
Support COGNITO_USER_POOLS authorizer #1106

batkuip opened this issue Jul 11, 2017 · 3 comments

@batkuip batkuip commented Jul 11, 2017

Terraform Version


Affected Resource(s)

  • aws_api_gateway_authorizer
  • aws_api_gateway_method

Expected Behavior

type="COGNITO_USER_POOLS" supported

Actual Behavior

not supported



@peterpostmann peterpostmann commented Jan 29, 2018


I needed a workaround and used this one:

  • Use a null_resource which creates the authorizer using the aws cli
  • Use data "external" to query aws for the id of the authorizer

```hcl
resource "null_resource" "aws_api_gateway_authorizer_myPool" {
  # create the authorizer with the AWS CLI, since the provider did not support the type yet
  provisioner "local-exec" {
    command = <<EOF
export AWS_DEFAULT_REGION=${var.region} &&
aws apigateway create-authorizer \
  --rest-api-id ${} \
  --name 'myPool' --type COGNITO_USER_POOLS \
  --provider-arns '${aws_cognito_user_pool.myPool.arn}' \
  --identity-source 'method.request.header.Authorization'
EOF
  }

  # remove the authorizer again when this resource is destroyed
  provisioner "local-exec" {
    when    = "destroy"
    command = <<EOF
export AWS_DEFAULT_REGION=${var.region} &&
aws apigateway delete-authorizer \
  --rest-api-id ${} \
  --authorizer-id ${}
EOF
  }
}

data "external" "aws_api_gateway_authorizer_myPool" {
  program = [
    # script path, REST API id and authorizer name (the arguments were cut off in the post)
  ]
}
```

using this script


```bash
#!/usr/bin/env bash
# $1 = REST API id, $2 = authorizer name; prints {"id": "<authorizer id>"} for the external data source
echo "{\"id\": \"$(aws apigateway get-authorizers --rest-api-id "$1" | jq -r --arg name "$2" '.items[] | select(.name == $name) | .id')\"}"
```

This script uses 'jq' for simplicity. It receives a list of authorizers from aws, selects the item whose name matches and returns the id of this entry in json format.

The authorizer can be attached to a gateway method like this:

```hcl
resource "aws_api_gateway_method" "myMethod" {
  rest_api_id   = "${}"
  resource_id   = "${}"
  http_method   = "POST"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = "${}"
}
```

All of this would have been a lot easier if one could override/set variables of the null_resource ;)

Hope someone else may find this useful as well. Looking forward to feedback.


@arbabnazar arbabnazar commented Feb 16, 2019

Here is an example if somebody is still looking for it:

```hcl
resource "aws_api_gateway_authorizer" "api_gateway_authorizer" {
  name            = "demo-authorizer"
  rest_api_id     = "${module.lambda_app.api_gateway_id}"
  type            = "COGNITO_USER_POOLS" # required here; the default type is TOKEN
  identity_source = "method.request.header.Authorization"
  provider_arns   = ["${aws_cognito_user_pool.cognito_user_pool.arn}"]
}
```
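A complete wiring of the authorizer to a protected method, as an added example that is not part of the thread or the provider's docs. It assumes Terraform 0.12+ syntax and that the user pool, REST API and resource named here live in the same configuration; the `orders/write` scope assumes a Cognito resource server that defines it.

```hcl
resource "aws_cognito_user_pool" "users" {
  name = "example-users" # constructed name
}

resource "aws_api_gateway_rest_api" "api" {
  name = "example-api" # constructed name
}

resource "aws_api_gateway_resource" "orders" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "orders"
}

resource "aws_api_gateway_authorizer" "cognito" {
  name            = "cognito-users"
  rest_api_id     = aws_api_gateway_rest_api.api.id
  type            = "COGNITO_USER_POOLS" # the type this issue asked for
  identity_source = "method.request.header.Authorization"
  provider_arns   = [aws_cognito_user_pool.users.arn]
}

# A method is only protected when authorization is COGNITO_USER_POOLS AND
# authorizer_id points at the authorizer; authorization = "NONE" leaves the
# method open no matter which authorizers exist on the API.
resource "aws_api_gateway_method" "create_order" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "POST"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = aws_api_gateway_authorizer.cognito.id

  # With scopes set, API Gateway expects an access token carrying one of them;
  # without scopes it accepts any ID token issued by the pool.
  authorization_scopes = ["orders/write"]
}
```

Method changes only take effect once a new aws_api_gateway_deployment is created, so a method left on `authorization = "NONE"` in an old deployment stays open until redeployed.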

@hashibot hashibot bot commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashibot hashibot bot locked and limited conversation to collaborators Mar 31, 2020