Using aws apigateway with cognito
To integrate AWS API Gateway with Amazon Cognito, we'll create a REST API, define a method on it, and attach an authorizer that validates tokens issued by an Amazon Cognito User Pool. API Gateway is the service for creating, publishing, maintaining, and securing APIs; Cognito handles user sign-up, sign-in, and issues the JSON Web Tokens (JWTs) that clients present to the API.
Here are the general steps we will undertake in the Pulumi program:
- Create an Amazon Cognito User Pool to manage user sign-up and sign-in.
- Create an API Gateway Rest API to define the entry point for the API.
- Set up an API Gateway Authorizer of type COGNITO_USER_POOLS that references the user pool, so API Gateway verifies the caller's token against that pool's signing keys.
- Define a resource and method on the API Gateway that requires authorization through the Cognito User Pool.
Let's begin by crafting a Pulumi TypeScript program to accomplish this:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a Cognito User Pool that holds the users who sign up and sign in.
const userPool = new aws.cognito.UserPool("myUserPool", {
    // Verify the e-mail attribute automatically during sign-up.
    autoVerifiedAttributes: ["email"],
});

// Create a User Pool Client. API Gateway does not use it; client applications
// use it to sign in and obtain the JWTs they later send to the API.
const userPoolClient = new aws.cognito.UserPoolClient("myUserPoolClient", {
    userPoolId: userPool.id,
});

// Create the API Gateway REST API (the container for resources and methods).
const api = new aws.apigateway.RestApi("myApi", {
    description: "API Gateway with Cognito authorizer",
});

// Create a resource under the API root, i.e. /user.
const userResource = new aws.apigateway.Resource("userResource", {
    restApi: api.id,
    parentId: api.rootResourceId,
    pathPart: "user",
});

// Create an authorizer that validates JWTs issued by the User Pool.
const authorizer = new aws.apigateway.Authorizer("myAuthorizer", {
    restApi: api.id,
    type: "COGNITO_USER_POOLS",
    providerArns: [userPool.arn],
    // Header the token is read from. This is the default, shown for clarity.
    identitySource: "method.request.header.Authorization",
});

// GET /user, allowed only for callers presenting a valid token from the pool.
const userMethod = new aws.apigateway.Method("userMethod", {
    restApi: api.id,
    resourceId: userResource.id,
    httpMethod: "GET",
    authorization: "COGNITO_USER_POOLS",
    authorizerId: authorizer.id,
});

// A method must have an integration before the API can be deployed. A MOCK
// integration stands in for a real backend (Lambda, HTTP, AWS service) here.
const userIntegration = new aws.apigateway.Integration("userIntegration", {
    restApi: api.id,
    resourceId: userResource.id,
    httpMethod: userMethod.httpMethod,
    type: "MOCK",
    requestTemplates: { "application/json": '{"statusCode": 200}' },
});

// Method and integration responses so the MOCK backend returns a 200 body.
const userMethodResponse = new aws.apigateway.MethodResponse("userMethodResponse", {
    restApi: api.id,
    resourceId: userResource.id,
    httpMethod: userMethod.httpMethod,
    statusCode: "200",
});

const userIntegrationResponse = new aws.apigateway.IntegrationResponse("userIntegrationResponse", {
    restApi: api.id,
    resourceId: userResource.id,
    httpMethod: userMethod.httpMethod,
    statusCode: userMethodResponse.statusCode,
    responseTemplates: { "application/json": '{"message": "authenticated"}' },
}, { dependsOn: [userIntegration] });

// Create the deployment only after the method and its integration exist.
const deployment = new aws.apigateway.Deployment("apiDeployment", {
    restApi: api.id,
}, { dependsOn: [userMethod, userIntegration, userIntegrationResponse] });

// Expose the deployment through a "prod" stage. Newer versions of the AWS
// provider expect a separate Stage resource rather than stageName on the
// Deployment.
const stage = new aws.apigateway.Stage("prodStage", {
    restApi: api.id,
    deployment: deployment.id,
    stageName: "prod",
});

// Outputs: identifiers a client needs to sign in, and the protected URL.
export const userPoolId = userPool.id;
export const userPoolClientId = userPoolClient.id;
export const invokeUrl = pulumi.interpolate`${stage.invokeUrl}/${userResource.pathPart}`;
```

Explanation of the resources:

- `aws.cognito.UserPool`: Creates a new Amazon Cognito User Pool where your application's users sign up and sign in.
- `aws.cognito.UserPoolClient`: An app client of the pool. Applications use it to authenticate users and receive ID, access, and refresh tokens; the API itself only needs the pool's ARN.
- `aws.apigateway.RestApi`: Defines the base REST API resource in API Gateway, which acts as a container for your API resources.
- `aws.apigateway.Resource`: Represents a path segment that can be a parent to other resources. A resource must have one parent (which can be the root resource) and a path part that is unique under that parent.
- `aws.apigateway.Authorizer`: Checks that the token in the Authorization header was signed by the referenced user pool, is addressed to one of its app clients, and has not expired. It authenticates the caller; it does not decide what the caller may do. Restricting access to particular users or groups requires `authorizationScopes` on the method or checks in the backend.
- `aws.apigateway.Method`: Represents an HTTP method on a resource and carries the authorization setting.
- `aws.apigateway.Integration` (with `MethodResponse` and `IntegrationResponse`): Connects the method to a backend. A MOCK integration is used here so the API can be deployed and tested without one.
- `aws.apigateway.Deployment` and `aws.apigateway.Stage`: Snapshot the API configuration and publish it under a stage name, which makes the API callable.

The last export is the invoke URL of the prod stage with the `/user` path appended. A request to that URL must carry an `Authorization` header containing a valid ID token issued by the user pool; API Gateway rejects requests with a missing, expired, or tampered token with 401 Unauthorized before they reach the integration.