
AWS API gateway - how to do S3 Cognito userpool-restricted folder access?

My application uses Cognito user pools to restrict access so that each user may access their own personal folder read/write in a "private" bucket. In a "public" bucket it is the same, except that everyone has read access to everything and write access only to their own folder. This all works fine when accessed via the JavaScript S3 SDK.

I am now trying to implement access via the API Gateway talking to a Lambda function which accesses S3.

The problem is that it appears that the Cognito Userpool identity is not being used by the Lambda function. If I give the Lambda function role total S3 access then the function is able to access S3 fine and the function works. If however I have the role policies in place to restrict by Cognito Userpool ID as described above, then I get access denied.

It appears to me that the Userpool Cognito Identity is not what the Lambda function is using.

Can anyone suggest the correct configuration for this setup?

thanks

API Gateway and Lambda do not automatically support this use case.

The Lambda function is running with the identity of its execution role, thus its context won't contain the identity attributes from the Cognito user pool. (The context object in the Lambda function contains the context from Lambda's perspective.)

API Gateway exposes the Cognito user pool identity information via the $context.authorizer.claims variable within API Gateway. To access this information from within your Lambda function, you must modify your body mapping template in API Gateway to pass the desired data from $context.authorizer.claims to your Lambda function via the request body. Your Lambda function then reads this information from the request body like any other field.

In this scenario there is no mechanism to automatically restrict permissions to S3 buckets/objects on a per Cognito-user basis. You could implement logic within your Lambda function to enforce it using custom code.
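As an added illustration of the approach the answer describes (example code, not from the question, the answer or AWS): the API Gateway body mapping template copies the verified `sub` claim out of `$context.authorizer.claims` into the request body, and the Lambda handler enforces the question's folder rules itself before touching S3. The mapping template text, the `users/<sub>/` object layout and the bucket names are assumptions; the in-memory `_memory_s3` stand-in replaces boto3 so the example runs offline.

```python
"""Per-user S3 folder enforcement inside a Lambda behind API Gateway (added example).

Assumptions (not from the original page): the integration request uses the
hypothetical MAPPING_TEMPLATE below, every user's objects live under
'users/<cognito sub>/' in both buckets, and bucket names are placeholders.
"""
import json

# Hypothetical VTL body mapping template for the API Gateway integration request.
# $context.authorizer.claims.sub is filled in by API Gateway from the JWT that the
# Cognito user pool authorizer already verified; the client cannot set it.
MAPPING_TEMPLATE = """{
  "sub": "$context.authorizer.claims.sub",
  "bucket": "$input.params('bucket')",
  "key": "$input.params('key')",
  "action": "$input.params('action')",
  "body": $input.json('$.body')
}"""

PRIVATE_BUCKET = "example-private-bucket"  # placeholder bucket name
PUBLIC_BUCKET = "example-public-bucket"    # placeholder bucket name
READ_ACTIONS = {"get", "list"}
WRITE_ACTIONS = {"put", "delete"}


class AccessDenied(Exception):
    """Raised for any request the caller is not allowed to make."""


def user_prefix(sub):
    """Folder owned by the caller. A Cognito 'sub' is a UUID, so reject anything else."""
    if not sub or "/" in sub or sub in (".", ".."):
        raise AccessDenied("missing or malformed subject claim")
    return f"users/{sub}/"


def canonical_key(key):
    """Reject keys that could escape a prefix: leading '/', empty or '.'/'..' components.
    A trailing '/' is allowed so that 'list' can name a folder."""
    if not key:
        raise AccessDenied("empty key")
    parts = key.split("/")
    if any(p in ("", ".", "..") for p in parts[:-1]) or parts[-1] in (".", ".."):
        raise AccessDenied("malformed key")
    return key


def authorize(bucket, key, action, sub):
    """Apply the question's rules: private bucket is own-folder only for everything;
    public bucket is world-readable but writable only inside the caller's own folder."""
    prefix = user_prefix(sub)
    key = canonical_key(key)
    if action in READ_ACTIONS:
        if bucket == PUBLIC_BUCKET:
            return True
        if bucket == PRIVATE_BUCKET:
            return key.startswith(prefix)
        return False
    if action in WRITE_ACTIONS:
        return bucket in (PUBLIC_BUCKET, PRIVATE_BUCKET) and key.startswith(prefix)
    return False


_STORE = {}  # constructed in-memory stand-in for S3 so the example runs offline


def _memory_s3(bucket, key, action, body):
    """Stand-in for the boto3 calls a real handler would make after authorization."""
    if action == "put":
        _STORE[(bucket, key)] = body
        return {"stored": key}
    if action == "get":
        if (bucket, key) not in _STORE:
            return {"error": "NoSuchKey"}
        return {"key": key, "body": _STORE[(bucket, key)]}
    if action == "delete":
        _STORE.pop((bucket, key), None)
        return {"deleted": key}
    if action == "list":
        return {"keys": sorted(k for b, k in _STORE if b == bucket and k.startswith(key))}
    return {"error": "unsupported action"}


def lambda_handler(event, context=None, s3_op=_memory_s3):
    """Entry point. 'event' is the JSON produced by MAPPING_TEMPLATE, already parsed.
    The only identity that matters is event['sub']; nothing else from the client is trusted."""
    try:
        if not authorize(event.get("bucket", ""), event.get("key", ""),
                         event.get("action", ""), event.get("sub")):
            raise AccessDenied("not permitted for this user")
    except AccessDenied as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    result = s3_op(event["bucket"], event["key"], event["action"], event.get("body"))
    return {"statusCode": 200, "body": json.dumps(result)}
```

The check in `authorize` is the whole boundary: the execution role keeps whatever S3 permissions it was granted, so the handler must derive the folder from the authorizer-supplied `sub` and never from a user id the client sends in the request, and it must reject keys containing `..` or empty components before comparing prefixes.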
