In today’s digital landscape, building secure and scalable APIs is paramount for any successful application or service. Amazon Web Services (AWS) offers a powerful combination of services to achieve just that. In this blog, we’ll explore the seamless integration of Amazon Cognito, a robust user authentication and authorization service, with AWS Lambda, a serverless compute service, to create secure APIs. By leveraging the authentication capabilities of Cognito and the flexibility of Lambda functions, developers can ensure that their APIs are not only protected from unauthorized access but also effortlessly scalable to meet evolving demands.

Step 1: Setting up Lambda Function

  1. Begin by creating a Lambda function in the AWS Management Console.
  2. Define the function’s runtime environment and code logic according to your requirements.
  3. Ensure that your Lambda function is properly configured to handle incoming requests and generate appropriate responses.
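The handler below is an added example (not the original post's code) of what a Lambda function behind an API Gateway REST method protected by a Cognito user pool authorizer can look like. Once the authorizer is attached (Step 6 and Step 8), API Gateway validates the JWT and places the verified claims in `event["requestContext"]["authorizer"]["claims"]`; the handler reads the caller's identity from there and refuses requests that arrive without claims, which happens when a method is deployed without the authorizer. The event and the claim values are constructed sample data.

```python
"""Lambda handler for an API Gateway REST API (Lambda proxy integration)
behind a Cognito user pool authorizer. Added example, not from the post."""
import json


def _claims(event):
    """Return the Cognito claims API Gateway attached, or None if absent."""
    return (
        (event.get("requestContext") or {})
        .get("authorizer", {})
        .get("claims")
    )


def _response(status, body):
    """Build a Lambda proxy integration response."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def lambda_handler(event, context):
    claims = _claims(event)
    if not claims:
        # Defense in depth: no authorizer ran (method deployed without one,
        # or the stage was not redeployed). Do not serve anonymous callers.
        return _response(401, {"message": "Unauthorized"})

    # The identity comes from claims API Gateway already verified, never
    # from headers or the request body the client controls.
    return _response(200, {
        "message": "Hello, %s" % claims.get("email", claims["sub"]),
        "sub": claims["sub"],
        "method": event.get("httpMethod"),
        "path": event.get("path"),
    })


# Constructed sample event in the shape API Gateway sends after a Cognito
# authorizer has validated the ID token (values are placeholders).
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/hello",
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "user@example.com",
                "token_use": "id",
                "aud": "exampleclientid12345",
            }
        }
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
    print(lambda_handler({"httpMethod": "GET", "path": "/hello"}, None))
```

The 401 branch is the part worth keeping in a real function: it turns a misconfigured or forgotten authorizer into a visible failure instead of an open endpoint.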

Create a Lambda function:

Step 2: Creating API Gateway

  • Navigate to the API Gateway service in the AWS Management Console and create a new API.
  • Define the resources and methods for your API, specifying the integration with the Lambda function created in the previous step.
  • Configure any additional settings such as request and response mappings as needed.

Create a method in API Gateway by integrating it with the Lambda function created earlier:

This image shows the integration of API Gateway with the Lambda function created earlier:

Step 3: Deploying API Gateway

Once your API is configured, deploy it to a stage to generate an Invoke URL. This URL will serve as the endpoint for accessing your API and invoking the associated Lambda function.

Deploy the API by creating a new stage:

Step 4: Setting Up Amazon Cognito User Pool

  • Switch to the Amazon Cognito service in the AWS Management Console and create a new User Pool.
  • Configure the user pool settings, including attributes, policies, and authentication methods, to align with your application’s requirements.

Go to Cognito console and click on Create User pool:

In the next step you can set up the password according to your requirements:

Set up the next steps according to your requirements:

On the next step you can choose the email sender according to your requirement.

(We are using the ‘Send email with Cognito’ option for this demo.)

In the next step give your user pool a name and click on “Use the Cognito Hosted UI”.

Give a custom domain name:

In the next step review your configurations and click on Create User Pool.

Step 5: Creating User Accounts

  • Access the Hosted UI for your Cognito User Pool and navigate to the sign-up page.
  • Create user accounts by entering the required details and completing the registration process.

Go to the user pool you created and navigate to App integration where you will find the App Client created earlier:

Click on the app client where you will find the Hosted UI URL:

Click on View Hosted UI which will take you to the Hosted UI URL:

Click on Sign up and create a user:

You will get a verification code in your email. After that you can see the created user:

Step 6: Configuring Authorizer in API Gateway

  • Return to the API Gateway console and navigate to the “Authorizers” section.
  • Create a new authorizer and select “Cognito” as the type.
  • Specify the User Pool ID and App Client ID associated with your Cognito User Pool.

Go to the API Gateway console, navigate to Authorizers in the left panel and click on Create Authorizer:

Step 7: Generating Authorization Token

Access the AWS CloudShell or any other terminal interface and execute the command to obtain the authorization token.

Enter the following command:

aws cognito-idp admin-initiate-auth --user-pool-id <userpoolid> --client-id <clientid> --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=<username>,PASSWORD=<password>

Replace <userpoolid> with the ID of the user pool, <clientid> with the app client ID, and <username> and <password> with the user name and password created while signing up in the Hosted UI.

(This token will be used to authenticate requests to your API endpoints secured with Amazon Cognito.)
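The command prints a JSON document whose `AuthenticationResult` contains an `IdToken`, an `AccessToken` and a `RefreshToken`. The API Gateway Cognito authorizer created in Step 6 expects the ID token (unless OAuth scopes are configured on the method) and rejects it when `aud` is not the app client ID, `iss` is not the user pool, or `exp` has passed, so a 401 from Postman in Step 9 is often one of those rather than a wrong password. The script below is an added example, not part of the original post: it picks the `IdToken` out of the CLI output and decodes its payload to report which of those checks would fail. It does not verify the signature (API Gateway does that against the pool's JWKS), so it is a debugging aid only. The region, pool ID, client ID and the tokens are constructed placeholders; the CLI flow itself requires the app client to allow the admin user-password flow and the caller to hold `cognito-idp:AdminInitiateAuth` permission.

```python
"""Pre-flight check of the ID token returned by admin-initiate-auth before
it goes into the Authorization header. Added example, not from the post.
Decodes the JWT payload only; no signature verification is performed."""
import base64
import json
import time

# Constructed placeholders standing in for the IDs shown in the console.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid12345"


def _b64url_decode(segment):
    """Decode base64url without padding, as used in JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt):
    """Return the payload claims of a JWT. The signature is NOT checked."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(cli_output, pool_id, client_id, region, now=None):
    """Take the CLI JSON, return (IdToken, list of problems the authorizer
    would report). An empty list means the token should be accepted."""
    now = time.time() if now is None else now
    result = json.loads(cli_output)["AuthenticationResult"]
    token = result["IdToken"]
    claims = decode_claims(token)
    problems = []
    if claims.get("token_use") != "id":
        problems.append("token_use is %r, expected 'id'" % claims.get("token_use"))
    if claims.get("aud") != client_id:
        problems.append("aud does not match the app client ID")
    expected_iss = "https://cognito-idp.%s.amazonaws.com/%s" % (region, pool_id)
    if claims.get("iss") != expected_iss:
        problems.append("iss does not match the user pool")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return token, problems


def _unsigned_jwt(claims):
    """Build a constructed, unsigned JWT so the demo runs offline."""
    def enc(d):
        raw = json.dumps(d).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed stand-in for the admin-initiate-auth output (exp is a fixed
# future epoch so the check is deterministic; a real ID token lasts 1 hour).
SAMPLE_CLI_OUTPUT = json.dumps({
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": _unsigned_jwt({
            "sub": "11111111-2222-3333-4444-555555555555",
            "token_use": "access", "client_id": APP_CLIENT_ID,
            "exp": 1800000000,
        }),
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "IdToken": _unsigned_jwt({
            "sub": "11111111-2222-3333-4444-555555555555",
            "email": "user@example.com", "token_use": "id",
            "aud": APP_CLIENT_ID,
            "iss": "https://cognito-idp.%s.amazonaws.com/%s" % (REGION, USER_POOL_ID),
            "exp": 1800000000,
        }),
        "RefreshToken": "constructed-refresh-token",
    },
})

if __name__ == "__main__":
    token, problems = check_id_token(SAMPLE_CLI_OUTPUT, USER_POOL_ID,
                                     APP_CLIENT_ID, REGION, now=1700000000)
    print("problems:", problems or "none; use this token as the Authorization header value")
```

With real CLI output, run `aws cognito-idp admin-initiate-auth ... > auth.json` and pass the file contents to `check_id_token` with your pool ID, client ID and region. The list of problems tells you whether the 401 you would get from API Gateway is caused by the token itself.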

Step 8: Integrating Authorizer with API Gateway

  • Edit the method request settings for your API endpoints in API Gateway.
  • Configure the previously created Cognito authorizer to secure access to the endpoints.
  • Save the changes and redeploy your API to apply the updated configuration.

Step 9: Testing the API with Postman

  • Download and install Postman, a popular API testing tool, if you haven’t already.
  • Launch Postman and create a new request.
  • In the request settings, enter the API endpoint URL obtained after deploying the API Gateway.
  • Configure the request headers, including the Authorization header with the authorization token obtained from Amazon Cognito.
  • Optionally, add any necessary request parameters or body content depending on the API’s requirements.
  • Send the request and observe the response from the API.
  • Verify that the response status code is as expected and that the API behaves correctly according to its defined logic.
  • Use Postman’s features to perform additional testing, such as sending different types of requests (e.g., GET, POST, PUT) and exploring response data.
  • Repeat the testing process with different scenarios to ensure that your API functions as intended under various conditions.

By following these sequential steps, you can seamlessly integrate Amazon Cognito with AWS Lambda to enhance the security of your APIs.