This pattern creates an Amazon Gateway API (v2) and two Lambda functions protected by JwtAuthorizer and Cognito for user management.
Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/apigw-http-api-cognito-lambda-cdk
Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
- Create an AWS account if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
- AWS CLI installed and configured
- Git Installed
- AWS Cloud Development Kit (AWS CDK) installed
-
Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
git clone https://github.com/aws-samples/serverless-patterns
-
Change directory to the pattern directory:
cd apigw-http-api-cognito-lambda-cdk -
Install dependencies
npm install
-
Deploy the stack to your default AWS account and region. The output of this command should give you the HTTP API URL.
cdk deploy
-
Note the outputs from the CDK deployment process. These contain the resource names and/or ARNs which are used for testing.
This pattern creates an Amazon API Gateway API HTTP API and two endpoints. The first endpoint is unprotected (no authentication/authorization) and integrate with a unprotected accessible Lambda function. The second endpoint is protected by a JWTAuthorizer that use Coginto as IDP and it integrates with a protected accessible Lambda function.
Pre-requisites
- Update the variables with the outputs of your stack.
API_URL="<your api URL>" POOL_ID="<your pool ID>" CLIENT_ID="<your client ID>"
- Set the variables for the fake user to be created
EMAIL="[email protected]" PASSWORD="S3cuRe#FaKE*"
Unprotected endpoint
To test the unprotected endpoint, send a HTTP GET request command to the HTTP API unprotected endpoint. Be sure to update the endpoint with outputs of your stack. The response payload should shows Hello Unprotected Space.
curl ${API_URL}/unprotectedProtected endpoint To test the protected endpoint:
- First sign-up the fake user against Cognito.
aws cognito-idp sign-up \ --client-id ${CLIENT_ID} \ --username ${EMAIL} \ --password ${PASSWORD}
- Confirm the fake user to Cognito
aws cognito-idp admin-confirm-sign-up \ --user-pool-id ${POOL_ID} \ --username ${EMAIL}
- Then you send the authentication data and Cognito will return the token.
TOKEN=$(aws cognito-idp initiate-auth \ --client-id ${CLIENT_ID} \ --auth-flow USER_PASSWORD_AUTH \ --auth-parameters USERNAME=${EMAIL},PASSWORD=${PASSWORD} \ --query 'AuthenticationResult.AccessToken' \ --output text)
- Send an HTTP GET request to the API Gateway with the JWT token, which will verify the token call the protected Lambda function.
curl -H "Authorization: ${TOKEN}" ${API_URL}/protected
- The result payload should display
Hello Protected Space!
Run the given command to delete the resources that were created. It might take some time for the CloudFormation stack to get deleted.
cdk destroyCopyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0