AWS AppSync unauthenticated access WITHOUT Amplify - amazon-cognito

Does anyone know how to configure AWS IAM/Cognito/AppSync to allow access to the AppSync API for unauthenticated users, without using Amplify? I see a lot of examples of how to configure it WITH Amplify and API keys (they expire).
I already have:
a Cognito Identity Pool with roles for authenticated and unauthenticated access
the role for unauthenticated access modified to allow read access to the AppSync resources (wildcards)
An AppSync API with IAM as the default authentication method
What I miss in documentation and examples is:
how to connect AppSync to this specific Identity Pool
how to make an unauthenticated call using Postman or JavaScript in a browser

How to make an unauthenticated call using Postman?
According to appsync docs:
Unauthenticated APIs require more strict throttling than authenticated
APIs. One way to control throttling for unauthenticated GraphQL
endpoints is through the use of API keys. An API key is a hard-coded
value in your application that is generated by the AWS AppSync service
when you create an unauthenticated GraphQL endpoint.
So having ABC123 as the api key, you can send a query this way:
$ curl -XPOST -H "Content-Type:application/graphql" -H "x-api-key:ABC123" -d '{ "query": "query { movies { id } }" }' https://YOURAPPSYNCENDPOINT/graphql
Edit: Sorry, didn't realize it was an Identity Pool, not User Pools. Leaving it here anyway. The below is for USER POOLS.
How to connect AppSync to this specific Identity Pool?
When you create the default authorization mode in your appsync or when you add Additional authorization providers, you set the requirements for any mode you specify. In the case of AMAZON_COGNITO_USER_POOLS you set the following:
AWS Region
user pool
default action
The way you create the resources may vary from one tech to another, for example, using the aws cli:
$ aws appsync --region us-west-2 create-graphql-api --authentication-type AMAZON_COGNITO_USER_POOLS --name userpoolstest --user-pool-config '{ "userPoolId":"test", "defaultEffect":"ALLOW", "awsRegion":"us-west-2"}'
For more explanation check appsync documentation (link provided), the examples are from there.

Related

How to get rest API of AWS Cognito

In our project we are using API Gateway to get authenticated by Cognito User Pool.
Now, we are checking whether, instead of hitting API Gateway, we can directly hit Cognito for authenticating users.
So, wanted to check if there is any API of AWS cognito-idp admin-initiate-auth to get the tokens without using the CLI command?
Please refer to the link here. You will also find more information about using this API in one of the language-specific AWS SDKs.
For a complete list of all Amazon Cognito API references, refer here

API Gateway with Cognito and LoginWithAmazon

I am creating a REST API on API Gateway and want to use Cognito (User Pool) with LWA for authentication.
Anyone calling the API should be able to use their Amazon account credentials to get access token from Cognito and pass the access token while calling API gateway.
I want to know is it possible for callers to use a curl command or use postman to generate access token via Cognito? I checked that once the access token are generated we can call API gateway using Postman.
Any suggestion/idea on this would be helpful.

Aws Cognito : how to get the token for API command line testing?

I am attempting to authenticate against a REST API in AWS API Gateway, which is protected by AWS Cognito, through the command line to do some security testing of the API. So, I'm supposed to send the authentication token to get an answer, except I just can't figure out how to get that token!
Our Cognito User Pool is configured for Authorisation Code Grant Flow and Implicit Grant, but not for Client Credentials. Everything I found out during my research was about Client Credentials, so if anyone had a command line that actually works with these parameters it would be really nice!
If you have a REST API in AWS API Gateway that has Cognito Authentication enabled, you would need to pass the JWT Token generated by Cognito in the HTTP Request Header. To retrieve the JWT Token, you could either try a login operation from the Cognito Hosted UI, or you could alternatively try the AWS provided InitiateAuth or AdminInitiateAuth API calls. To give further clarity, if you select the Implicit Grant Flow, you get only an ID Token and an Access Token back. However, if you select the Authorization Code Grant Flow, you get a code back, which you could convert to JWT Tokens while leveraging Cognito's TOKEN Endpoint. An example for the AdminInitiateAuth API call(via the AWS CLI) as stated in the AWS Cognito Documentation is given as follows:
aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_aaaaaaaaa --client-id 3n4b5urk1ft4fl3mg5e62d9ado --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=jane@example.com,PASSWORD=password
These API calls/the Hosted UI Authentication Mechanism would give you an OIDC compliant ID Token and an Access Token after you login successfully. After you retrieve the Token, you could pass the token to the Token Source that you have set-up while creating the REST API Authorizer in AWS API Gateway. To know more about passing a certain parameter to a cURL request header, you could have a look at this StackOverflow question.

Can AWS MFA work as follows?

In order to log into AWS MFA is required. But if I had a program running on an EC2 instance that invoked AWS services via API calls, would such a program also need to authenticate using MFA or would this not be required because we are already "in?"
MFA is only required when logging into the AWS web console with a username/password. When you make API calls you would use an IAM access key, or even better (since your program is running on EC2) an IAM instance profile, which doesn't require MFA.
API calls can be made to require MFA as well using an IAM policy. However, if you were to deploy such policy, you could also exclude VPC-internal subnets from the MFA requirement so that MFA would only be required when accessing the AWS API endpoints from the outside.
Here's a link to my repository which contains an example enforcement policy (see example-mfa-policies/EnforceMFA.txt): https://github.com/vwal/awscli-mfa

How can I allow limited access to API created in aws API gateway?

I have a API in AWS API gateway.
I want to give limited access to the user; how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.