How do I create a Cognito UserPool Authorizer with CDK when the UserPool is in another Account

[stowg]

If the the UserPool is in different account to the API Gateway, how do you create an Authorizer?

Using CognitoUserPoolsAuthorizer we only seem to be able to pass in an IUserPool but I'm unable to import an existing UserPool if it's in a different account. (It can be done from the console using the ARN but I can't implement that in CDK)

I seem to be struggling to import a UserPool from another account, is that possible?

[stowg]

Turns out this is actually straight-forward:

You CAN import from another account:
const userPool = UserPool.fromUserPoolArn(this, 'UserPool', props.userPoolArn);

My confusion arose from trying to do the same thing with UserPoolClient trying to add a client to an existing UserPool (in another Account) gives an error suggesting the import hasn't worked.

I guess that leads to my next question...

[fynnfluegge]

I solve this by creating the UserPoolClient in that account/cdk-app where the UserPool was created. Then I simply pass the UserPoolClientId via environment param and set this to JwtAudience of the authorizer.
This is my code (note this is golang):

authorizer := awscdkapigatewayv2alpha.NewHttpAuthorizer(stack, jsii.String("MyHttpAuthorizer"), &awscdkapigatewayv2alpha.HttpAuthorizerProps{
	AuthorizerName: jsii.String("MyHttpAuthorizer"),
	HttpApi:        httpApi,
	Type:           awscdkapigatewayv2alpha.HttpAuthorizerType_JWT,
	JwtIssuer:      jsii.String("https://cognito-idp." + *props.Env.Region + ".amazonaws.com/" + props.CognitoUserPoolId),
	JwtAudience:    jsii.Strings(props.CognitoAppClientId), // Look this up in Cognito Userpool App Client settings. It’s the App client ID.
	IdentitySource: jsii.Strings("$request.header.Authorization"),
})

httpApiAuthorizer := awscdkapigatewayv2alpha.HttpAuthorizer_FromHttpAuthorizerAttributes(stack, jsii.String("MyHttpAuthorizer4Test"), &awscdkapigatewayv2alpha.HttpAuthorizerAttributes{
	AuthorizerId:   authorizer.AuthorizerId(),
	AuthorizerType: jsii.String("JWT"),
})

Finally you can simply attach the authorizer to the route of your API gateway. That work's for me, hope that helps.

[stowg]

We ended up doing the same thing.. creating a separate Stack to create the client in the other account.
Cheers,
g.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.