I've managed to successfull login to the API gateway I've made via my iOS device and Cognito. The problem is I'd like to use postman to test the API calls then implement them on the phone. Currently, Postman cannot authenticate (despite AWS saying it can). No matter what I do I get a 401 error (visible in the screen-shots)

What I've tried

Downloaded the postman collection from AWS Api Gateway enter image description here

Then imported it into postman, and switch the authentication to "AWS Signature" enter image description here

And Here is a screen shot of the Postman Generated Header Info enter image description here

2 Answers

thomasmichaelwallace On Best Solutions

If I understand correctly, you are trying to call an API Gateway endpoint that is behind the built-in Cognito Authoriser.

I think you've misunderstood how you call an Cognito Authorised API Gateway:

  1. Authorise against Cognito to get an id_token
  2. Call API Gateway with the Authorization header set to id_token
  3. Renew id_token every hour

By enabling ADMIN_NO_SRP_AUTH you're allowing the first step (sign-in to Cognito) to be simplified so that you can more easily do it manually. (If you hadn't, then you would need to do SRP calculations).

One way to get the id_token is to use the aws cli (further ways are shown in the documentation):

aws cognito-idp admin-initiate-auth --user-pool-id='[USER_POOL_ID]' --client-id='[CLIENT_ID]' --auth-flow=ADMIN_NO_SRP_AUTH --auth-parameters="USERNAME=[USERNAME],PASSWORD=[PASSWORD]"

You can then use the result (AuthenticationResult.IdToken) as the Authorization header in Postman (no need for the AWS v4 signature- that is only for IAM authentication).

n.b. a much fuller explanation with images can be found here.

sevensevens On

Here is what I finally did to fix postman auth issues

1) Turned off App Client Secret in the Cognito pool.

2) Ran aws --region us-east-1 cognito-idp admin-initiate-auth --cli-input-json file://gettoken.json

JSON file example

"UserPoolId": "us-east-1_**********", 
"ClientId": "******************", 
"AuthFlow": "ADMIN_NO_SRP_AUTH",

    "AuthParameters": {
        "USERNAME": "*********",
        "PASSWORD": "***********"

3) Went to Postman > Authorization > Bearer Copied the idToken value into the token field and everything worked. enter image description here

NOTE: For those wondering if not using a secret client key is safe. See this article.