AWS API Gateway Cognito user pool authorizer


Borja López Altarriba

Mar 3, 2017, 7:22:42 AM3/3/17
to Terraform
I'm trying to create a Cognito user pool authorizer at AWS API Gateway, but reading the Terraform docs (https://www.terraform.io/docs/providers/aws/r/api_gateway_authorizer.html) only type 'TOKEN' is available.

To double-check, I see it is available using the AWS CLI (API Gateway docs: http://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html); you just need to use type 'COGNITO_USER_POOLS'.

I haven't found any GitHub issue related to this, so I want to know if it's just that the Terraform docs are not updated or if Terraform doesn't support this authorizer. Does anyone know anything about this? I would appreciate any help.

Thank you!

Hvit Draken

Jul 24, 2017, 7:18:18 AM7/24/17
to Terraform
Hi All,

I would also love to find out if this can be done through Terraform, as the only way we can do this at the moment is to import the Swagger files.

Looking at the output from the Cognito authoriser I've set up, we get something along the lines of:

    "authType": "cognito_user_pools",
    "identitySource": "method.request.header.Authorization",
    "name": "Test",
    "providerARNs": [
        "arn:aws:cognito-idp:<region>:<account>:userpool/<region>_<pool_id>"
    ],
    "type": "COGNITO_USER_POOLS",
    "id": "<id>"

which makes you think you should be able to set something up like the below, but there is still something missing here, as it is looking for the providerARN and I can't see how you are able to specify it through this module:
* aws_api_gateway_authorizer:<pool_name. Error creating API Gateway Authorizer: BadRequestException: The list of providerARNs cannot be empty.


resource "aws_api_gateway_authorizer" "<pool_name>" {
  rest_api_id                    = "${aws_api_gateway_rest_api.rest-api.id}"
  name                           = "<pool_name>"
  authorizer_uri                 = "arn:aws:cognito-idp:<region>:<account>:userpool/<region>_<pool_id>"
  identity_source                = "method.request.header.Authorization"
  type                           = "COGNITO_USER_POOLS"
  identity_validation_expression = "<id>"
}

Has anyone been able to get this to work?

Best
H

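Editor's added example, not code from either post above: the configuration both the original question and this reply are reaching for. It assumes an AWS provider version in which aws_api_gateway_authorizer accepts a provider_arns list (newer than the versions discussed in this thread; check your provider's documentation). All resource names, the pool name and the API path are hypothetical. The pool ARNs from the CLI output above go in provider_arns; authorizer_uri is only used for Lambda (TOKEN/REQUEST) authorizers.

```hcl
# Added example (not from the thread). Assumes an AWS provider that supports
# provider_arns on aws_api_gateway_authorizer; names below are placeholders.

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool" # hypothetical pool name
}

resource "aws_api_gateway_rest_api" "rest-api" {
  name = "example-api"
}

resource "aws_api_gateway_resource" "items" {
  rest_api_id = "${aws_api_gateway_rest_api.rest-api.id}"
  parent_id   = "${aws_api_gateway_rest_api.rest-api.root_resource_id}"
  path_part   = "items"
}

# For type COGNITO_USER_POOLS the user pool ARNs are passed in provider_arns.
# This is the value the "providerARNs" field in the CLI output corresponds to.
resource "aws_api_gateway_authorizer" "cognito" {
  name            = "cognito-authorizer"
  rest_api_id     = "${aws_api_gateway_rest_api.rest-api.id}"
  type            = "COGNITO_USER_POOLS"
  identity_source = "method.request.header.Authorization"
  provider_arns   = ["${aws_cognito_user_pool.pool.arn}"]
}

# The authorizer only protects methods that reference it. A method left at
# authorization = "NONE" stays reachable without a token, so every method
# that should require a signed-in user needs both settings below.
resource "aws_api_gateway_method" "get_items" {
  rest_api_id   = "${aws_api_gateway_rest_api.rest-api.id}"
  resource_id   = "${aws_api_gateway_resource.items.id}"
  http_method   = "GET"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = "${aws_api_gateway_authorizer.cognito.id}"
}
```

Two points worth checking against the failing configuration above: identity_validation_expression is an optional regular expression applied to the incoming token header, not a place for the authorizer id, so it can simply be omitted; and the "list of providerARNs cannot be empty" error is exactly what API Gateway returns when a COGNITO_USER_POOLS authorizer is created without provider_arns, which is why the authorizer_uri attempt fails.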

Peter Postmann

Jan 28, 2018, 7:44:13 PM1/28/18
to Terraform
Hi,

I found this via Google. There is an open issue for this on GitHub. I also documented my workaround there:
https://github.com/terraform-providers/terraform-provider-aws/issues/1106#issuecomment-361112140