Configure cross-account Amazon Cognito authorizer for a REST API using the API Gateway console
You can now also use a Amazon Cognito user pool from a different Amazon account as your API authorizer. The Amazon Cognito user pool can use bearer token authentication strategies such as OAuth or SAML. This makes it easy to centrally manage and share a central Amazon Cognito user pool authorizer across multiple API Gateway APIs.
In this section, we show how to configure a cross-account Amazon Cognito user pool using the Amazon API Gateway console.
These instructions assume that you already have an API Gateway API in one Amazon account and a Amazon Cognito user pool in another account.
Configure cross-account Amazon Cognito authorizer using the API Gateway console
Log in to the Amazon API Gateway console in the account that has your API in it, and then do the following:
-
Create a new API, or select an existing API in API Gateway.
-
In the main navigation pane, choose Authorizers.
-
Choose Create authorizer.
-
To configure the new authorizer to use a user pool, do the following:
-
For Authorizer name, enter a name.
-
For Authorizer type, select Cognito.
-
For Cognito user pool, enter the full ARN for the user pool that you have in your second account.
Note
In the Amazon Cognito console, you can find the ARN for your user pool in the Pool ARN field of the General Settings pane.
-
For Token source, enter
Authorizationas the header name to pass the identity or access token that's returned by Amazon Cognito when a user signs in successfully. -
(Optional) Enter a regular expression in the Token validation field to validate the
aud(audience) field of the identity token before the request is authorized with Amazon Cognito. Note that when using an access token this validation rejects the request due to the access token not containing theaudfield. -
Choose Create authorizer.
-