# sst
o
Hey guys, we have an existing user pool and identity pool in our main AWS account and are currently looking to set up SST in another AWS account and have its APIs authorized by this existing user pool and identity pool. We are using ApiAuthorizationType.AWS_IAM. In older posts, it was mentioned that importing an existing identity pool was not supported by CDK. Was wondering if anyone found a way to get around this or has alternative solutions/ideas? Thanks!
s
Guide for REST API, assume it's applicable for HTTP API: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-cross-account-cognito-authorizer.html If you are using AWS_IAM auth then the X-Signature is your authentication header. Would the authorizer on your API not need to be a Cognito authorizer? Just to clarify, are you using AWS Cognito, or are you trying to give cross-account IAM access to AWS users, not Cognito pool users?
o
Hey Simon, I looked into this guide before, but was under the assumption that this sets up JWT-based auth instead of IAM with an identity pool. We are using AWS Cognito, where we have a Cognito user pool that plugs into a Cognito identity pool, and we want to use that to auth API access in a new SST app. It probably does not need the added complexity of doing this cross-account. Just wondering how we can avoid recreating the user pools / identity pools in CDK or going with the JWT route with the user pool instead of the identity pool (IAM). Let me know if this makes sense.
s
Yeah, makes sense. I don't think you can have an identity pool do this unless, as part of its policy, it assumes a role in the account the API is in. The other option might be a resource policy on the API itself that states the cross-account Cognito identity ARN can act as a principal and grants invoke API to that principal. Does that make sense?