AWSTemplateFormatVersion: 2010-09-09 Description: A sample API gateway with Cognito authentication Resources: MyLambda: Type: AWS::Lambda::Function Properties: Runtime: nodejs18.x Description: Test Lambda Role: !GetAtt LambdaFunctionRole.Arn Handler: index.handler Code: ZipFile: | exports.handler = async (event, context) => { return { isBase64Encoded: false, body: JSON.stringify({ Authenitcation: "success" }), headers: { 'Access-Control-Allow-Origin': '*', }, statusCode: 200, }; } LambdaFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" MyAppApiCWRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: - apigateway.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" MyAppUserPool: Type: AWS::Cognito::UserPool Properties: AdminCreateUserConfig: AllowAdminCreateUserOnly: true AutoVerifiedAttributes: - email LambdaConfig: {} Schema: - AttributeDataType: String Mutable: true Name: given_name Required: true - AttributeDataType: String Mutable: true Name: family_name Required: true - AttributeDataType: String Mutable: true Name: email Required: true UserPoolName: my-app-user-pool MyAppUserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: UserPoolId: Ref: MyAppUserPool AllowedOAuthFlows: - implicit AllowedOAuthScopes: - openid CallbackURLs: - http://localhost:3000 ClientName: my-app-api-client ExplicitAuthFlows: - ALLOW_ADMIN_USER_PASSWORD_AUTH - ALLOW_REFRESH_TOKEN_AUTH - ALLOW_USER_PASSWORD_AUTH ReadAttributes: - email - family_name - given_name SupportedIdentityProviders: - COGNITO MyAppUserPoolDomain: Type: AWS::Cognito::UserPoolDomain Properties: Domain: my-app-user-pool UserPoolId: Ref: MyAppUserPool MyAppApi: Type: AWS::ApiGateway::RestApi Properties: Name: my-test-api MyAppApiDeployment: Type: AWS::ApiGateway::Deployment Properties: RestApiId: Ref: MyAppApi Description: Automatically created by the RestApi construct DependsOn: - MyAppApiPostMethod MyAppApiDeploymentStage: Type: AWS::ApiGateway::Stage Properties: RestApiId: Ref: MyAppApi DeploymentId: Ref: MyAppApiDeployment StageName: dev MyAppApiAccount: Type: AWS::ApiGateway::Account Properties: CloudWatchRoleArn: Fn::GetAtt: - MyAppApiCWRole - Arn DependsOn: - MyAppApi MyAppApiResource: Type: AWS::ApiGateway::Resource Properties: ParentId: Fn::GetAtt: - MyAppApi - RootResourceId PathPart: app RestApiId: Ref: MyAppApi MyAppApiPermission: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: !GetAtt MyLambda.Arn Principal: apigateway.amazonaws.com SourceArn: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":execute-api:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":" - Ref: MyAppApi - "/" - Ref: MyAppApiDeploymentStage - "/POST/app" MyAppApiTestInvokePermission: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: !GetAtt MyLambda.Arn Principal: apigateway.amazonaws.com SourceArn: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":execute-api:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":" - Ref: MyAppApi - "/test-invoke-stage/POST/app" MyAppApiPostMethod: Type: AWS::ApiGateway::Method Properties: HttpMethod: POST ResourceId: Ref: MyAppApiResource RestApiId: Ref: MyAppApi AuthorizationType: COGNITO_USER_POOLS AuthorizerId: Ref: MyAppCognitoAuthorizer Integration: IntegrationHttpMethod: POST Type: AWS_PROXY Uri: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":apigateway:" - Ref: AWS::Region - ":lambda:path/2015-03-31/functions/" - !GetAtt MyLambda.Arn - "/invocations" MyAppCognitoAuthorizerRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: apigateway.amazonaws.com Version: "2012-10-17" MyAppCognitoAuthorizerPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: cognito-idp:* Effect: Allow Resource: - Fn::GetAtt: - MyAppUserPool - Arn Version: "2012-10-17" PolicyName: MyAppCognitoAuthorizerPolicy Roles: - Ref: MyAppCognitoAuthorizerRole ApiCognitoAuthorizer: Type: AWS::ApiGateway::Authorizer Properties: RestApiId: Ref: MyAppApi Type: COGNITO_USER_POOLS AuthorizerCredentials: Fn::GetAtt: - MyAppCognitoAuthorizerRole - Arn AuthorizerUri: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":cognito-idp:*:" - Ref: AWS::AccountId - ":userpool/" - Ref: MyAppUserPool IdentitySource: method.request.header.Authorization Name: CognitoAuthorizer ProviderARNs: - Fn::GetAtt: - MyAppUserPool - Arn MyAppApiCognitoAuthorizerRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: apigateway.amazonaws.com Version: "2012-10-17" Policies: - PolicyDocument: Statement: - Action: cognito-idp:* Effect: Allow Resource: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":cognito-idp:*:" - Ref: AWS::AccountId - ":userpool/" - Ref: MyAppUserPool Version: "2012-10-17" PolicyName: MyAppApiAuthorization MyAppCognitoAuthorizer: Type: AWS::ApiGateway::Authorizer Properties: RestApiId: Ref: MyAppApi Type: COGNITO_USER_POOLS AuthorizerCredentials: Fn::GetAtt: - MyAppApiCognitoAuthorizerRole - Arn AuthorizerUri: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":cognito-idp:*:" - Ref: AWS::AccountId - ":userpool/" - Ref: MyAppUserPool IdentitySource: method.request.header.Authorization Name: MyAppCognitoAuthorizer ProviderARNs: - Fn::GetAtt: - MyAppUserPool - Arn Outputs: MyAppApiEndpoint: Value: Fn::Join: - "" - - "https://" - Ref: MyAppApi - ".execute-api." - Ref: AWS::Region - "." - Ref: AWS::URLSuffix - "/" - Ref: MyAppApiDeploymentStage - "/app"