global.cors}
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: ${cf:YOUR-OTHER_STACK.apiGateway-authorizerId}

Just replace YOUR-OTHER_STACK with the name of your other stack.

2 Likes
5

That is working now. I will love you forever.

Thank you!

1 Like