Obtain permissions to create Amazon Cognito user pool authorizers for a REST API - Amazon API Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Obtain permissions to create Amazon Cognito user pool authorizers for a REST API

To create an authorizer with an Amazon Cognito user pool, you must have Allow permissions to create or update an authorizer with the chosen Amazon Cognito user pool. The following IAM policy document shows an example of such permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:POST"
            ],
            "Resource": "arn:aws:apigateway:*::/restapis/*/authorizers",
            "Condition": {
                "ArnLike": {
                    "apigateway:CognitoUserPoolProviderArn": [
                        "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_aD06NQmjO",
                        "arn:aws:cognito-idp:us-east-1:234567890123:userpool/us-east-1_xJ1MQtPEN"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:PATCH"
            ],
            "Resource": "arn:aws:apigateway:*::/restapis/*/authorizers/*",
            "Condition": {
                "ArnLike": {
                    "apigateway:CognitoUserPoolProviderArn": [
                        "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_aD06NQmjO",
                        "arn:aws:cognito-idp:us-east-1:234567890123:userpool/us-east-1_xJ1MQtPEN"
                    ]
                }
            }
        }
    ]
}

Make sure that the policy is attached to an IAM group that you belong to or an IAM role that you're assigned to.

In the preceding policy document, the apigateway:POST action is for creating a new authorizer, and the apigateway:PATCH action is for updating an existing authorizer. You can restrict the policy to a specific region or a particular API by overriding the first two wildcard (*) characters of the Resource values, respectively.

The Condition clauses that are used here are to restrict the Allowed permissions to the specified user pools. When a Condition clause is present, access to any user pools that don't match the conditions is denied. When a permission doesn't have a Condition clause, access to any user pool is allowed.

You have the following options to set the Condition clause:

  • You can set an ArnLike or ArnEquals conditional expression to permit creating or updating COGNITO_USER_POOLS authorizers with the specified user pools only.

  • You can set an ArnNotLike or ArnNotEquals conditional expression to permit creating or updating COGNITO_USER_POOLS authorizers with any user pool that isn't specified in the expression.

  • You can omit the Condition clause to permit creating or updating COGNITO_USER_POOLS authorizers with any user pool, of any Amazon account, and in any region.

For more information on the Amazon Resource Name (ARN) conditional expressions, see Amazon Resource Name Condition Operators. As shown in the example, apigateway:CognitoUserPoolProviderArn is a list of ARNs of the COGNITO_USER_POOLS user pools that can or can't be used with an API Gateway authorizer of the COGNITO_USER_POOLS type.