Towards AWS

Where Cloud Experts, Heroes, Builders, and Developers share their stories, experiences, and solutions.


DevOps Automation: Secure API Gateway with Cognito and a Custom Domain in Route53 Using Terraform

Joel Wembo
Published in Towards AWS
14 min read · Apr 8, 2024


As an alternative to using IAM roles and policies or Lambda authorizers (formerly known as custom authorizers), you can use an Amazon Cognito user pool to control who can access your API in Amazon API Gateway.

AWS Cognito Architecture

Abstract

The client-server pattern is widely adopted for web applications. Access control restricts the backend server's resources to authorized clients by authenticating each client and granting fine-grained access based on who that client is.

This article shows how to implement DevOps automation for a secure API Gateway: Amazon Cognito for authentication, a custom domain in Route 53 with an SSL certificate, Terraform for infrastructure as code, Terraform Cloud for state management, and GitHub Actions for the CI/CD pipeline.

API Gateway supports both REST APIs and HTTP APIs. REST APIs integrate directly with Amazon Cognito as an authorizer, while HTTP APIs control access with a JSON Web Token (JWT) authorizer that validates tokens issued by Amazon Cognito. A Lambda function can be integrated behind API Gateway as the backend. The client is responsible for authenticating with Amazon Cognito to obtain the access token.

  1. The client starts authentication with Amazon Cognito to obtain the access token.
  2. The client sends a REST API or HTTP API request with a header that contains the access token.
  3. API Gateway is configured with either:
     • an Amazon Cognito user pool as the authorizer, which validates the access token in REST API requests, or
     • a JWT authorizer, which interacts with the Amazon Cognito user pool to validate the access token in HTTP API requests.
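The two authorizer options from step 3, expressed as Terraform. This is an added example, not the article's own code: the resource names are assumed, and the Lambda integration, deployment/stage, and custom domain that the article sets up are left out so that only the token-validation wiring is shown.

```hcl
# Cognito user pool that issues the tokens; app client the browser/mobile client uses
resource "aws_cognito_user_pool" "this" {
  name = "example-user-pool"
}
resource "aws_cognito_user_pool_client" "this" {
  name         = "example-app-client"
  user_pool_id = aws_cognito_user_pool.this.id
}

# REST API: a COGNITO_USER_POOLS authorizer validates the token in the Authorization header
resource "aws_api_gateway_rest_api" "rest" {
  name = "example-rest-api"
}
resource "aws_api_gateway_authorizer" "cognito" {
  name            = "cognito-user-pool"
  rest_api_id     = aws_api_gateway_rest_api.rest.id
  type            = "COGNITO_USER_POOLS"
  identity_source = "method.request.header.Authorization"
  provider_arns   = [aws_cognito_user_pool.this.arn]
}
# Every method must opt in; a method left at authorization = "NONE" is publicly callable
resource "aws_api_gateway_method" "get_root" {
  rest_api_id   = aws_api_gateway_rest_api.rest.id
  resource_id   = aws_api_gateway_rest_api.rest.root_resource_id
  http_method   = "GET"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = aws_api_gateway_authorizer.cognito.id
}

# HTTP API: a JWT authorizer checks signature, issuer and audience against the user pool
resource "aws_apigatewayv2_api" "http" {
  name          = "example-http-api"
  protocol_type = "HTTP"
}
resource "aws_apigatewayv2_authorizer" "jwt" {
  api_id           = aws_apigatewayv2_api.http.id
  name             = "cognito-jwt"
  authorizer_type  = "JWT"
  identity_sources = ["$request.header.Authorization"]
  jwt_configuration {
    issuer   = "https://${aws_cognito_user_pool.this.endpoint}"
    audience = [aws_cognito_user_pool_client.this.id] # only tokens minted for this app client
  }
}
resource "aws_apigatewayv2_route" "get_root" {
  api_id             = aws_apigatewayv2_api.http.id
  route_key          = "GET /"
  authorization_type = "JWT"
  authorizer_id      = aws_apigatewayv2_authorizer.jwt.id
}
```

A request without a valid token from this user pool and app client is rejected by API Gateway before it reaches the Lambda backend; a `terraform plan` against this fragment is a quick way to confirm that no route or method is left unauthenticated.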

Table of Contents

· Abstract
· Table of Contents
· Prerequisites
· What is Cognito?
· Why GitHub Actions?
· 1. Create AWS Access Keys
· 2. Terraform Cloud Configuration
· 3. CI/CD Workflows Setup with GitHub Actions
· 4. backend.tf
· 5. acm_certificate.tf
· 6. provider.tf
· 7. Lambda function and path
· 8. Cognito
· 9. Set Up Custom Domain
· 10. Create Route53 Hosted Zone
· 11. Validate and Test your solution
· 12. Check result in app.terraform.io
· 13


Written by Joel Wembo

Cloud Solutions Architect @ prodxcloud. Expert in Django, AWS, Azure, Kubernetes, Serverless Computing & Terraform. https://www.linkedin.com/in/joelotepawembo
