*It will actually take around an hour

The best thing about writing code is not having to write very much of it. Let’s discuss how to get there using a few magical libraries and a couple of managed services from our favorite cloud provider and supreme leader of the universe, AWS.

This is not meant to be a step-by-step tutorial, but more of a guide for when you get lost in the woods. But first, let’s get on the same page. Our entire application has a few basic requirements:

The application has users

Users can create things

Access to things can be controlled

Here is the basic architecture we are aiming for:

Users are stored in Cognito, which adds interesting attributes to our request

A Lambda parses the request and attributes and converts the GraphQL to SQL

Postgres runs our query and uses Row Level Security to control access to things

So, how are we going to do server-less GraphQL? Hold on, I’ll get there. This story starts at the user service…

1. Users are stored in Cognito

I’m not going to put the word “Cognito” in big letters because, if you’ve used it before, you probably had a bad time. Yes, its documentation is notoriously bad and its support in CloudFormation is basically non-existent at the time of this writing, but it also does a lot for us, so let’s use it anyway.

The way you set up Cognito doesn’t really matter; you just need to have a user pool. All we care about is using the user pool as the authentication provider for our API Gateway endpoint. Obviously, storing users in Cognito is an opinion with massive implications:

You will end up using things like AWS Amplify to interact with the service on the client-side

You cannot build foreign key relationships between users and other tables directly in the database

Access tokens are generated inside Cognito and must play by their rules, but we do get a few triggers with which we can augment them

But with all those considerations, locking down an endpoint is dangerously easy:

APIUserPool is a Cognito Pool with absolutely nothing special about it

If you really don’t want to use Cognito to handle your API Gateway authentication, that is fine. Suffice it to say, we just want the request to our Lambda function to include some interesting (and unique) things about our user, which Cognito will do without any special configuration.
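To make the “interesting (and unique) things about our user” concrete, here is an added example (not code from the original post) of the Lambda side of this architecture. It assumes, beyond what the post states, that the API uses the Lambda proxy integration, so the claims from the Cognito ID token that API Gateway has already verified arrive under `event["requestContext"]["authorizer"]["claims"]`, and that the Postgres Row Level Security policies read `current_setting('app.current_user')`. The setting name `app.current_user`, the function names and the sample events are all constructed for the example.

```python
"""Added example: read the Cognito identity that API Gateway attaches to a
Lambda proxy event, fail closed when it is missing, and turn it into a
transaction-scoped Postgres setting that Row Level Security policies can use.

Assumptions (not stated in the original post): Lambda proxy integration, so
verified ID-token claims live at event["requestContext"]["authorizer"]["claims"];
RLS policies read current_setting('app.current_user'). Sample events below are
constructed, not captured from a real deployment.
"""
import json
from typing import Any, Dict, Tuple


class Unauthenticated(Exception):
    """Raised when the event carries no verified Cognito identity."""


def cognito_identity(event: Dict[str, Any]) -> Dict[str, str]:
    """Return the subset of Cognito claims the application trusts.

    API Gateway only populates requestContext.authorizer.claims after it has
    validated the token against the user pool, so the Lambda trusts these
    values rather than re-parsing the Authorization header itself.
    """
    request_context = event.get("requestContext") or {}
    authorizer = request_context.get("authorizer") or {}
    claims = authorizer.get("claims") or {}
    if not claims.get("sub"):
        # Fail closed: a method deployed without the authorizer attached would
        # deliver events with no claims at all, and a query must never run as
        # "nobody" against tables protected by RLS.
        raise Unauthenticated("request has no verified Cognito claims")
    return {
        "sub": claims["sub"],  # stable and unique per user; use this as the key
        "username": claims.get("cognito:username", ""),
        "email": claims.get("email", ""),
    }


def rls_session_statement(identity: Dict[str, str]) -> Tuple[str, Tuple[str]]:
    """Build the statement that pins this user's identity to the transaction.

    set_config(..., true) scopes the value to the current transaction, so a
    pooled connection cannot leak one user's identity into the next request.
    Returned as (sql, params) so the value is bound, never string-interpolated.
    """
    return ("SELECT set_config('app.current_user', %s, true)", (identity["sub"],))


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda proxy handler: resolve the identity first, then do the work."""
    try:
        identity = cognito_identity(event)
    except Unauthenticated as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc)})}
    sql, params = rls_session_statement(identity)
    # A real handler would now run `sql` with `params` and the GraphQL-derived
    # query inside the same transaction; here we just echo what would be sent.
    return {
        "statusCode": 200,
        "body": json.dumps({"user": identity["sub"], "session_sql": sql, "params": list(params)}),
    }


# Constructed sample events for local experimentation.
AUTHENTICATED_EVENT = {
    "httpMethod": "POST",
    "path": "/graphql",
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",  # constructed value
                "cognito:username": "alice",
                "email": "alice@example.com",
                "token_use": "id",
            }
        }
    },
    "body": json.dumps({"query": "{ things { id } }"}),
}

ANONYMOUS_EVENT = {"httpMethod": "POST", "path": "/graphql", "requestContext": {}, "body": "{}"}

if __name__ == "__main__":
    print(handler(AUTHENTICATED_EVENT))
    print(handler(ANONYMOUS_EVENT))
```

The important design choice is that nothing in the handler decodes a JWT: the identity comes only from the claims API Gateway has already verified, and the handler refuses to proceed when they are absent, which is exactly the failure mode you hit if a method is ever deployed without the Cognito authorizer attached.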

If you’re new to Cognito and API Gateway, here are some great places to start:

Since there are a lot of great resources on setting up API Gateway I won’t get into more detail here, but let me know in the comments if this is a topic you’d like me to cover in the future.