Hey guys, I am using serverless stack and cognito,...
# help
Hey guys, I am using serverless stack and Cognito. How do I restrict API Gateway paths to certain users? For example, if there are admins and non-admins, I want only admins to be able to access the /billing API. Thanks.
This depends on the level at which you want to prevent the access. If you want to prevent access to even calling the endpoint, you can use something like a condition policy. I put org IDs in my JWT claims, forward them to the role assumed by the identity pool, and write this as the policy, where org is a UUID. This means unauthorized persons will get a 403.
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';

// Attached to the role assumed via the identity pool. The `org` principal tag is
// populated from the JWT claim, so the IAM policy variable resolves per caller
// and a caller can only invoke GET routes under its own org prefix.
const tenantPolicy = new PolicyStatement({
  sid: 'AllowExecuteApiOnSpecificOrgRoute',
  effect: Effect.ALLOW,
  actions: ['execute-api:Invoke'],
  resources: [
    // `\${...}` keeps the literal IAM variable ${aws:PrincipalTag/org} in the ARN
    // instead of interpolating it at synth time.
    `arn:aws:execute-api:${this.region}:${this.account}:${this.api.httpApi.apiId}/$default/GET/\${aws:PrincipalTag/org}/*`,
  ],
});
Another option is to do it inside the lambda, by looking at the groups and claims of the user, if you are using an API Gateway JWT authorizer.
Yeah, I second @Simon Reilly’s point. You can also manage the user role yourself in the DB, especially if you are using an IAM authorizer for your endpoint; you don’t get the claim details as in the JWT authorizer case.