Integrating Cognito as an Authorizer with Serverless Framework and AWS Lambda using an Existing User Pool

Matías Salinas
2 min read · Mar 14, 2023


In this article we’ll see how to integrate Amazon Cognito as an authorizer for your serverless applications using the Serverless Framework and AWS Lambda. This approach lets you secure your APIs by reusing an existing Cognito User Pool for user authentication and authorization.

Prerequisites

To follow along with this tutorial, you should have:

  1. Basic knowledge of AWS services, specifically Amazon Cognito, Lambda, and API Gateway
  2. Familiarity with the Serverless Framework
  3. An AWS account with the necessary permissions to create and manage resources
  4. An existing Amazon Cognito User Pool
  5. Node.js and the Serverless Framework installed on your local machine

Step 1: Set up a new Serverless service

To create a new Serverless service, open your terminal and run the following command:

$ serverless create --template aws-nodejs --path cognito-authorizer
$ cd cognito-authorizer

Step 2: Configure the serverless.yml file

Open the serverless.yml file in your favorite text editor and replace its contents with the following configuration:

service: cognito-authorizer
provider:
  name: aws
  runtime: nodejs14.x
  stage: dev
  region: us-east-1
  environment:
    COGNITO_USER_POOL_ID: <your-user-pool-id>
functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: CognitoAuthorizer
resources:
  Resources:
    CognitoAuthorizer:
      Type: "AWS::ApiGateway::Authorizer"
      Properties:
        AuthorizerResultTtlInSeconds: 300
        IdentitySource: "method.request.header.Authorization"
        Name: CognitoAuthorizer
        RestApiId:
          Ref: "ApiGatewayRestApi"
        Type: COGNITO_USER_POOLS
        ProviderARNs:
          - "arn:aws:cognito-idp:<your-region>:<your-account-id>:userpool/${self:provider.environment.COGNITO_USER_POOL_ID}"

Make sure to replace <your-user-pool-id>, <your-region>, and <your-account-id> with the appropriate values for your existing Cognito User Pool.

Step 3: Create the Lambda function handler

Open the handler.js file and replace its contents with the following code:

'use strict';

module.exports.hello = async (event) => {
  return {
    statusCode: 200,
    body: JSON.stringify(
      {
        message: 'Hello from your Cognito authorized Lambda function!',
        // Claims from the token validated by the Cognito authorizer
        user: event.requestContext.authorizer.claims
      },
      null,
      2
    ),
  };
};

Step 4: Deploy the service

Deploy your service to AWS by running the following command in your terminal:

$ serverless deploy

Upon successful deployment, you will receive an API Gateway endpoint URL. You can now test your secured API by sending a request with an access token obtained from your Cognito User Pool in the Authorization header (the IdentitySource configured above); requests without a valid token are rejected by API Gateway before the function runs.

Conclusion

In this article, we demonstrated how to integrate Amazon Cognito as an authorizer with the Serverless Framework and AWS Lambda using an existing Cognito User Pool. This allows you to secure your APIs and manage user authentication and authorization efficiently. By following these steps, you can add an extra layer of security to your serverless applications and ensure only authorized users can access your APIs.
