
I am using a Cognito user pool with user groups and I have an AWS API Gateway with a custom authorizer. The authorizer can generate a valid IAM policy and things go well so far. I would like to generate more specific IAM policies based on user groups but I cannot get the user groups information in the authorizer. My integration request mappings are:

"groups" : "$context.authorizer.claims['cognito:groups']"

but in the authorizer I get

{
  "type": "TOKEN",
  "authorizationToken": "...",
  "methodArn": "arn:aws:execute-api:eu-west-1:...:.../test/GET/bills"
}

How can I get the user groups attribute in the authorizer?

1 Answer

The puzzle solved: the mappings were OK, but they are actually a "bridge" between the API Gateway and the lambda, so they delivered the information to the "target" lambda function and not to the authorizer, which is a sort of "interceptor" in this case.

The way to get the user groups in the authorizer is to call

CognitoIdentityServiceProvider.adminListGroupsForUser()

which works fine for this purpose.


4 Comments

Call that from where? In the Authorizer?
@AaronMcMillin Yes, I call that in the authorizer.
How did you get Cognito username to call adminListGroupsForUser() within authorizer.js?
@Ohsik The username is a part of the token payload.
