The CloudFormation template

The template starts as usual, with a template version and a description:

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Building Cognito API with AWS CloudFormation

We will then create the RestApi resource, as follows:

Resources:
  MyFirstRestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Greeting API
      Description: API for greeting a user
      FailOnWarnings: true

Next, we will create an authorizer of the type COGNITO_USER_POOLS:

  CustomCognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: FirstCognitoAuthorizer
      RestApiId: !Ref MyFirstRestAPI
      Type: COGNITO_USER_POOLS
      ProviderARNs:
        - Fn::Sub:
            - arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPoolId}
            - UserPoolId: !ImportValue MyFirstUserPoolId
      IdentitySource: method.request.header.Authorization

The value for the Name property cannot contain spaces, unlike many other name properties. Also, note that we have imported the user pool ID exported by the stack from the first recipe of this chapter, to build the provider ARN. IdentitySource tells API Gateway where to look for the token: every request to a method that uses this authorizer must carry the user pool's JWT in the Authorization header, and API Gateway verifies its signature, expiry and issuer against that pool. Keep in mind that this only proves the caller is a user of the pool listed in ProviderARNs; it does not, by itself, restrict which users may call the method.

The resource definition is similar to what you have seen before:

  GreetingResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref MyFirstRestAPI
      ParentId: !GetAtt MyFirstRestAPI.RootResourceId
      PathPart: 'greeting'

The method definition is also similar to what you have seen before, except that now, we specify the AuthorizationType as COGNITO_USER_POOLS, and reference the AuthorizerId from the authorizer resource that we defined previously:

  MyMockMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref CustomCognitoAuthorizer
      HttpMethod: GET
      Integration:
        Type: MOCK
        IntegrationHttpMethod: GET
        IntegrationResponses:
          - StatusCode: 200
            ResponseTemplates:
              application/json: '{"message": "Welcome $context.authorizer.claims.given_name"}'
        RequestTemplates:
          application/json: '{"statusCode": 200}'
      ResourceId: !Ref GreetingResource
      RestApiId: !Ref MyFirstRestAPI
      MethodResponses:
        - StatusCode: 200

We use $context.authorizer.claims.given_name to read the given_name attribute that we set for the user at sign-up in the previous recipe. Cognito embeds that attribute as a claim inside the ID token, and once the authorizer has validated the token, API Gateway exposes its claims to the mapping templates under $context.authorizer.claims. Because this method declares no AuthorizationScopes, the authorizer expects the ID token; the access token returned by the same initiate-auth call carries no given_name claim and will not produce the greeting.

The Deployment resource definition and the Outputs section are similar to what you have seen before:

  MyFirstDeployment:
    DependsOn: MyMockMethod
    Type: AWS::ApiGateway::Deployment
    Properties:
      Description: 'First Deployment'
      RestApiId: !Ref MyFirstRestAPI
      StageDescription:
        Description: 'Dev Stage'
      StageName: 'dev'

Outputs:
  SampleEndpoint:
    Description: 'Sample Endpoint'
    Value: !Sub
      - https://${API_ID}.execute-api.${AWS::Region}.amazonaws.com/dev/greeting
      - API_ID: !Ref MyFirstRestAPI

Now, you need to run the following AWS CLI commands for the Cognito identity provider (from the previous section):

aws cognito-idp sign-up
aws cognito-idp admin-confirm-sign-up
aws cognito-idp initiate-auth

Finally, you can call the URL from the SampleEndpoint output by using a REST client, such as Postman. Select Bearer Token as the authorization type, and copy the ID token value (IdToken, not AccessToken) that you received in the initiate-auth response into the Token field. Refer to the screenshots in the previous section for the CLI commands.
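The following script is an added example for this recipe, not code from the book: it performs the sign-up, confirmation and initiate-auth steps with boto3 instead of the CLI, picks the right token out of the InitiateAuth result, and calls the /dev/greeting endpoint with it. The helper functions decode_claims, check_id_token, select_id_token, render_greeting, call_greeting and run_flow are this example's own names. It assumes the user pool app client allows the USER_PASSWORD_AUTH flow and that AWS credentials with cognito-idp permissions are configured; the sample tokens at the bottom are constructed locally and unsigned, so they only exercise the offline helpers.

```python
"""Added example (not from the original recipe): drive the Cognito-protected
Greeting API end to end, and check the token before sending it.

Assumed (not stated in the recipe): the app client allows USER_PASSWORD_AUTH,
and pool/client IDs, a username, password and the endpoint URL are supplied
by the caller. All function names here are the example's own.
"""
import base64
import json
import urllib.request


def decode_claims(jwt: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying it.

    For local inspection only: the COGNITO_USER_POOLS authorizer in API
    Gateway is what checks signature, expiry and issuer against the pool.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(token: str) -> str:
    """Return '' if the token is usable for the Greeting API, else the reason.

    The method has no AuthorizationScopes, so the authorizer expects an ID
    token; an access token carries no given_name claim, so the mapping
    template would have nothing to greet with.
    """
    claims = decode_claims(token)
    if claims.get("token_use") != "id":
        return "expected an ID token, got token_use=%r" % claims.get("token_use")
    if "given_name" not in claims:
        return "ID token has no given_name claim; was it set at sign-up?"
    return ""


def select_id_token(auth_result: dict) -> str:
    """Pick IdToken from an InitiateAuth AuthenticationResult, or fail early."""
    token = auth_result["IdToken"]
    problem = check_id_token(token)
    if problem:
        raise ValueError(problem)
    return token


def render_greeting(claims: dict) -> dict:
    """Local reproduction of the MOCK integration's response template."""
    return {"message": "Welcome %s" % claims["given_name"]}


def call_greeting(endpoint: str, id_token: str) -> dict:
    """GET /dev/greeting with the raw ID token in the Authorization header."""
    req = urllib.request.Request(endpoint, headers={"Authorization": id_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def run_flow(user_pool_id, client_id, username, password, given_name, endpoint):
    """sign-up -> admin-confirm-sign-up -> initiate-auth -> call the API."""
    import boto3  # imported here so the offline helpers above do not need it
    idp = boto3.client("cognito-idp")
    idp.sign_up(ClientId=client_id, Username=username, Password=password,
                UserAttributes=[{"Name": "given_name", "Value": given_name}])
    idp.admin_confirm_sign_up(UserPoolId=user_pool_id, Username=username)
    auth = idp.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    return call_greeting(endpoint, select_id_token(auth["AuthenticationResult"]))


def _fake_jwt(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped string; constructed sample data only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "kid": "fake"}), b64(claims), "sig"])


# Constructed sample shaped like an InitiateAuth AuthenticationResult (no real signatures).
SAMPLE_AUTH_RESULT = {
    "IdToken": _fake_jwt({"token_use": "id", "sub": "1234",
                          "given_name": "Alice", "email": "alice@example.com"}),
    "AccessToken": _fake_jwt({"token_use": "access", "sub": "1234",
                              "scope": "aws.cognito.signin.user.admin"}),
}

if __name__ == "__main__":
    tok = select_id_token(SAMPLE_AUTH_RESULT)
    print(render_greeting(decode_claims(tok)))
```

Run it as-is to see the offline checks; call run_flow with your pool ID, app client ID, a new username and password, a given name and the SampleEndpoint URL to exercise the deployed API. The script sends the raw ID token in the Authorization header; Postman's Bearer Token option, which the recipe uses, sends the same token with a Bearer prefix.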
