Api created with Chalice and a Cognito authorizer returns “Unauthorized”
I'm trying to integrate Cognito using the built-in login dialog with AWS Chalice. This is what I tried:
    from chalice import Chalice, CognitoUserPoolAuthorizer

    app = Chalice(app_name='cognito-test')  # app name is a placeholder

    # This passes in correct arn for my pool, not xxxx
    authorizer = CognitoUserPoolAuthorizer(
        'end_users_dev', provider_arns=['arn:aws:cognito-idp:us-west-2:xxxx'])

    @app.route('/test', cors=True, authorizer=authorizer)
    def test():
        return {"result": "Success with authorizer"}

    @app.route('/test2', cors=True)
    def test2():
        return {"result": "Success without authorizer"}
The second method (test2) works but the first method (test) returns (as expected):
    {
        "message": "Unauthorized"
    }
Now I attempt to make the test with authorization work by passing in a header:
    Authorization: <the token I get passed in from the built in login page callback as "id_token">
I can verify the JWT token contents and signature manually and that the user pool is showing up in API Gateway as "Authorization" for the test resource, but I'm still getting the same "Unauthorized" message. What am I missing?
(Note: I also posted this at https://forums.aws.amazon.com/message.jspa?messageID=871715#871715 but haven't received any response in 2 days)
aws-api-gateway amazon-cognito chalice
edited Nov 13 '18 at 10:14
Ryan
asked Oct 11 '18 at 17:14
Edwin Evans
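Before looking at IAM, it is worth confirming that the id_token in the Authorization header actually belongs to the pool named in provider_arns and is an id token at all; a token from another pool or region, an access token, or an expired token is rejected by the gateway with the same bare "Unauthorized". The offline checker below is an added example, not code from the original post: the pool ARN, app client id and token claims are constructed placeholders, the issuer format https://cognito-idp.<region>.amazonaws.com/<pool id> is the one Cognito uses, and signature verification against the pool's JWKS is deliberately left out so it runs without network access.

```python
import base64
import json
import re
import time

# Shape of a Cognito user pool ARN, as passed to CognitoUserPoolAuthorizer(provider_arns=[...]).
POOL_ARN_RE = re.compile(
    r"^arn:aws:cognito-idp:(?P<region>[a-z0-9-]+):\d{12}:userpool/(?P<pool_id>[A-Za-z0-9_-]+)$")

def expected_issuer(provider_arn):
    """Issuer URL that an id_token from the pool in provider_arn must carry in its iss claim."""
    m = POOL_ARN_RE.match(provider_arn)
    if not m:
        raise ValueError("not a Cognito user pool ARN: %r" % provider_arn)
    return "https://cognito-idp.%s.amazonaws.com/%s" % (m.group("region"), m.group("pool_id"))

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Split a compact JWT and parse its payload. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def check_id_token(token, provider_arn, client_id, now=None):
    """Return the list of mismatches between the token and the authorizer's pool (empty = consistent)."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers bad segment count, bad base64 and bad JSON
        return ["malformed token: %s" % exc]
    problems = []
    iss = expected_issuer(provider_arn)
    if claims.get("iss") != iss:
        problems.append("iss %r != %r: token is from another pool or region" % (claims.get("iss"), iss))
    if claims.get("token_use") != "id":
        problems.append("token_use %r != 'id': an access token was sent instead" % claims.get("token_use"))
    if claims.get("aud") != client_id:
        problems.append("aud %r != app client %r" % (claims.get("aud"), client_id))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token missing exp or expired (exp=%r)" % claims.get("exp"))
    return problems

def make_unsigned_token(claims):
    """Build a JWT-shaped string with a dummy signature. Constructed test input only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "kid": "constructed-kid"}), enc(claims), "c2lnbmF0dXJl")

# Constructed values: account id, pool id and app client id are placeholders, not real resources.
POOL_ARN = "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_EXAMPLEPOOL"
CLIENT_ID = "1example23456789abcdefghijklmn"
NOW = 1_600_000_000

if __name__ == "__main__":
    tok = make_unsigned_token({"iss": expected_issuer(POOL_ARN), "aud": CLIENT_ID, "token_use": "id", "exp": NOW + 3600})
    print(check_id_token(tok, POOL_ARN, CLIENT_ID, now=NOW) or "token consistent with authorizer pool")
```

Run it against the real id_token from the login callback with the ARN from provider_arns and the app client id; an empty list means the remaining suspects are the signature, the gateway configuration or the Lambda role, which is where the accepted answer picks up.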
1 Answer
I would check to make sure the IAM policy that Chalice is running with allows access to Cognito.
You can add these as needed from the AmazonCognitoPowerUser policy to your policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cognito-identity:*",
                    "cognito-idp:*",
                    "cognito-sync:*",
                    "iam:ListRoles",
                    "iam:ListOpenIdConnectProviders",
                    "sns:ListPlatformApplications"
                ],
                "Resource": "*"
            }
        ]
    }

As seen at the link below:

"Whenever your application is deployed using chalice, the auto generated policy is written to disk at /.chalice/policy.json. When you run the chalice deploy command, you can also specify the --no-autogen-policy option. Doing so will result in the chalice CLI loading the /.chalice/policy.json file and using that file as the policy for the IAM role. You can manually edit this file and specify --no-autogen-policy if you'd like to have full control over what IAM policy to associate with the IAM role."

As seen under the policy section here: https://github.com/aws/chalice

    $ chalice gen-policy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListAllMyBuckets"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow",
                "Sid": "9155de6ad1d74e4c8b1448255770e60c"
            }
        ]
    }
Oh! So it sounds like my best option will be to run chalice gen-policy and then replace the contents in policy.json with the snippet you provided at top?
– Edwin Evans
Oct 19 '18 at 17:26
Yay! It worked. Note, I already had a policy.json so didn't need to run gen-policy. Awarding bounty.
– Edwin Evans
Oct 19 '18 at 17:41
Hm, it isn't working in one of my environments now. Is there somewhere in Lambda or Gateway console where I can view the policies in AWS UI? (In one case it seems the policy file gets overwritten when deploying and in another it isn't)
– Edwin Evans
Oct 19 '18 at 19:02
yes, you can login to the console to verify the policy on the lambda. But you need to put your custom policy here /.chalice/policy.json and add the --no-autogen-policy flag to the chalice update command.
– Ryan
Oct 19 '18 at 19:05
Ah. Cool. Actually I noticed the reason autogen wasn't working is because I had CognitoUserPoolAuthorizer set up wrong for that environment. Thanks again!
– Edwin Evans
Oct 19 '18 at 19:10
edited Nov 13 '18 at 15:56
answered Oct 18 '18 at 19:51
RyanRyan