Tags: amazon-web-services, authentication, aws-api-gateway, amazon-cognito, aws-identitypools

How to integrate cognito identity pool with another AWS account for API Gateway access


I have a working project in AWS Account A which authenticates users using a Cognito user pool. I have successfully limited access to certain API Gateway endpoints (using AWS_IAM authorizers) by using fine-grained roles, policies, and an identity pool. This is all working fine. Now I am trying to figure out how to get an API Gateway endpoint in another AWS account (Account B) to use these same credentials (AccessKeyId, SecretAccessKey and SessionToken) from Account A, so that a user can hit the API Gateway endpoint in Account B without creating an identity pool ID etc. in Account B.

I tried one approach where I added another resource to an existing policy in Account A, one of the policies attached to the role that the user gets, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:us-east-1:<Account A id>:<api gateway resourceId account A>/*/*/*",
                "arn:aws:execute-api:us-east-1:<Account B id>:<api gateway resourceId account B>/*/*/*"
            ]
        }
    ]
}

So by adding the second resource, arn:aws:execute-api:us-east-1:<Account B id>:<api gateway resourceId account B>/*/*/*, my endpoints in Account B seem to work: when a user authenticates in Account A and gets the credentials (AccessKeyId, SecretAccessKey and SessionToken), they can use those same credentials to access the endpoints in Account B. To make this work, on the Account B API Gateway I had to enable the AWS_IAM authorizer as well.

So I was wondering if this is a valid approach for cross-account authorization? Are there any other ways where we don't have to manually update these policies specifically? Any thoughts?


Solution

  • IMO the approach is valid; make sure that the API's resource policy allows only the assumed identity role to perform actions (assuming this is your use case).

    You can also change the authorization type to Cognito and use the Cognito user access token and scopes to authorize access. Then you do not need to manage policies, see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-cross-account-cognito-authorizer.html.
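The resource policy the answer recommends, as an added example (not code from the question or the answer): it scopes the API in Account B to the Cognito identity pool's authenticated role from Account A, so that the identity policy in Account A and the resource policy in Account B together grant execute-api:Invoke, and a wildcard principal never opens the API to every AWS identity. All account IDs, the API ID, the stage name and the role name are placeholder assumptions.

```python
"""Added example: build, check and attach the Account B API Gateway resource
policy that pairs with the execute-api:Invoke identity policy in Account A."""
import json

# Placeholders: substitute your own account ids, API id, stage and role name.
ACCOUNT_A_ID = "111111111111"   # Account A: Cognito user pool + identity pool
ACCOUNT_B_ID = "222222222222"   # Account B: the REST API being called
API_ID_B = "abcdef1234"         # REST API id in Account B
REGION = "us-east-1"
STAGE = "prod"
COGNITO_AUTH_ROLE = "Cognito_MyPoolAuth_Role"  # identity pool authenticated role, Account A


def build_resource_policy() -> dict:
    """Resource policy for the API in Account B: only the authenticated
    identity-pool role from Account A may invoke it. The identity policy in
    Account A must also allow execute-api:Invoke on this same API ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A_ID}:role/{COGNITO_AUTH_ROLE}"},
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:{REGION}:{ACCOUNT_B_ID}:{API_ID_B}/{STAGE}/*/*",
        }],
    }


def principals_are_scoped(policy: dict) -> bool:
    """Reject Allow statements with a wildcard principal: with AWS_IAM auth
    that would let any signed AWS identity from any account reach the API."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return False
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if "*" in ([aws] if isinstance(aws, str) else aws):
            return False
    return True


def apply_resource_policy(policy: dict) -> None:
    """Attach the policy and redeploy the stage: a changed resource policy is
    only enforced after the API is deployed again. Run with Account B credentials."""
    import boto3  # imported here so build/check run without boto3 installed
    apigw = boto3.client("apigateway", region_name=REGION)
    apigw.update_rest_api(
        restApiId=API_ID_B,
        patchOperations=[{"op": "replace", "path": "/policy", "value": json.dumps(policy)}],
    )
    apigw.create_deployment(restApiId=API_ID_B, stageName=STAGE)
```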