AWS API Gateway Authentication using AWS Directory Services (Active Directory) - amazon-web-services

I'm using AWS API gateway for an API I'm setting up, and I want to be able to use an existing AWS Directory Services Directory (Microsoft AD Enterprise) for authentication.
I'm not sure where to start.
Would I need to use a custom lambda function for authentication, and then write my own ldap authentication code?
I can't find any references to this scenario, of authenticating an API against AWS AD.
Any pointers would be greatly appreciated.

perhaps worth checking how configure AWS Directory Service as Federated Identity Provider in IAM, then how to retrieve access tokens from STS and ultimately configure API Gateway to use Authorization Method: AWS_IAM
for authentication - perhaps worth studying how configure federated identity in cognito
have a look at these slides https://www.slideshare.net/AmazonWebServices/aws-may-webinar-series-48671841

Related

AWS API gateway for K8s using Cognito with JWT

I have AWS K8s cluster(EKS) and I want to use AWS API gateway to protect endpoints and separate authorization logic from microservices. I need to have 2 authentication schemas:
Send login/password and get JWT
OAuth2
There is an integration between API gateway and K8s cluster via ALB Ingress Controller. It looks fine. Then I need to authenticate somehow. AWS provides Cognito as a service to manage users and the possibility to have your own identity provider. I know that we can integrate API gateway authorizer with Cognito, but I can't understand the following things:
How to integrate Cognito with already existed LDAP for example? (SAML?)
Can I use my own already created OAuth2 authentication endpoint?
How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
1 How to integrate Cognito with already existed LDAP for example? (SAML?)
Make use of Cognito Userpools with SAML IDP.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
2 Can I use my own already created OAuth2 authentication endpoint?
Yes, use Developer Authenticated Identities for Cognito Identity Pools.
Users that authenticate from the existing user database will be authorized by identity pools through assuming the authenticated IAM role of the identity pool, in that role set the access level to AWS resources.
https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
3 How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
Best way to achieve this seeing that API Gateway is being used is to implement a Lambda authorizer in API gateway that uses Cognito Userpools. You will then be able to get the JWT token in that Lambda authorizer, the claims in the authorizer will also be available in the integration request vtl and accessible using $context . i.e.
$context.authorizer.claims.sub
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Can we authenticate application user with on-premise directory services with AWS Lambda?

Am looking for authentication methods with our on-premise directory other than AWS Cognito user pool. I saw Lambda can be integrated with Azure AD. Our directory is SAML integrated. Can i achieve this with AWS Lambda function.? And how can i get access tokens to authorize API Gateway after authentication. If Possible, Please let me know how to achieve. Thanks in Advance.

How can I authenticate a backend service against my AWS Api Gateway

I have a lambda function running behind the aws api gateway, that acts as the backend for my website. It uses a cognito authorizer to authenticate the users of my website. This works fine.
Now I need to authenticate a c# backend service against the api that is not running in the cloud has no user interaction. It should just synchronize data.
My initial plan was to configure cognito credentials and log into the cloud via the cognito sdk but this is not possible as the app would then need developer access to my cloud.
I also thought about using the api gateway api keys but I would still need the cognito authentication then.
So how can I authenticate my c# service against my aws api without user interaction being nessecary?
You could use Cognito User Pool Authentication.
This is an OpenID implementation where Cognito issues JSON Web Tokens (JWTs) where the signature of a JWT can be verified with a public endpoint.
In the context of API Gateway, you would use a Lambda as a custom authorizer, but the tokens could be verified in any environment/language with a relevant JWT Library.
More reading: Verifying a JWT issued by Cognito

AWS Cognito with non-AWS Resources

My question is about AWS Cognito Security Services- can AWS Cognito be used for any resources outside AWS Cloud e.g an API developed published on Apigeea API Gateway?
I searched through AWS Documents and on Google
I want to create SSO with AWS Cognito like SAML-based SSO federation where Resources/ Services can be anywhere.
Yes, You can. Kindly see the App Clinet option in Cognito.
However, Apigee also needs to have the capability to integrate.

How to Configure AWS API GATEWAY with cognito user pool authentication?

Trying to configure AWS API Gateway with AWS Cognito userpool authentication.
Tried some of the settings provided on aws documentation and trying to check this API from Postman client.
Not able check what setting need to be done at postman side and any specific configuration needs to be done at API and Cognito.
Thanks