Category Archives: CodeStar

Cognito Auth with AWS SAM

Hi everyone,

I’ve spent today implementing Cognito with AWS SAM and it took quite a while to work out what needed to be done – unfortunately there’s a lot of conflicting doco out there. Posting a sample template just in case it’s able to help anyone else out.

The first thing to do is to explicitly define you rest API. By default AWS SAM will generate one with a default logical id of ServerlessRestApi. You’ll need to override this:

  # See links for more info
  # Referencing cognito authorizer:
  # Logical id is auto generated:
  # Sample template.yml:
    Type: "AWS::Serverless::Api"
      StageName: Prod
      Auth: # We will eventually define other auth options here such as Usage Plans/Api Keys, AWS_IAM, and Resource Policies
        DefaultAuthorizer: MyCustomCognitoAuthorizer
            UserPoolArn: !GetAtt MyCustomCognitoUserPool.Arn # Can be a string, or array
            # Identity: # Optional
              # Header: ... # Optional; Default: Authorization
              # ValidationExpression: ...  # Optional; ensures the request header matches a pattern before checking in with the Authorizer endpoint; is there a default we can set for Cognito User Pools Auth?

You’ll also need to create a user pool and client:

# Creating a cognito user pool -
    Type: AWS::Cognito::UserPool
      UserPoolName: !Ref CognitoUserPoolName
      # LambdaConfig:
        # PreSignUp: !GetAtt PreSignupLambdaFunction.Arn
          MinimumLength: 8
        - email
        - AttributeDataType: String
          Name: email
          Required: false

    Type: AWS::Cognito::UserPoolClient
      UserPoolId: !Ref MyCustomCognitoUserPool
      ClientName: !Ref CognitoUserPoolClientName
      GenerateSecret: false

You then add the api id and the auth attribute to each of your function properties. If you’ve used the default authorizer property when defining the associated api you can override it by using authorizer: none.

    Type: AWS::Serverless::Function
      Handler: breed.getBreedHandler
      Policies: arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
      Runtime: nodejs8.10
          TABLE_CAT_BREED: !Ref CatBreedTable
          Type: Api
            Path: /breed/{breedId}
            Method: get
            RestApiId: !Ref MyCustomCustomApi
              Authorizer: NONE

Hopefully that’s able to help you out. If you run into any trouble I found the following link pretty useful:

AWS SAM not re-creating DynamoDb Table that was manually deleted – CodeStar

Hi everyone,

I ran into a bit of an issue after deleting a DynamoDb table via the AWS Console that had been created via CloudFormation (using AWS SAM). After deleting it I had expected it to be re-created automatically on the next deploy. Unfortunately this didn’t happen.

I came across the following AWS article that does a pretty good job of summarising the issue:

To fix it, I removed all references to the table from my template.yml file (this includes the table definition and any !Ref tags). After pushing this changeset I returned all of the references and re-pushed.

Let me know if you have any issues!


4: /codebuild/output/tmp/ pip: not found – Node.js and CodeStar

Hi everyone,

I ran into the following CodeBuild error after upgrading my build environment from the default nodejs8.10 to nodejs10.14:

4: /codebuild/output/tmp/ pip: not found

This one was a little confusing, but thankfully fairly easy to fix. In your buildspec.yml file update the pip steps to reference pip3 instead of pip:

// Original
      # Install dependencies needed for running tests
      - npm install

      # Upgrade AWS CLI to the latest version
      - pip install --upgrade awscli
// Modified
      # Install dependencies needed for running tests
      - npm install

      # Upgrade AWS CLI to the latest version
      - pip3 install --upgrade awscli