I would like to know how to set up a Lambda Function (AdminFunction) so that it can only be invoked by users in a specified group (AdminUserGroup). My YAML is:

  AdminUserGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: "AdminUserGroup"
      Description: Contains Staff Users
      Precedence: 0
      UserPoolId:
        Ref: UserPool

  AdminFunction:
    Type: AWS::Serverless::Function
    Properties:
      Description: admin functions
      CodeUri: admin/
      Handler: index.lambdaHandler
      Runtime: nodejs12.x
      Environment:
        Variables:
          USERPOOL_ID: !Ref UserPool
          VALUE_A: !Ref SomePropA
          VALUE_B: !Ref SomePropB
          USER_GROUP_ADMIN: !Ref AdminUserGroup
          TABLE_NAME: !Ref DynamoTable
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref DynamoTable
      Events:
        Users:
          Type: Api
          Properties:
            Path: /admin/{proxy+}
            Method: ANY
            Auth:
              Authorizer: << ONLY ADMIN USERS >>
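A Cognito User Pool authorizer on the API only verifies the caller's JWT; it does not check group membership, so the group rule has to be enforced by a Lambda authorizer or inside the function. The handler below is an added example, not code from the question or from AWS: it assumes the REST API proxy event shape (claims at `event.requestContext.authorizer.claims`) and that the `cognito:groups` claim arrives either as an array or as a flattened string such as `"[AdminUserGroup Users]"` or `"AdminUserGroup,Users"`.

```javascript
// Group name to require; USER_GROUP_ADMIN mirrors the env var in the template
// (assumed to resolve to the group name). Falls back to the literal for local runs.
const REQUIRED_GROUP = process.env.USER_GROUP_ADMIN || 'AdminUserGroup';

// Normalise the cognito:groups claim. A raw JWT carries an array; API Gateway
// flattens claims to strings, so bracketed or comma/space separated forms are
// accepted too (assumed formats, handled defensively).
function parseGroups(claim) {
  if (!claim) return [];
  if (Array.isArray(claim)) return claim.map(String);
  return String(claim)
    .replace(/^\[|\]$/g, '')
    .split(/[,\s]+/)
    .filter(Boolean);
}

// True only if the authorizer-supplied claims place the caller in the admin group.
function isAdmin(event, requiredGroup = REQUIRED_GROUP) {
  const rc = event && event.requestContext;
  const claims = rc && rc.authorizer && rc.authorizer.claims;
  if (!claims) return false; // no authorizer context: deny by default
  return parseGroups(claims['cognito:groups']).includes(requiredGroup);
}

// Handler: deny before any admin logic or DynamoDB access runs.
async function lambdaHandler(event) {
  if (!isAdmin(event)) {
    return { statusCode: 403, body: JSON.stringify({ message: 'Forbidden' }) };
  }
  return { statusCode: 200, body: JSON.stringify({ message: 'admin ok' }) };
}

// Constructed sample events for local testing (not real tokens or users).
const adminEvent = { requestContext: { authorizer: { claims: { sub: 'u1', 'cognito:groups': '[AdminUserGroup Users]' } } } };
const userEvent = { requestContext: { authorizer: { claims: { sub: 'u2', 'cognito:groups': 'Users' } } } };
const anonEvent = { requestContext: {} };
```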