Building RESTful APIs — Part 2 of 3 | Serverless | AWS Lambda
In our first tutorial we configured an AWS Cognito user pool for user profiles and authentication. In this tutorial we will create four separate Lambda functions for:
- Sign Up,
- Sign In,
- Refresh Token and
- a Private API that requires an authentication token.
Let's start creating these four functions. First we need a custom IAM role that lets our Lambda functions write to CloudWatch Logs and call Cognito. Go to Services > Security, Identity, & Compliance > IAM. Click Roles > Create role > AWS Services > Lambda > Next:Permissions > Create policy.
Click the JSON tab on the new page and paste the policy below into the editor.
Click Review policy, give the policy a name, e.g. LambdaRolesToAccessCognitoAndCloudwatch, and then click Create policy. Now go back to the previous tab where you were creating the role. Under Attach permissions policies search for your newly created policy, e.g. LambdaRolesToAccessCognitoAndCloudwatch, and select it. Click Next:Tags > Next:Review. Give the role a name, e.g. Lambda-Cognito-Cloudwatch, and then click Create role.
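As an added example (not the policy from the original post), here is one way to generate a least-privilege version of that policy in Python instead of granting `*` resources: the logging permissions are scoped to the functions' own log groups and the Cognito statement to a single user pool ARN. The region, account id, user pool id and the list of `cognito-idp` actions are placeholders and assumptions. Which actions your handlers actually need depends on the Cognito API calls they make; SignUp and InitiateAuth are unauthenticated APIs that need no IAM permission at all, so the Cognito statement only matters once Admin* calls are used, and it should stay as narrow as possible.

```python
import json

# Added example, not the policy from the original post. Placeholder values you must
# replace with your own account details (assumptions):
ASSUMED_REGION = "us-east-1"
ASSUMED_ACCOUNT_ID = "123456789012"
ASSUMED_USER_POOL_ID = "us-east-1_EXAMPLE"


def lambda_execution_policy(function_names, cognito_actions, region=ASSUMED_REGION,
                            account_id=ASSUMED_ACCOUNT_ID, user_pool_id=ASSUMED_USER_POOL_ID):
    """Return an IAM policy document scoped to the given functions' log groups and one user pool."""
    log_group_arns = [
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{name}:*"
        for name in function_names
    ]
    user_pool_arn = f"arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # CreateLogGroup cannot be limited to a group that does not exist yet,
                # so it is scoped to this account's log namespace in this region.
                "Sid": "CreateLogGroup",
                "Effect": "Allow",
                "Action": "logs:CreateLogGroup",
                "Resource": f"arn:aws:logs:{region}:{account_id}:*",
            },
            {
                "Sid": "WriteFunctionLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": log_group_arns,
            },
            {
                # Only the cognito-idp actions your handlers call, and only on this pool.
                "Sid": "CognitoUserPoolAccess",
                "Effect": "Allow",
                "Action": sorted(set(cognito_actions)),
                "Resource": user_pool_arn,
            },
        ],
    }


def wildcard_resources(policy):
    """Quick lint: return the Sids of Allow statements whose Resource is a bare '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if stmt["Effect"] == "Allow" and "*" in resources:
            flagged.append(stmt["Sid"])
    return flagged


if __name__ == "__main__":
    # The four function names from this tutorial; the action list is an assumption.
    policy = lambda_execution_policy(
        ["signUpWithCognito", "signInWithCognito", "newIdTokenUsingRefreshToken", "privateLambda"],
        ["cognito-idp:SignUp", "cognito-idp:InitiateAuth"],
    )
    assert wildcard_resources(policy) == []
    print(json.dumps(policy, indent=2))  # paste this output into the JSON tab
```

Run it once with your own region, account id and pool id filled in, and paste the printed document into the JSON editor; `wildcard_resources` is there so a later edit that widens a statement to `*` fails loudly.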
Sign Up Lambda
In the AWS console browse to Services > Compute > Lambda from the top menu. In the Lambda dashboard click Create function, select Author from scratch and, under Basic information, give your function a name, e.g. signUpWithCognito, and select Python 3.7 as the runtime. Under Permissions expand Choose or create an execution role. Under Execution role click Use an existing role, under Existing role select Lambda-Cognito-Cloudwatch and then click Create function. Your Lambda function will be created. In the Lambda editor remove all existing code and paste the code snippet below.
Under Environment variables create two variables named clientId and clientSecret. Go to the Cognito user pool, i.e. the tutorials-user-pool we created in the first part of this tutorial, to find the app client id and secret. Copy and paste these values accordingly, then click Save. To the left of the Save button is the Test button. Click it, give the test event a name and configure a new test event with the JSON below:
Click Save and then click Test to check whether our Lambda function executes and successfully creates a user in the Cognito pool. Under Execution results you will see the response. If the account creation succeeded with the test data, the new user will appear in tutorials-user-pool. We are done with the Sign Up function.
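The sign-up snippet itself is not reproduced above, so as an added example (not the post's code) the handler below shows what such a function has to do against an app client that has a client secret: compute Cognito's SECRET_HASH (Base64 of HMAC-SHA256 over username + client id, keyed with the client secret), call SignUp, and map Cognito's exceptions to HTTP responses without echoing the secret or internal details. The Cognito client is passed in as a parameter so the logic can be exercised offline with a fake; the environment variable names clientId and clientSecret are the ones from this tutorial, while the event field names email and password are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os


def secret_hash(username, client_id, client_secret):
    """Cognito SECRET_HASH: Base64(HMAC-SHA256(key=client secret, msg=username + client id))."""
    msg = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("utf-8")


def _response(status, body):
    """API-Gateway-style response; the body never includes the client secret or raw exceptions."""
    return {"statusCode": status, "body": json.dumps(body)}


def _error_code(exc):
    # botocore's ClientError exposes the Cognito error name as exc.response["Error"]["Code"]
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "InternalError")


def sign_up(event, cognito, client_id, client_secret):
    """Register a user with the email as username. `cognito` is a boto3 cognito-idp client
    (or a test double with the same sign_up signature); event fields are assumptions."""
    email, password = event.get("email"), event.get("password")
    if not email or not password:
        return _response(400, {"message": "email and password are required"})
    try:
        result = cognito.sign_up(
            ClientId=client_id,
            SecretHash=secret_hash(email, client_id, client_secret),
            Username=email,
            Password=password,
            UserAttributes=[{"Name": "email", "Value": email}],
        )
    except Exception as exc:  # noqa: BLE001 - translate Cognito errors, never re-raise them to the caller
        code = _error_code(exc)
        if code == "UsernameExistsException":
            # Note: this status tells a caller that the address is registered. Use a generic
            # 400 instead if account enumeration is a concern for your application.
            return _response(409, {"message": "user already exists"})
        if code in ("InvalidPasswordException", "InvalidParameterException"):
            return _response(400, {"message": "invalid sign-up request"})
        return _response(500, {"message": "sign-up failed"})
    return _response(200, {"userSub": result["UserSub"], "userConfirmed": result["UserConfirmed"]})


def lambda_handler(event, context):
    """Lambda entry point. boto3 is available in the Lambda runtime; it is imported lazily
    so that the module also loads (and the logic can be tested) where boto3 is not installed."""
    import boto3
    return sign_up(event, boto3.client("cognito-idp"), os.environ["clientId"], os.environ["clientSecret"])
```

In Lambda, the test event `{"email": "...", "password": "..."}` reaches `lambda_handler` as `event`; locally you can call `sign_up` with any object that has a `sign_up(**kwargs)` method to check the SecretHash and the response mapping without touching AWS.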
Sign In Lambda
Now let's create the Sign In Lambda function in the same way, with the same role we gave the Sign Up Lambda. Give the function a name, e.g. signInWithCognito, and paste the code snippet below into the code editor:
Under Environment variables create two variables named clientId and clientSecret. Go to the Cognito user pool, i.e. the tutorials-user-pool we created in the first part of this tutorial, to find the app client id and secret. Copy and paste these values accordingly, then click Save. To the left of the Save button is the Test button. Click it, give the test event a name and configure a new test event with the JSON below:
Click Save and then click Test to check whether our Lambda function executes and successfully signs in the user with the email as username and the password. On success you will get a response like the one below with AccessToken, RefreshToken and IdToken. By default the IdToken expires in 3600 seconds; a new IdToken can be obtained with the RefreshToken.
Refresh Token Lambda
Once our IdToken expires we need to request a new one using the RefreshToken we received on successful sign in. Let's create another Lambda function, e.g. newIdTokenUsingRefreshToken, for this purpose: the user provides a username and refresh token and, after validation, we return a new IdToken for accessing private APIs. Paste the code snippet below into the newly created function's editor:
Under Environment variables create two variables named clientId and clientSecret. Go to the Cognito user pool, i.e. the tutorials-user-pool we created in the first part of this tutorial, to find the app client id and secret. Copy and paste these values accordingly, then click Save. To the left of the Save button is the Test button. Click it, give the test event a name and configure a new test event with the JSON below:
If you are using the email as username, you need to provide the UUID that Cognito created for that user. You can find it in the Users and groups section of your user pool.
Click Save and then click Test to check whether our Lambda function executes and successfully generates a new IdToken. A successful response looks like this:
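Sign In and Refresh Token both come down to one InitiateAuth call with the same SECRET_HASH rule, so a single added example (not the post's code) covers both sections: USER_PASSWORD_AUTH for sign in and REFRESH_TOKEN_AUTH for refresh. It also shows the practical side of the UUID note above: when email is the username, the refresh flow's SECRET_HASH must be computed over the UUID Cognito assigned (the `sub` claim), so the sign-in handler reads the `sub` out of the IdToken it has just received from Cognito and returns it with the tokens, which spares the client a trip to the console. Reading the payload without signature verification is acceptable only there, on a token received directly from Cognito; tokens presented by clients are verified by the API Gateway authorizer in Part 3. The event field names (username, password, refreshToken) and the two handler names are assumptions; the Cognito flow names, parameter keys and exception names are the real ones.

```python
import base64
import hashlib
import hmac
import json
import os


def secret_hash(username, client_id, client_secret):
    """Cognito SECRET_HASH: Base64(HMAC-SHA256(key=client secret, msg=username + client id))."""
    msg = (username + client_id).encode("utf-8")
    return base64.b64encode(hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()).decode()


def _response(status, body):
    return {"statusCode": status, "body": json.dumps(body)}


def _error_code(exc):
    # botocore's ClientError exposes the Cognito error name as exc.response["Error"]["Code"]
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "InternalError")


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature. Only used on a token this code has
    just received directly from Cognito over TLS; anything presented by a client is verified by
    the API Gateway authorizer (Part 3), never by reading it like this."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore Base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def _tokens(result):
    """Pick the token fields out of an InitiateAuth result."""
    auth = result["AuthenticationResult"]
    body = {k: auth[k] for k in ("AccessToken", "IdToken", "ExpiresIn", "TokenType")}
    if "RefreshToken" in auth:  # Cognito omits it on REFRESH_TOKEN_AUTH responses
        body["RefreshToken"] = auth["RefreshToken"]
    return body


def sign_in(event, cognito, client_id, client_secret):
    """USER_PASSWORD_AUTH with the email (or any username) and password."""
    username, password = event.get("username"), event.get("password")
    if not username or not password:
        return _response(400, {"message": "username and password are required"})
    try:
        result = cognito.initiate_auth(
            ClientId=client_id,
            AuthFlow="USER_PASSWORD_AUTH",
            AuthParameters={
                "USERNAME": username,
                "PASSWORD": password,
                "SECRET_HASH": secret_hash(username, client_id, client_secret),
            },
        )
    except Exception as exc:  # noqa: BLE001
        if _error_code(exc) in ("NotAuthorizedException", "UserNotFoundException"):
            # One message for both so the response does not reveal whether the account exists.
            return _response(401, {"message": "incorrect username or password"})
        return _response(500, {"message": "sign-in failed"})
    if "AuthenticationResult" not in result:
        # e.g. NEW_PASSWORD_REQUIRED; challenge handling is outside this tutorial
        return _response(403, {"message": "challenge required", "challenge": result.get("ChallengeName")})
    body = _tokens(result)
    # Hand the sub back now: with email as username, the refresh flow must use this UUID.
    body["sub"] = jwt_payload(body["IdToken"])["sub"]
    return _response(200, body)


def refresh_tokens(event, cognito, client_id, client_secret):
    """REFRESH_TOKEN_AUTH; 'username' must be the user's UUID (sub) when email is the username."""
    sub, refresh_token = event.get("username"), event.get("refreshToken")
    if not sub or not refresh_token:
        return _response(400, {"message": "username and refreshToken are required"})
    try:
        result = cognito.initiate_auth(
            ClientId=client_id,
            AuthFlow="REFRESH_TOKEN_AUTH",
            AuthParameters={
                "REFRESH_TOKEN": refresh_token,
                "SECRET_HASH": secret_hash(sub, client_id, client_secret),
            },
        )
    except Exception as exc:  # noqa: BLE001
        if _error_code(exc) == "NotAuthorizedException":  # invalid, expired or revoked refresh token
            return _response(401, {"message": "refresh token is invalid or revoked"})
        return _response(500, {"message": "token refresh failed"})
    return _response(200, _tokens(result))


def sign_in_handler(event, context):
    import boto3  # available in the Lambda runtime; imported lazily so the module loads without it
    return sign_in(event, boto3.client("cognito-idp"), os.environ["clientId"], os.environ["clientSecret"])


def refresh_handler(event, context):
    import boto3
    return refresh_tokens(event, boto3.client("cognito-idp"), os.environ["clientId"], os.environ["clientSecret"])
```

Deploy `sign_in_handler` as the signInWithCognito entry point and `refresh_handler` as the newIdTokenUsingRefreshToken one; a wrong SECRET_HASH (for example computing it over the email instead of the sub on refresh) surfaces as NotAuthorizedException from Cognito, which is why the refresh path treats that error as a client-side problem rather than a server failure.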
Private Lambda Function
Let's create our final Lambda function, which will be a private one and will require authorization from Cognito. We will cover the authorization part in the next tutorial, when we configure API Gateway. For now just create a new Lambda function, e.g. privateLambda, with the same configuration as the earlier functions but with the code snippet below.
In our next and final tutorial, Part 3, we will discuss where this event['payload']['user'] comes from.
With that, all four functions required for this tutorial are done.
In Part 1 we configured the AWS Cognito user pool and in Part 2 we created all the necessary Lambda functions. In the next tutorial we will connect the two with API Gateway endpoints to get the desired outcome from this series.
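Since the private function's code is not reproduced above, this added example (not the post's code) shows the one rule such a handler must follow: the caller's identity comes only from the authorizer-injected event['payload']['user'], never from anything the client put in the request body, and a request without that identity is refused rather than guessed at. It assumes that `user` is a dict of ID-token claims (sub, email, token_use, aud) placed there by the gateway mapping that Part 3 sets up; if your mapping passes a different shape, adapt the checks accordingly.

```python
import json


def _response(status, body):
    return {"statusCode": status, "body": json.dumps(body)}


def private_handler(event, context=None, expected_client_id=None):
    """Serve the request only for an identity the gateway injected at event['payload']['user'].
    Assumption: that value is a dict of Cognito ID-token claims (sub, email, token_use, aud)."""
    user = (event.get("payload") or {}).get("user")
    if not isinstance(user, dict) or not user.get("sub"):
        # No authorizer-provided identity: the request either bypassed the gateway or the
        # mapping is misconfigured. A 'user' inside event['body'] is deliberately ignored.
        return _response(401, {"message": "unauthorized"})
    # Defence in depth: the authorizer already verified the token, but make sure the claims
    # came from an ID token (not an access token) issued to this app client.
    if user.get("token_use") != "id":
        return _response(401, {"message": "unauthorized"})
    if expected_client_id and user.get("aud") != expected_client_id:
        return _response(401, {"message": "unauthorized"})
    return _response(200, {"message": "hello " + user.get("email", user["sub"]), "sub": user["sub"]})


def lambda_handler(event, context):
    """Lambda entry point; clientId is the environment variable name used throughout this tutorial."""
    import os
    return private_handler(event, context, expected_client_id=os.environ.get("clientId"))
```

Until Part 3 wires up the authorizer and the mapping, a console test event has to supply `payload.user` by hand; the two 401 branches are what you expect to see when it is missing or when the claims come from the wrong token type or client.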