Configure cross-account Amazon Cognito authorizer for a REST API using the API Gateway console - Amazon API Gateway

You can use an Amazon Cognito user pool from a different AWS account as the authorizer for your REST API. The two accounts can be in any Region where Amazon API Gateway is available. The user pool can use bearer token authentication strategies such as OAuth or SAML. This lets you manage one central user pool and share it as the authorizer across multiple API Gateway APIs.

In this section, we show how to configure a cross-account Amazon Cognito user pool authorizer by using the Amazon API Gateway console.

These instructions assume that you already have an API Gateway API in one AWS account and an Amazon Cognito user pool in another account. No IAM trust between the two accounts is required: the authorizer verifies each token's signature against the user pool's public signing keys. Any user who can obtain a token from that pool can therefore pass the authorizer, so restrict the accepted audience with the Token validation setting described below rather than relying on the pool's account boundary.

Configure cross-account Amazon Cognito authorizer using the API Gateway console

Log in to the Amazon API Gateway console in the account that has your API in it, and then do the following:

Old REST API console
Note

We've redesigned the API Gateway console. The old console experience will no longer be available starting December 2023.

  1. Locate your API and choose Authorizers.

  2. Choose Create New Authorizer.

  3. For Create Authorizer, type an authorizer name in the Name input field.

  4. For Type, choose the Cognito option.

  5. For Cognito User Pool, paste the full ARN of the user pool in your second account (the account that does not contain the API).

    Note

    In the Amazon Cognito console, you can find the ARN for your user pool in the Pool ARN field of the General Settings pane.

  6. In Token Source, type the name of a header (typically Authorization). The API client must send the token in a header of this name for the Amazon Cognito authorizer to receive it.

  7. Optionally, enter a regular expression in the Token Validation field. API Gateway checks the token's aud (audience) claim against this expression before authorizing the request and rejects the request if it does not match. This turns away tokens issued for other app clients early and reduces the chance of being charged for invalid tokens. Note that access tokens have no aud claim and are rejected when an expression is set.

  8. Choose Create to create the new Amazon Cognito authorizer for your API.

New REST API console
  1. Create a new API, or select an existing API in API Gateway.

  2. In the main navigation pane, choose Authorizers.

  3. Choose Create authorizer.

  4. To configure the new authorizer to use a user pool, do the following:

    1. For Authorizer name, enter a name.

    2. For Authorizer type, select Cognito.

    3. For Cognito user pool, enter the full ARN for the user pool that you have in your second account.

      Note

      In the Amazon Cognito console, you can find the ARN for your user pool in the Pool ARN field of the General Settings pane.

    4. For Token source, enter Authorization as the name of the header in which the client passes the identity (ID) or access token that Amazon Cognito returns when a user signs in successfully.

    5. (Optional) Enter a regular expression in the Token validation field to validate the aud (audience) claim of the ID token before the request is authorized with Amazon Cognito. For an ID token, aud is the ID of the app client that issued it, so anchoring the expression to the app client ID you expect prevents tokens issued to other app clients of the same pool from being accepted. Note that when the client sends an access token, this validation rejects the request, because access tokens carry the client ID in the client_id claim and do not contain an aud claim.

    6. Choose Create authorizer.
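The following is an added example, not code from the AWS documentation or from API Gateway itself. It models offline the two claim checks that matter in the procedure above: the token's iss claim must name the user pool whose ARN you entered, and, when a Token validation expression is set, the token's aud claim must match it. The pool ARN, app client IDs and tokens are placeholders constructed inline, and the tokens are unsigned; real API Gateway additionally verifies the RS256 signature against the pool's keys and checks expiry, which this model omits.

```python
import base64
import json
import re

# Placeholder values for this example (not real resources): the pool lives in
# the second account, the API in the first.
POOL_ARN = "arn:aws:cognito-idp:us-east-1:222222222222:userpool/us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789abcd"      # app client the API expects
OTHER_CLIENT_ID = "9otherclient0000abcd"    # another app client of the same pool

_ARN_RE = re.compile(
    r"^arn:aws:cognito-idp:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":userpool/(?P<pool_id>[A-Za-z0-9_-]+)$"
)


def parse_pool_arn(arn):
    """Split a user pool ARN into region, account and pool ID, or raise."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError("not a Cognito user pool ARN: %r" % arn)
    return m.groupdict()


def expected_issuer(arn):
    """Issuer (iss claim) carried by tokens that this pool issues."""
    p = parse_pool_arn(arn)
    return "https://cognito-idp.%s.amazonaws.com/%s" % (p["region"], p["pool_id"])


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def fake_jwt(payload):
    """Constructed, unsigned token for the example; the signature part is a
    placeholder. Real tokens are RS256-signed by the pool."""
    header = {"alg": "RS256", "kid": "example-kid"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "placeholder-signature"])


def claims(jwt):
    """Decode the payload of a compact JWT without verifying it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def prevalidate(jwt, pool_arn, aud_regex=None):
    """Model of the authorizer's claim checks: the token must come from the
    configured pool and, when a token-validation expression is set, its aud
    claim must fully match it. Returns (accepted, reason)."""
    c = claims(jwt)
    if c.get("iss") != expected_issuer(pool_arn):
        return False, "issuer does not match the configured user pool"
    if aud_regex is not None:
        aud = c.get("aud")
        if aud is None:
            return False, "no aud claim (access tokens carry client_id instead)"
        if not re.fullmatch(aud_regex, aud):
            return False, "aud %r not allowed by token validation" % aud
    return True, "accepted"


ISS = expected_issuer(POOL_ARN)
ID_TOKEN = fake_jwt({"iss": ISS, "aud": APP_CLIENT_ID, "token_use": "id"})
ACCESS_TOKEN = fake_jwt({"iss": ISS, "client_id": APP_CLIENT_ID, "token_use": "access"})
OTHER_CLIENT_TOKEN = fake_jwt({"iss": ISS, "aud": OTHER_CLIENT_ID, "token_use": "id"})
FOREIGN_POOL_TOKEN = fake_jwt({"iss": ISS.replace("EXAMPLE", "OTHER"),
                               "aud": APP_CLIENT_ID, "token_use": "id"})

# Value to put in the Token validation field: anchored to the expected app client.
AUD_REGEX = "^" + re.escape(APP_CLIENT_ID) + "$"

if __name__ == "__main__":
    for name, tok in [("ID token", ID_TOKEN), ("access token", ACCESS_TOKEN),
                      ("other app client", OTHER_CLIENT_TOKEN),
                      ("other pool", FOREIGN_POOL_TOKEN)]:
        print(name, "with regex:", prevalidate(tok, POOL_ARN, AUD_REGEX))
        print(name, "no regex:  ", prevalidate(tok, POOL_ARN))
```

Running the block shows the trade-off the procedure describes: with the expression set, only ID tokens for the expected app client are accepted and access tokens are refused for lack of an aud claim; with no expression, any ID or access token from the pool, including one minted for a different app client, passes the pre-validation, so leaving the field empty is a deliberate choice to accept every app client of that pool.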