Hi, I’m using a Cognito User Pools authorizer to protect a single GraphQL route in APIG. The APIG is set up with Lambda proxy integration and the Lambda runs a monolithic Apollo server to perform queries against RDS, etc. On the frontend I use Amplify to authenticate the user and then send the generated JWT in the header of the GraphQL request. The APIG validates the token and executes the query. If the JWT is invalid, access is denied and the target Lambda is not invoked.
Now I want to have guest access to my endpoint. From what I understand, I need to switch the authorizer to aws_iam in order to use an identity pool that associates authenticated and unauthenticated sessions with IAM roles. I was able to get a test working with aws_iam and SigV4, but now the context in the target Lambda does not have the user claims from the User Pool JWT.
Is there a way to integrate User Pool claims with Identity Pool within the infrastructure setup? (somehow automatically linking user pool with identity pool data)
Or, is using a custom authorizer to decode the JWT and pass the claims to the context the only way to get the user claims (email, username, etc.) in the target Lambda?
If I use a custom authorizer, what happens when there is no JWT present?
If I do switch to aws_iam, this now involves an identity pool instead of going straight to the user pool. So I am guessing the user ID (sub in the Cognito pool) will have to change. So will I have to update my database to the federated user ID from the identity pool instead of using sub from the user pool?
Are a custom authorizer and aws_iam two separate methods, or can they work together?
to quote Ron Burgundy: “well, that escalated quickly”
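As an added example (not part of the original post and not Amplify's or API Gateway's own code), here is how the proxy-integrated Lambda can recover a stable caller identity on both paths the post compares, and fall back to a guest identity when no user is present. It assumes the documented shape of the proxy event: with aws_iam and Identity Pool credentials, API Gateway fills `requestContext.identity.cognitoIdentityId` and, for a signed-in User Pool user, `requestContext.identity.cognitoAuthenticationProvider` (which embeds the User Pool `sub`); with a custom authorizer, the claims the authorizer copied into its `context` map appear under `requestContext.authorizer`, while the built-in User Pool authorizer nests them under `requestContext.authorizer.claims`. The sample events, pool id and subject values are constructed.

```python
"""Added example, not from the original post: derive the caller inside the Lambda
proxy target from requestContext only. Those fields are written by API Gateway after
the authorizer or SigV4 check has already passed, so they are the only trustworthy
source of identity; never read identity from client-controlled headers or the body.
All event dictionaries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Assumed (constructed) User Pool id; a real deployment would read it from config.
EXPECTED_USER_POOL_ID = "us-east-1_EXAMPLE"


@dataclass(frozen=True)
class Caller:
    kind: str                      # "user" or "guest"
    user_pool_sub: Optional[str]   # User Pool subject: the key already stored in RDS
    identity_id: Optional[str]     # Identity Pool identityId, present only on the aws_iam path
    email: Optional[str] = None


def parse_auth_provider(provider: str) -> Optional[Tuple[str, str]]:
    """Return (userPoolId, sub) from cognitoAuthenticationProvider, whose documented
    form for a User Pool login is
    'cognito-idp.<region>.amazonaws.com/<poolId>,<same>:CognitoSignIn:<sub>'.
    Returns None for any other provider (social IdP, malformed value)."""
    marker = ":CognitoSignIn:"
    for part in provider.split(","):
        if marker in part:
            pool_uri, _, sub = part.partition(marker)
            pool_id = pool_uri.rsplit("/", 1)[-1]
            if pool_id and sub:
                return pool_id, sub
    return None


def caller_from_event(event: Dict[str, Any],
                      expected_pool_id: str = EXPECTED_USER_POOL_ID) -> Caller:
    """Map a Lambda proxy event to a Caller.  Authorizer-forwarded claims win;
    otherwise the Identity Pool fields are used; anything else is a guest."""
    ctx = event.get("requestContext") or {}

    # Path 1: custom authorizer (claims flat in the map) or built-in User Pool
    # authorizer (claims nested under "claims").
    authorizer = ctx.get("authorizer") or {}
    claims = authorizer.get("claims") or authorizer
    if isinstance(claims, dict) and claims.get("sub"):
        return Caller("user", str(claims["sub"]), None, claims.get("email"))

    # Path 2: aws_iam with Identity Pool credentials.  The User Pool sub survives
    # inside cognitoAuthenticationProvider, so the database key need not change.
    identity = ctx.get("identity") or {}
    identity_id = identity.get("cognitoIdentityId")
    provider = identity.get("cognitoAuthenticationProvider")
    if provider:
        parsed = parse_auth_provider(provider)
        # Only trust subs issued by our own pool; anything else is treated as guest.
        if parsed and parsed[0] == expected_pool_id:
            return Caller("user", parsed[1], identity_id)

    # Unauthenticated Identity Pool role (identityId set, no provider), a non-Cognito
    # IAM principal, or no identity information at all: all are guests here.
    return Caller("guest", None, identity_id)


# Constructed sample events for the three situations the post describes.
_PROVIDER = ("cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE,"
             "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
             ":CognitoSignIn:11111111-2222-3333-4444-555555555555")
IAM_USER_EVENT = {"requestContext": {"identity": {
    "cognitoIdentityId": "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "cognitoAuthenticationType": "authenticated",
    "cognitoAuthenticationProvider": _PROVIDER}}}
IAM_GUEST_EVENT = {"requestContext": {"identity": {
    "cognitoIdentityId": "us-east-1:99999999-8888-7777-6666-555555555555",
    "cognitoAuthenticationType": "unauthenticated",
    "cognitoAuthenticationProvider": None}}}
CUSTOM_AUTHORIZER_EVENT = {"requestContext": {"authorizer": {
    "principalId": "11111111-2222-3333-4444-555555555555",
    "sub": "11111111-2222-3333-4444-555555555555",
    "email": "user@example.invalid"}}}


if __name__ == "__main__":
    for name, ev in [("iam user", IAM_USER_EVENT), ("iam guest", IAM_GUEST_EVENT),
                     ("custom authorizer", CUSTOM_AUTHORIZER_EVENT)]:
        print(name, caller_from_event(ev))
```

On the "what happens when there is no JWT" question: if a REQUEST or TOKEN authorizer is configured with an identity source and the request lacks it, API Gateway returns 401 without invoking the authorizer at all, so a guest branch inside the authorizer only runs when the identity source is left unconfigured; the Identity Pool route above avoids that problem because unauthenticated sessions still carry a signed request.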