I want to call the AWS API Gateway endpoint, which is protected by AWS_IAM, using the generated JavaScript API SDK.
I have a Cognito User Pool and a Cognito Identity Pool. Both are correctly synchronized through the ClientId.
I use this code to sign in and get a Cognito identity:
```javascript
AWS.config.region = 'us-east-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

AWSCognito.config.region = 'us-east-1';
AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

var poolData = {
    UserPoolId: 'us-east-1_XXXXXXXX',
    ClientId: 'XXXXXXXXXXXXXXXXXXXXXXXX'
};
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);

var authenticationData = {
    Username: 'user',
    Password: '12345678'
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);

var userData = {
    Username: 'user',
    Pool: userPool
};
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);

cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        console.log('access token + ' + result.getAccessToken().getJwtToken());

        // Exchange the user pool ID token for identity pool credentials.
        // The Logins key is the user pool provider name:
        // cognito-idp.<region>.amazonaws.com/<user pool id>
        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXX',
            IdentityId: AWS.config.credentials.identityId,
            Logins: {
                'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXX': result.getIdToken().getJwtToken()
            }
        });

        AWS.config.credentials.get(function (err) {
            // now I'm using authenticated credentials
            if (err) {
                console.log('error in authenticating AWS ' + err);
            } else {
                console.log(AWS.config.credentials.identityId);
            }
        });
    },
    onFailure: function (err) {
        alert(err);
    }
});
```
All this succeeds, and now I have an authorized Cognito identity.
Now I'm trying to call the API Gateway endpoint to execute the Lambda function that it points to:
```javascript
// Build the generated client only after AWS.config.credentials.get() has
// completed; before that accessKeyId/secretAccessKey/sessionToken are still empty.
var apigClient = apigClientFactory.newClient({
    accessKey: AWS.config.credentials.accessKeyId,     // 'ACCESS_KEY'
    secretKey: AWS.config.credentials.secretAccessKey, // 'SECRET_KEY'
    sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN' - OPTIONAL: if you are using temporary credentials you must include the session token
    region: 'us-east-1' // OPTIONAL: the region where the API is deployed, by default this parameter is set to us-east-1
});

var params = {
    // This is where any modeled request parameters should be added.
    // The key is the parameter name, as it is defined in the API in API Gateway.
};

var body = {
    // This is where you define the body of the request.
    query: '{person {firstName lastName}}'
};

var additionalParams = {
    // If there are any unmodeled query parameters or headers that must be
    // sent with the request, add them here.
    headers: {},
    queryParams: {}
};

apigClient.graphqlPost(params, body, additionalParams)
    .then(function (result) {
        // Add success callback code here.
        console.log(result);
    })
    .catch(function (result) {
        // Add error callback code here.
        console.log(result);
    });
```
But, unfortunately, this fails. The OPTIONS request succeeds with 200, but the POST does not work and returns 403.
I am sure there is no CORS problem here.
I am sure the problem is with the IAM roles and AWS resource configurations.
My question is basically: can you provide me with all the necessary AWS resource configurations and IAM roles that are needed for this to work?
I have these resources:
- Gateway APIs - with API endpoints deployed
- Lambda function - called by the endpoint
- Cognito User Pool - application synchronized with the identity pool
- Cognito Identity Pool - with an authorized and unauthorized role assigned to it.
- IAM roles - for the Lambda function and the authorized and unauthorized role of the Cognito identity pool.
But I do not know how these resources need to be configured correctly in order to make this work.
Thanks.
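Added example (not part of the question above, and not code from AWS or the generated SDK): the two policy documents that the identity pool's authenticated role needs for an AWS_IAM-protected method, plus a small evaluator that checks which `execute-api` ARNs a permission policy would allow. The account id, API id, stage name and identity pool id below are constructed placeholders, and the IAM wildcard matching is a deliberately minimal model (explicit Deny wins, otherwise allowed only if some Allow statement matches both action and resource). AWS names the two identity pool roles "authenticated" and "unauthenticated"; the question calls them authorized and unauthorized.

```javascript
// Constructed placeholders - replace with the real values for your account.
const REGION = 'us-east-1';
const ACCOUNT_ID = '123456789012';                 // placeholder account id
const API_ID = 'abcde12345';                       // placeholder REST API id
const STAGE = 'prod';                              // placeholder stage name
const IDENTITY_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000'; // placeholder

// ARN form API Gateway uses when it authorizes an IAM-signed request:
// arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<resource-path>
function methodArn(method, path) {
  return `arn:aws:execute-api:${REGION}:${ACCOUNT_ID}:${API_ID}/${STAGE}/${method}/${path.replace(/^\//, '')}`;
}

// Trust policy for an identity pool role. Only identities federated through this
// exact pool may assume it, and the amr condition separates the authenticated role
// ('authenticated') from the unauthenticated one ('unauthenticated').
function trustPolicy(amr) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': IDENTITY_POOL_ID },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': amr },
      },
    }],
  };
}

// Permission policy for the authenticated role: invoke only the listed methods of
// this API and stage (least privilege). The unauthenticated role gets no such
// statement, so a request signed with its credentials is rejected with 403.
function invokePolicy(allowedMethods) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: 'execute-api:Invoke',
      Resource: allowedMethods.map(([method, path]) => methodArn(method, path)),
    }],
  };
}

// Turn an IAM pattern ('*' = any run of characters) into an anchored regex.
function patternToRegex(pattern) {
  const escaped = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$');
}

// Minimal evaluator: would this policy let the caller run execute-api:Invoke on arn?
function allowsInvoke(policy, arn) {
  let allowed = false;
  for (const statement of policy.Statement) {
    const actions = [].concat(statement.Action);
    const resources = [].concat(statement.Resource);
    const actionHit = actions.some((a) => patternToRegex(a).test('execute-api:Invoke'));
    const resourceHit = resources.some((r) => patternToRegex(r).test(arn));
    if (!actionHit || !resourceHit) continue;
    if (statement.Effect === 'Deny') return false; // explicit deny always wins
    allowed = true;
  }
  return allowed; // default deny when nothing matched
}

// The question's API exposes POST /graphql behind AWS_IAM; the OPTIONS preflight
// is normally left unauthenticated on the method itself, so it is not listed here.
const authenticatedRolePolicy = invokePolicy([['POST', '/graphql']]);
const authenticatedRoleTrust = trustPolicy('authenticated');

console.log(JSON.stringify(authenticatedRoleTrust, null, 2));
console.log(JSON.stringify(authenticatedRolePolicy, null, 2));
console.log('POST /graphql allowed:', allowsInvoke(authenticatedRolePolicy, methodArn('POST', '/graphql')));
console.log('GET /graphql allowed:', allowsInvoke(authenticatedRolePolicy, methodArn('GET', '/graphql')));
```

Two things this makes visible that the generated client hides: the signed request only passes if the method's authorization type is AWS_IAM and the role whose temporary credentials signed it carries `execute-api:Invoke` on that exact method ARN, and credentials obtained before the `Logins` map was set belong to the unauthenticated role, which has no such permission.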