AWS Cognito Custom Lambda Authorizer in API Gateway for RBAC
First, create the user pool as explained in one of my previous blogs.
Now create a DynamoDB table named access_control, keyed by email, with roles and urls as its other attributes.
Now create the Lambda function that will act as the Lambda authorizer. The code is at https://github.com/vineetkarandikar/aws-samples/blob/main/vineet-medium-lambda-authorizer.js
The Lambda authorizer uses the third-party library cognito-verify-token to verify the JWT passed by the client. I have modified it slightly to suit my needs; the modified code is at https://github.com/vineetkarandikar/aws-samples/blob/main/verify-cognito-token/index.js
The authorizer first checks that the token is valid (signature, issuer, audience and expiry), then takes the email claim from the verified JWT, fetches that email's list of allowed URLs from the access_control table in DynamoDB, and compares the requested URL against that list. If the requested URL is in the list the request is allowed; otherwise it is rejected.
Here is our custom Lambda authorizer using the Cognito service.
Cognito user pools do not give you RBAC on their own. Adding custom scopes to the user pool does not change the access tokens returned by the user pool API (InitiateAuth and its variants): every user's access token carries only the default scope "scope": "aws.cognito.signin.user.admin", so the scope claim cannot be used to tell roles apart. Custom scopes are issued only through the OAuth 2.0 token endpoint against a resource server, which is why this design keeps the role-to-URL mapping in DynamoDB instead.