Stack Overflow Asked on December 9, 2021
I would like to know how to set up a Lambda Function (AdminFunction) so that it can only be invoked by users in a specified group (AdminUserGroup). My YAML is:
```yaml
  AdminUserGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: "AdminUserGroup"
      Description: Contains Staff Users
      Precedence: 0
      UserPoolId:
        Ref: UserPool
  AdminFunction:
    Type: AWS::Serverless::Function
    Properties:
      Description: admin functions
      CodeUri: admin/
      Handler: index.lambdaHandler
      Runtime: nodejs12.x
      Environment:
        Variables:
          USERPOOL_ID: !Ref UserPool
          VALUE_A: !Ref SomePropA
          VALUE_B: !Ref SomePropB
          USER_GROUP_ADMIN: !Ref AdminUserGroup
          TABLE_NAME: !Ref DynamoTable
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref DynamoTable
      Events:
        Users:
          Type: Api
          Properties:
            Path: /admin/{proxy+}
            Method: ANY
            Auth:
              Authorizer: << ONLY ADMIN USERS >>
```
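One way to enforce the group restriction inside the handler, as an added example that is not part of the original question. It assumes a Cognito user pool authorizer is attached to the `/admin/{proxy+}` event (such an authorizer accepts any valid user of the pool and does not check group membership), that the validated claims arrive at `event.requestContext.authorizer.claims`, and that `cognito:groups` is delivered as a comma-separated string; `groupsFromClaims`, `authorize` and `SAMPLE_EVENT` are hypothetical names.

```javascript
// Added example (not from the original question). Group name comes from the
// template's USER_GROUP_ADMIN variable (!Ref AdminUserGroup).
const ADMIN_GROUP = process.env.USER_GROUP_ADMIN;

// Normalise the cognito:groups claim to an array of exact group names.
// Assumption: it arrives as a comma-separated string (or already as an array).
function groupsFromClaims(claims) {
  const raw = claims ? claims['cognito:groups'] : undefined;
  if (Array.isArray(raw)) return raw.map(String);
  if (typeof raw !== 'string') return [];
  return raw.split(',').map((g) => g.trim()).filter(Boolean);
}

// Returns null when the caller may proceed, otherwise the response to send.
function authorize(event, requiredGroup) {
  const deny = (statusCode, message) => ({ statusCode, body: JSON.stringify({ message }) });
  if (!requiredGroup) return deny(500, 'Admin group not configured'); // fail closed
  const ctx = (event && event.requestContext) || {};
  const claims = ctx.authorizer && ctx.authorizer.claims;
  if (!claims) return deny(401, 'Unauthorized'); // route has no authorizer claims
  // Exact, case-sensitive match: "AdminUserGroupX" must not pass.
  if (!groupsFromClaims(claims).includes(requiredGroup)) return deny(403, 'Forbidden');
  return null;
}

async function lambdaHandler(event) {
  const denied = authorize(event, ADMIN_GROUP);
  if (denied) return denied;
  // Admin-only work (for example the DynamoDB calls) goes here.
  return { statusCode: 200, body: JSON.stringify({ ok: true }) };
}

// Constructed sample of the relevant part of an API Gateway proxy event.
const SAMPLE_EVENT = {
  requestContext: { authorizer: { claims: {
    sub: '00000000-0000-0000-0000-000000000000',
    'cognito:groups': 'Staff,AdminUserGroup',
  } } },
};

if (typeof module !== 'undefined') module.exports = { lambdaHandler };
```

The check fails closed: a missing environment variable, a request without authorizer claims, or a user with no groups is rejected before any admin logic runs.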