Hey guys, I'm looking at the best practices guide ...
# help
Aman Saran:
Hey guys, I'm looking at the best practices guide and trying to absorb what I can from it for my own use case. Basically I have an iOS client and I'm using the Amplify Auth library to handle user sign ups and authentication. After authenticating the user, I pull the `idToken` from the session and use that in the `Authorization` header in subsequent requests. My lambda functions are built using the serverless framework and are based heavily on the ones described in the `notes-api` here: https://github.com/AnomalyInnovations/serverless-stack-demo-ext-api/tree/master/services/notes-api

From this point, the `requestContext` pulled off of the `event` object in the lambda seems to have the claims object correctly populated; however, the fields in the identity object all appear to be `null`, including `cognitoIdentityId` (I'm assuming this is the equivalent of a user ID?), which I want to use as the partition key in DynamoDB. My questions are:

1. Is this the correct way to achieve the intended result?
2. API Gateway seems to give me the option to use AWS IAM or the Cognito User Pool itself as an Authorizer in the method request. The example serverless.yml files seem to use AWS IAM. Is that the correct Authorizer to use here or should I use the Cognito User Pool?
3. The documentation for AWS IAM seems to suggest signing requests using something called Signature V4. Is this different from using a token in the headers as I am attempting to do?
4. When using AWS IAM, I get a 403 back from API Gateway with an error message similar to the following:

   `Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter.`

   This message does not happen when using the Cognito User Pool as my authorizer. Is this expected behavior? From doing a Google search, it appears that my request needs to be signed using the aforementioned Signature V4 system to get around this.
5. From searching, many posts seem to suggest that I need to enable the `Invoke with caller credentials` setting in the integration request portion of the API Gateway set up. This option is greyed out when using the Cognito User Pool option and is only available if I use AWS IAM. Is this something I need to get the identity information?
6. Not really a question, but I did also try using a mapping template to map the cognito identity ID from the context to a custom field, which was suggested by some posts I read, and that also returned null.

Sorry for the lengthy post! I've been blocked by my lack of understanding of Cognito and API Gateway for the last few days and I'm trying to figure out how to properly set these things up so I can move forward. Thanks for any help!
Frank:
Hey @Aman Saran, from reading your post, I sense some confusion. It's not clear whether you are trying to use AWS IAM or JWT for API auth. It might be helpful if you decide on that first, because the way you sign the request is different, the Lambda payload (i.e. the event) is different, the request headers are different, etc.
I have to agree API auth is very confusing. The AWS doc doesn't do a great job explaining it, but it's a good starting point: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-access-control.html
The Serverless Stack guide uses AWS IAM for API auth, so the repo you referenced uses that. And you'd need to use Signature V4 to sign your API request. This is not required if you were using the JWT approach.
Aman Saran:
Hey @Frank, thanks, that clears things up a bit. I was attempting to use AWS IAM with a JWT approach as I did not fully understand the difference with AWS IAM.
Frank:
Yeah, if you just want to protect your API endpoint, you can use either. But if you want your frontend users to interact with the other AWS resources (i.e. uploading directly to an S3 bucket), IAM auth is probably easier.
You can theoretically use a mix of both IAM and JWT, but I'd focus on learning/using purely IAM or purely JWT for now 🙂
Aman Saran:
Haha, yeah, good call. Thanks for your help, man!