-1

I'm trying to integrate Cognito using the built-in login dialog with AWS Chalice. This is what I tried:

# This passes in correct arn for my pool, not xxxx
authorizer = CognitoUserPoolAuthorizer(
    'end_users_dev', provider_arns=['arn:aws:cognito-idp:us-west-2:xxxx])

@app.route('/test', cors=True, authorizer=authorizer)
def test():
    return {"result": "Success with authorizer"}

@app.route('/test2', cors=True)
def test2():
    return {"result": "Success without authorizer"}

The second method (test2) works but the first method (test) returns (as expected):

{
    "message": "Unauthorized"
}

Now I attempt to make the test with authorization work by passing in a header:

Authorization: <the token I get passed in from the 
built in login page callback as "id_token">

I can verify the JWT token contents and signature manually and that the user pool is showing up in API Gateway as "Authorization" for the test resource, but I'm still getting the same "Unauthorized" message. What am I missing?

(Note: I also posted this at https://forums.aws.amazon.com/message.jspa?messageID=871715#871715 but haven't received any response in 2 days)

Edwin Evans
  • 2,726
  • 5
  • 34
  • 47

1 Answers1

4

I would check to make sure your IAM policy chalice is running allows access to cognito.

You can add these as needed from the AmazonCognitoPowerUser policy to your policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*",
                "cognito-idp:*",
                "cognito-sync:*",
                "iam:ListRoles",
                "iam:ListOpenIdConnectProviders",
                "sns:ListPlatformApplications"
            ],
            "Resource": "*"
        }
    ]
}

As see at the link below "

Whenever your application is deployed using chalice, the auto generated policy is written to disk at /.chalice/policy.json. When you run the chalice deploy command, you can also specify the --no-autogen-policy option. Doing so will result in the chalice CLI loading the /.chalice/policy.json file and using that file as the policy for the IAM role. You can manually edit this file and specify --no-autogen-policy if you'd like to have full control over what IAM policy to associate with the IAM role.

"

As seen under the policy section here: https://github.com/aws/chalice

$ chalice gen-policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Sid": "9155de6ad1d74e4c8b1448255770e60c"
    }
  ]
}
  • Oh! So it sounds like my best option will be to run chalice gen-policy and then replace the contents in policy.json with the snippet you provided at top? – Edwin Evans Oct 19 '18 at 17:26
  • 1
    Yay! It worked. Note, I already had a policy.json so didn't need to run gen-policy. Awarding bounty. – Edwin Evans Oct 19 '18 at 17:41
  • Hm, it isn't working in one of my environments now. Is there somewhere in Lambda or Gateway console where I can view the policies in AWS UI? (In one case it seems the policy file gets overwritten when deploying and in another it isn't) – Edwin Evans Oct 19 '18 at 19:02
  • yes, you can login to the console to verify the policy on the lambda. But you need to put your custom policy here /.chalice/policy.json and add the --no-autogen-policy flag to the chalice update command. –  Oct 19 '18 at 19:05
  • Ah. Cool. Actually I noticed the reason autogen wasn't working is because I had CognitoUserPoolAuthorizer set up wrong for that environment. Thanks again! – Edwin Evans Oct 19 '18 at 19:10