Keep in mind that you can also use the traditional [Authorize] attribute with Cognito in Lambda, assuming you're using the Amazon.Lambda.AspNetCoreServer NuGet package to run ASP.NET Core in Lambda. If that is what you're doing (with a Web API or MVC project that has controllers), you can create a custom AuthorizationHandler that checks the user's claims in their Cognito-issued JWT token.
I wrote a sample app that demonstrates this long ago (2017), which is here: https://github.com/Kirkaiya/ServerlessWebApiWithCognito
The two main files you could adapt are CognitoGroupAuthorizationHandler.cs and CognitoGroupAuthorizationRequirement.cs
As the readme makes clear, that project was created when .NET Core 1.0 was supported in Lambda, so don't follow the rest of the blog's advice on which NuGet packages to use, etc. But the core idea - a custom AuthorizationHandler and an IAuthorizationRequirement implementation - should still work fine. You wire them up in the ConfigureServices(IServiceCollection services) method; check the source code.
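A sketch of the handler-plus-requirement pattern described in this answer, added here as an example; it is not the code from the linked repository. The class names, the policy name "AdminsOnly", the group name "Admins" and the `region`, `userPoolId` and `appClientId` parameters are hypothetical.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical requirement: the caller must belong to the named Cognito group.
public class CognitoGroupRequirement : IAuthorizationRequirement
{
    public string Group { get; }
    public CognitoGroupRequirement(string group) => Group = group;
}

public class CognitoGroupHandler : AuthorizationHandler<CognitoGroupRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CognitoGroupRequirement requirement)
    {
        // The "cognito:groups" array in the token surfaces as one claim per group.
        // Exact, case-sensitive match; without Succeed() the policy fails closed.
        if (context.User.Claims.Any(c =>
                c.Type == "cognito:groups" && c.Value == requirement.Group))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class CognitoAuthSetup
{
    // Call from ConfigureServices(IServiceCollection services).
    public static void AddCognitoGroupPolicy(this IServiceCollection services,
        string region, string userPoolId, string appClientId)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                // Signing keys are discovered from the user pool's OIDC metadata.
                o.Authority = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}";
                o.MapInboundClaims = false; // keep claim names as they appear in the token
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateLifetime = true,
                    // ID tokens carry the app client id in "aud". Access tokens have
                    // "client_id" instead and need a separate check on that claim.
                    ValidAudience = appClientId
                };
            });
        services.AddAuthorization(o => o.AddPolicy("AdminsOnly",
            p => p.Requirements.Add(new CognitoGroupRequirement("Admins"))));
        services.AddSingleton<IAuthorizationHandler, CognitoGroupHandler>();
    }
}
```

Controllers or actions then opt in with `[Authorize(Policy = "AdminsOnly")]`; a bare `[Authorize]` only requires a valid token and does not check group membership.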
If you are using API Gateway in front of the Lambda functions, the general guidance is to use a Lambda authorizer. A Lambda authorizer streamlines the implementation of role-based access control (RBAC) in serverless applications by serving as a middleware between the client and the Lambda function. When a request is made, the authorizer intercepts it and verifies the requester's identity and permissions based on predefined policies or rules. It then grants or denies access to the requested resource accordingly. By abstracting away the access control logic from the application code, Lambda authorizers provide a centralized and scalable approach to enforce security, allowing developers to focus on building the core functionalities of their serverless applications.
See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html.
Great! Thank you for the details. I will try to port your sample to .NET 6. A few more questions: I use Lambda .NET with 2 entry points, Local and AWS. How do I test the app in a local environment? I.e., do I need access to Cognito anyway, or can it be somehow simulated? Also, I am not creating a client app now, so how can I test the Lambda methods in Swagger? What should I do with Cognito?
@Oleg - The local entry point will be used if you are testing locally - you can just run in debug mode locally (in Visual Studio is the easiest way), and then step through your code. When the Lambda function is deployed to AWS Lambda, it will use the Lambda entry point.
For testing your function, you can do three different things:
If you have added Swagger, or Swashbuckle, then running your function locally, you can hit the swagger endpoint in your browser, and test out the APIs that way, of course. That should also work with Lambda deployed to AWS, with API Gateway, but might take some configuration and testing.
Now, if you are using the [Authorize] attribute on your controller (or controller action methods), you would need to provide a JWT token. You could either authenticate against Cognito manually and grab the JWT token out of your browser's local storage, or alternatively generate your own and accept those also in code (I can provide sample code for creating a JWT if you want).