Amazon API Gateway
Developer Guide

Configure Cross-Account Amazon Cognito Authorizer Using the API Gateway Console

You can now also use an Amazon Cognito user pool from a different AWS account as your API authorizer. Each account can be in any region where Amazon API Gateway is available. The Amazon Cognito user pool can use bearer token authentication strategies such as OAuth or SAML. This makes it easy to centrally manage a single Amazon Cognito user pool authorizer and share it across multiple API Gateway APIs.

In this section, we show how to configure a cross-account Amazon Cognito user pool using the Amazon API Gateway console.

These instructions assume that you already have an API Gateway API in one AWS account and an Amazon Cognito user pool in another account.

Configure Cross-Account Amazon Cognito Authorizer Using the API Gateway Console

Log in to the Amazon API Gateway console in your first account (the one that has your API in it) and do the following:

  1. Locate your API and choose Authorizers.

  2. Choose Create New Authorizer.

  3. For Create Authorizer, type an authorizer name in the Name input field.

  4. For Type, choose the Cognito option.

  5. For Cognito User Pool, copy-paste the full ARN for the user pool that you have in your second account.

    Note

    In the Amazon Cognito console, you can find the ARN for your user pool in the Pool ARN field of the General Settings pane.

  6. Type the name of a header in Token Source. The API client must include a header of this name to send the authorization token to the Amazon Cognito authorizer.

  7. Optionally, provide a RegEx statement in the Token Validation input field. API Gateway performs initial validation of the input token against this expression and invokes the authorizer only when that validation succeeds. This helps reduce the chance of being charged for invalid tokens.

  8. Choose Create to create the new Amazon Cognito authorizer for your API.
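The same configuration as an added example using the AWS SDK for Python (boto3) instead of the console; this code is not from the guide, and the REST API id, account ids, user pool ARN and token regex are constructed placeholders.

```python
import re

# Constructed placeholders; replace with your own values.
REST_API_ID = "abcde12345"  # the API in the first account
API_ACCOUNT_ID = "111111111111"  # account that owns the API
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:222222222222:userpool/us-east-1_EXAMPLE"
TOKEN_HEADER = "Authorization"  # step 6: Token Source header
# Step 7: tokens that fail this expression are rejected before the authorizer is invoked.
TOKEN_REGEX = r"^Bearer [-0-9a-zA-Z._]+$"


def parse_user_pool_arn(arn: str) -> dict:
    """Split a Cognito user pool ARN and confirm it really names a user pool."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "cognito-idp" or not parts[5].startswith("userpool/"):
        raise ValueError(f"not a Cognito user pool ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "pool_id": parts[5].split("/", 1)[1]}


def is_cross_account(arn: str, api_account_id: str) -> bool:
    """True when the pool lives in a different account from the API (this page's case)."""
    return parse_user_pool_arn(arn)["account"] != api_account_id


def token_passes_validation(header_value: str, expression: str = TOKEN_REGEX) -> bool:
    """Mirror the gateway's pre-check: malformed tokens never reach the authorizer."""
    return re.fullmatch(expression, header_value) is not None


def build_create_authorizer_request(rest_api_id: str, name: str, user_pool_arn: str,
                                    header: str, expression: str) -> dict:
    """Parameters for apigateway.create_authorizer equivalent to console steps 3-7."""
    parse_user_pool_arn(user_pool_arn)  # fail early on a malformed ARN
    return {
        "restApiId": rest_api_id,
        "name": name,  # step 3
        "type": "COGNITO_USER_POOLS",  # step 4
        "providerARNs": [user_pool_arn],  # step 5: pool from the second account
        "identitySource": f"method.request.header.{header}",  # step 6
        "identityValidationExpression": expression,  # step 7
    }


if __name__ == "__main__":
    import boto3  # needs credentials for the account that owns the API
    req = build_create_authorizer_request(REST_API_ID, "cross-account-cognito",
                                          USER_POOL_ARN, TOKEN_HEADER, TOKEN_REGEX)
    print(boto3.client("apigateway").create_authorizer(**req)["id"])
```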