Trying to figure out how to control access to spec...
# help
g
Trying to figure out how to control access to specific routes on my API using Cognito groups but I'm not getting anywhere with the AWS docs. Anyone have any good recommendations on how to achieve this?
f
Hey @Geoff Seemueller, I haven’t done this, but might be worth looking into the User Pool JWT authorizer and Lambda authorizer.
g
Thanks @Frank - I'm going to give it a go
f
With the JWT authorizer, see if you can include the Cognito group info in the JWT token’s scope, and then see if you can have the authorizer grant/reject the request based on the scope. I haven’t done something like this, u might need to google along this line.
With the Lambda authorizer, u can pretty much do anything. It’s a bit more work as you’d need to create the function.
g
Got it working! Found an example of someone using a pretokenGeneration trigger to map the user's Cognito groups to scopes (link). Then secured the route by setting authorizationScopes on the ApiHttpRouteProps of the handlers in the API Stack.
Thanks again for the help. So thankful for the support.