Secure Microservices with API Gateway using Amazon Cognito User Pools

In this article, we are going to secure microservices with API Gateway using Amazon Cognito User Pools. This will be a hands-on lab for securing microservices in serverless environments with Amazon Cognito.


By the end of the article, we will complete a Hands-on Lab: Secure our API Gateway with Amazon Cognito User Pools.


Before we start, it is good to understand what Amazon Cognito is: its main features, User Pools versus Identity Pools, its use cases and how it works.

After that, we can start the hands-on example; the services we will use for this example are shown below. Basically, we will expose an API using Amazon API Gateway and AWS Lambda functions, and then we will secure that API Gateway using Amazon Cognito.

I will break down the steps of securing our APIs by looking at the big picture: authentication via Cognito for our RESTful microservices.

  1. A client first logs in via Cognito;
  2. After successful login, Cognito returns an id_token to the client;
  3. The client sends a request to the API Gateway with the received id_token;
  4. The API Gateway verifies in Cognito whether the id_token is valid;
  5. Cognito will return to API Gateway a success response when the id_token is valid;
  6. The API Gateway sends the request to the lambda function;
  7. The lambda function executes and sends its response to the API Gateway;
  8. The API Gateway sends the response to the client.
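Steps 4 and 5 in detail, as an added Python example that is not part of the original article: API Gateway's Cognito authorizer first verifies the token's RS256 signature against the user pool's published JWKS (served at the issuer URL plus /.well-known/jwks.json; that step needs a JOSE library and is assumed to have happened before this code runs) and then enforces the claim checks below. The region, user pool ID and app client ID are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder values; use your own pool's region, ID and app client ID.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token):
    """Split header.payload.signature and decode the two JSON parts (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header, claims = json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, claims

def validate_cognito_claims(token, now=None):
    """Claim checks the authorizer applies once the RS256 signature is verified. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        header, claims = decode_jwt_unverified(token)
    except ValueError as exc:  # also catches binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, f"malformed token: {exc}"
    if header.get("alg") != "RS256" or "kid" not in header:
        return False, "Cognito tokens are RS256 and name the signing key via kid"
    if claims.get("iss") != ISSUER:
        return False, "issuer is not our user pool"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired or has no exp"
    token_use = claims.get("token_use")
    if token_use == "id" and claims.get("aud") == APP_CLIENT_ID:
        return True, "id"
    if token_use == "access" and claims.get("client_id") == APP_CLIENT_ID:
        return True, "access"
    return False, "token_use or audience does not match this app client"

def make_constructed_token(claims):
    """Test-only token with a placeholder signature; a real verifier must reject it."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.placeholder-signature"
```

Note that an ID token carries the app client in `aud` while an access token carries it in `client_id`; the authorizer accepts the ID token on a method with no OAuth scopes configured and requires an access token when scopes are set.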

Now we can start developing our hands-on project.

Create Sync Flow with API Gateway and Lambda

We are going to create a synchronous flow with API Gateway and AWS Lambda. The first setup you will create is visualized in the figure below.

  1. A client sends a request to the REST API configured in the API Gateway;
  2. The API Gateway sends the request to the lambda function;
  3. The lambda function executes and sends its response to the API Gateway;
  4. The API Gateway sends the response to the client.

With this flow we can start to create serverless services.

Create Lambda Function

Let’s create a Lambda function using “Author from scratch” with the sample function code. To create a Lambda function, open https://console.aws.amazon.com/lambda.

  1. Choose Create function.
  2. For Function name, enter productFunction.

Give Microservice Permission

  1. Under Permissions, choose Change default execution role.
  2. Select Create a new role from AWS policy templates.
  3. For Role name, enter productRole.

Create an API Gateway

API Gateway also supports HTTP APIs and WebSocket APIs, but a REST API is the best choice for this exercise. The REST API provides a REST HTTP endpoint for your Lambda function.

API Gateway routes requests to your Lambda function, and then returns the function’s response to clients. First of all, we should design our API resources and methods:

CRUD Product APIs
GET /product
GET /product/{id}
POST /product
DELETE /product/{id}

Now we can create the REST API for our example. Open the AWS Console, search for API Gateway, and:

  1. Create a REST API named productApi.
  2. Create a resource named product.
  3. Create the methods GET, GET by id, POST and DELETE.
  4. Deploy the API.
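A productFunction handler for the four methods above, written as an added example rather than the article's sample function code. It keeps products in a constructed in-memory dictionary instead of a database, and reads the caller's identity from the token claims that the Cognito authorizer (configured later in the article) attaches to the REST API proxy event under requestContext.authorizer.claims.

```python
import json

# Constructed in-memory store standing in for a real table.
PRODUCTS = {"p1": {"id": "p1", "name": "Sample product", "price": 10}}

def _response(status, body):
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}

def caller_claims(event):
    """Token claims the Cognito authorizer attaches to a REST API (v1) proxy event."""
    return ((event.get("requestContext") or {}).get("authorizer") or {}).get("claims") or {}

def lambda_handler(event, context):
    claims = caller_claims(event)
    if not claims.get("sub"):
        # Defence in depth: with the authorizer attached, API Gateway already
        # rejects unauthenticated requests before they reach this function.
        return _response(401, {"message": "Unauthorized"})
    method = event.get("httpMethod")
    product_id = (event.get("pathParameters") or {}).get("id")
    if method == "GET" and product_id is None:          # GET /product
        return _response(200, list(PRODUCTS.values()))
    if method == "GET":                                  # GET /product/{id}
        product = PRODUCTS.get(product_id)
        return _response(200, product) if product else _response(404, {"message": "Not found"})
    if method == "POST":                                 # POST /product
        try:
            body = json.loads(event.get("body") or "{}")
        except json.JSONDecodeError:
            return _response(400, {"message": "Body must be JSON"})
        if (not isinstance(body, dict) or not isinstance(body.get("id"), str)
                or not body.get("name")):
            return _response(400, {"message": "id (string) and name are required"})
        body["owner"] = claims["sub"]                    # record who created it
        PRODUCTS[body["id"]] = body
        return _response(201, body)
    if method == "DELETE" and product_id is not None:    # DELETE /product/{id}
        if PRODUCTS.pop(product_id, None) is None:
            return _response(404, {"message": "Not found"})
        return _response(200, {"deleted": product_id})
    return _response(405, {"message": f"{method} not supported"})

def make_event(method, product_id=None, body=None, sub=None):
    """Constructed minimal proxy event for local testing; sub mimics the authorizer's claim."""
    event = {"httpMethod": method, "pathParameters": {"id": product_id} if product_id else None,
             "body": json.dumps(body) if body is not None else None}
    if sub:
        event["requestContext"] = {"authorizer": {"claims": {"sub": sub}}}
    return event
```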

Configure Amazon Cognito User Pool

After creating the main flow, we are now going to configure the Amazon Cognito User Pool. There are 3 steps.

  1. Configure the Cognito user pool
  2. Deploy the REST API. In my case, I will use a Lambda function for simplicity.
  3. Configure the API gateway to use the Cognito user pool for securing the endpoint.

To configure the Cognito user pool, go to the Cognito dashboard and select “Create user pool.”

Follow the default configuration for each step and complete the process:

  • Password Policy
  • No MFA
  • Self-service sign up
  • Configure Message Delivery
  • User pool and domain information
  • Initial app clients

API Gateway Authorizer

Now I will configure authorizers that are under the stage option. Here I will select the Cognito type and the pool I created in the first step. This pool name might not show up in the list initially. We might need to reload the page to get the suggestion. The token source will be “Authorization.”


As you can see, we have configured the Amazon Cognito user pool and added the Cognito authorizer to the API Gateway.

Test — Secure your API Gateway with Amazon Cognito User Pools

In order to test whether the configuration works, follow these steps.

First, navigate to the Cognito User Pool, choose App client settings in the left menu, scroll down to the bottom of the page and click the Launch Hosted UI link. Sign in with the user you created. You are redirected to the callback URL you configured, and this URL now contains some extra parameters:

Copy the value of the ID token.

Navigate to your API in the API Gateway service. Select the GET method of the dev stage in the Stages section. Here you will find the URL of the dev stage. Execute the following command, replacing <the ID token> with the token you copied and replacing the URL with your own URL.

I will use Postman to test the API. Initially, I will call it without the authorization header. I got the unauthorized error. This is expected. Now I will use the access token.

  • Success

This time I got the data from the endpoint. So, our endpoint is secured, and it verifies the access token for the user that we created in our Cognito user pool.

Step by Step Design AWS Architectures w/ Course

I have just published a new course — AWS Lambda & Serverless — Developer Guide with Hands-on Labs.

In this course, we will learn almost all the AWS Serverless services in every aspect. We are going to build serverless applications using AWS Lambda, Amazon API Gateway, Amazon DynamoDB, Amazon Cognito, Amazon S3, Amazon SNS, Amazon SQS, Amazon EventBridge, AWS Step Functions, DynamoDB and Kinesis Streams. This course is 100% hands-on, and you will develop a real-world application with hands-on labs, together and step by step.

Source Code

Get the source code from the Serverless Microservices GitHub repository. Clone or fork it, and if you like it, don’t forget to star it. If you find or want to ask anything, you can open an issue on the repository directly.


Mehmet Ozkaya
AWS Lambda & Serverless — Developer Guide with Hands-on Labs

Software Architect | Udemy Instructor | AWS Community Builder | Cloud-Native and Serverless Event-driven Microservices https://github.com/mehmetozkaya