How to call AWS API Gateway Endpoint with Cognito Id (+configuration)?

误落风尘 2021-02-08 14:11

I want to call an AWS API Gateway Endpoint that is protected with AWS_IAM using the generated JavaScript API SDK.

2 Answers
  • 2021-02-08 15:01

    What access permissions does the role of the Cognito Identity have? Make sure it has access to perform execute-api:Invoke on your API.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "execute-api:Invoke"           
          ],
          "Resource": [
            "arn:aws:execute-api:us-east-1:<account>:<rest-api>/*/POST/graphql"
          ]
        }
      ]
    } 
    

    You can get the exact resource ARN from the method settings page in the web console.

    0 Discussion (0)
  • 2021-02-08 15:12

    Even after following everything I was getting the same error. And the reason was I missed the "sessionToken" while initialising the apigClient.

    var apigClient = apigClientFactory.newClient({
      accessKey: AWS.config.credentials.accessKeyId, // 'ACCESS_KEY'
      secretKey: AWS.config.credentials.secretAccessKey, // 'SECRET_KEY'
      sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN', OPTIONAL: If you are using temporary credentials you must include the session token
      region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
    });
    

    //OPTIONAL: If you are using temporary credentials you must include the session token -- is not really optional

    0 Discussion (0)
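A pre-flight check covering both answers above, as an added example that is not part of the original answers or of the generated SDK: it tests whether a policy's Allow statements cover a planned request, and it refuses to build the `newClient` config when temporary credentials lack a session token. The function names, account id, API id and sample call are hypothetical; policy evaluation is simplified as noted in the comments.

```javascript
// Added example; every account id, API id and key below is a constructed placeholder.

// IAM-style wildcard match: '*' is any run of characters, '?' is exactly one.
function wildcardMatch(pattern, value) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(value);
}

// Policy fields may be a single string or an array.
const asList = (v) => (Array.isArray(v) ? v : [v]);

// execute-api ARN for one request: <api-id>/<stage>/<METHOD>/<resource-path>.
function requestArn({ region, account, apiId, stage, method, path }) {
  const resource = path.replace(/^\//, '');
  return `arn:aws:execute-api:${region}:${account}:${apiId}/${stage}/${method.toUpperCase()}/${resource}`;
}

// True if an Allow statement grants execute-api:Invoke on the request's ARN.
// Simplified: Deny statements, Condition blocks and NotAction/NotResource are ignored.
function policyAllowsInvoke(policy, request) {
  const arn = requestArn(request);
  return asList(policy.Statement).some((s) =>
    s.Effect === 'Allow' &&
    asList(s.Action).some((a) => wildcardMatch(a.toLowerCase(), 'execute-api:invoke')) &&
    asList(s.Resource).some((r) => wildcardMatch(r, arn)));
}

// Build the newClient() config; STS-issued (temporary) key ids start with "ASIA".
function clientConfig({ accessKeyId, secretAccessKey, sessionToken }, region) {
  if (!accessKeyId || !secretAccessKey) throw new Error('credentials are not loaded yet');
  if (accessKeyId.startsWith('ASIA') && !sessionToken) {
    throw new Error('temporary credentials need sessionToken');
  }
  return { accessKey: accessKeyId, secretKey: secretAccessKey, sessionToken, region };
}

// Constructed sample: the policy shape from the first answer with placeholder ids.
const samplePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['execute-api:Invoke'],
    Resource: ['arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/POST/graphql'],
  }],
};
const sampleCall = { region: 'us-east-1', account: '111122223333', apiId: 'a1b2c3d4e5',
  stage: 'prod', method: 'post', path: '/graphql' };
console.log(policyAllowsInvoke(samplePolicy, sampleCall)); // true
```

The object returned by `clientConfig` has the same keys the second answer passes to `apigClientFactory.newClient`.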