Context: I have an api-gateway with a custom authorizer that validates a JWT. The authorizer gives back broad resource permissions. Something like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": "arn:aws:execute-api:us-east-1:XXX:XXX/*"
    }
  ]
}

Question: I would like to add another authorizer (call it cognito authorizer) for some endpoints that require a different type of authentication. But I am unsure how the authorizer caching works, the scenario I am afraid of:

  • User calls the endpoint /animals with the custom authorizer, api-gw stores the IAM-policy together with the caching key (in this case, the authorization header)
  • User calls the endpoint /cars that is protected by the custom authorizer, cache hit and IAM policy allows calling the endpoint without hitting the authorizer again
  • User calls the endpoint /cognito, with the same credentials as for /animals. Does the cognito authorizer get called, or can it potentially just evaluate the cached IAM policy tied to the custom authorizer? Thus bypassing any cognito checks?

Is the cache policy tied to some key + authorizerId? Meaning if I try to call another endpoint in my api-gw with a different authorizer, the cache is never hit? When I try it, it seems to hit the cognito authorizer and there is no cache hit, but I can't find official docs backing it up.

Thanks!
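The second bullet of the question is the part worth engineering around regardless of how the cross-authorizer question resolves: once a policy is cached under the token value, the gateway reuses that stored policy for other methods guarded by the same authorizer, so a wildcard `Resource` of `.../*` grants every method in the API for the lifetime of the cache entry. The example below is added here and is not code from the question; it shows a Lambda TOKEN authorizer handler that returns a policy listing only the routes the caller's JWT scopes permit, plus a small evaluator that mimics how the gateway applies a cached policy to a later request, so the difference between the broad policy above and a scoped one can be checked directly. The scope-to-route table, the `claims_from_token` stand-in for JWT verification, and the account/API ids are constructed sample values.

```python
"""Added example: least-privilege policy from a Lambda authorizer, plus a
mimic of how a cached policy is applied to later requests.

Assumptions (hypothetical): JWT signature/expiry verification has already
happened and `claims_from_token` stands in for it; scope names, account id
and API id are constructed sample values, not taken from any real API.
"""
import fnmatch
from typing import Dict, List

# Constructed sample mapping: JWT "scope" claim -> "{VERB}/{path}" routes it may call.
SCOPE_TO_ROUTES: Dict[str, List[str]] = {
    "animals:read": ["GET/animals", "GET/animals/*"],
    "cars:read": ["GET/cars"],
}


def parse_method_arn(method_arn: str) -> dict:
    """Split an execute-api method ARN into its parts.

    Format: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}
    """
    arn_prefix, api_part = method_arn.split("/", 1)
    _, _, _, region, account, api_id = arn_prefix.split(":")
    stage, verb, path = api_part.split("/", 2)
    return {"region": region, "account": account, "api_id": api_id,
            "stage": stage, "verb": verb, "path": path}


def resource_arn(parts: dict, route: str) -> str:
    """Rebuild a method ARN for another route in the same API and stage."""
    return (f"arn:aws:execute-api:{parts['region']}:{parts['account']}:"
            f"{parts['api_id']}/{parts['stage']}/{route}")


def build_policy(principal_id: str, method_arn: str, scopes: List[str]) -> dict:
    """Return the authorizer response, allowing only routes the scopes grant.

    The same document is what the gateway would cache and reuse for other
    methods behind this authorizer, so it enumerates routes instead of '/*'.
    An explicit Deny on '/*' is deliberately NOT added: Deny overrides Allow
    in IAM evaluation and would cancel the listed routes.
    """
    parts = parse_method_arn(method_arn)
    allowed = sorted({resource_arn(parts, route)
                      for scope in scopes
                      for route in SCOPE_TO_ROUTES.get(scope, [])})
    if allowed:
        statements = [{"Action": "execute-api:Invoke", "Effect": "Allow",
                       "Resource": allowed}]
    else:
        # Nothing granted: deny the requested method explicitly.
        statements = [{"Action": "execute-api:Invoke", "Effect": "Deny",
                       "Resource": method_arn}]
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": statements}}


def policy_allows(policy_document: dict, method_arn: str) -> bool:
    """Minimal mimic of execute-api policy evaluation on a cached document:
    explicit Deny wins, then Allow, otherwise implicit deny. '*' matches any
    characters including '/', as it does in IAM resource patterns."""
    decision = False
    for stmt in policy_document["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            decision = True
    return decision


def claims_from_token(token: str) -> dict:
    """Stand-in for real JWT verification (hypothetical); constructed claims."""
    sample = {"token-alice": {"sub": "alice", "scopes": ["animals:read"]}}
    if token not in sample:
        raise Exception("Unauthorized")  # gateway maps this to a 401
    return sample[token]


def handler(event: dict, context=None) -> dict:
    """Lambda TOKEN authorizer entry point: event carries the header value
    (also the cache key) as 'authorizationToken' and the called 'methodArn'."""
    claims = claims_from_token(event["authorizationToken"])
    return build_policy(claims["sub"], event["methodArn"], claims["scopes"])


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/animals"
    doc = handler({"authorizationToken": "token-alice", "methodArn": arn})
    cars = resource_arn(parse_method_arn(arn), "GET/cars")
    print("scoped policy allows /cars on cache hit:",
          policy_allows(doc["policyDocument"], cars))
```

Running the block prints `False` for the scoped policy, whereas the `/*` policy quoted in the question evaluates to `True` for `/cars` on the same cache hit; the `context` parameter is unused and the `__main__` block is only there so the file can be run by hand.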
