@Kabirdas thanks for your replies.
I'm a coworker of @karimitani, also trying to figure out a solution for this.
We made some progress and went with creating an API resource which uses AWS v4 authorization, which is supported by Retool. Instead of using the .js SDK to call Cognito we can call the Cognito admin REST API directly. This solves the issue of exposing our AWS creds in the browser.
This works well for us because the AWS secret key is encrypted and stored on the Retool backend (I think).
However, we can't actually call the Cognito API because your AWS v4 puts the authorization in the URL instead of headers. We need it in headers.
Using Postman's similar AWS SigV4 features (Postman lets you choose URL or headers) we were able to make the API call we wanted.
This is the API call we want to make (credentials are fudged):
curl --location --request POST 'https://cognito-idp.us-east-2.amazonaws.com/' \
--header 'content-type: application/x-amz-json-1.1' \
--header 'x-amz-target: AWSCognitoIdentityProviderService.AdminCreateUser' \
--header 'X-Amz-Content-Sha256: beaead3198fxxxxx0eba3' \
--header 'X-Amz-Date: 20220304T231239Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=xxx/us-east-2/cognito-idp/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target, Signature=xxxxx' \
--data-raw '{"UserPoolId":"us-east-2_xxxxx","Username":"danishnet_38@hotmail.com","DesiredDeliveryMediums":["EMAIL"],"TemporaryPassword":"Abc@12345","UserAttributes":[{"Name":"email","Value":"danishnet_38@hotmail.com"},{"Name":"email_verified","Value":"true"},{"Name":"custom:org","Value":"bob"},{"Name":"custom:yards","Value":"bob"}]}'
Some possible next steps:
- Perhaps you guys could add to your roadmap to support AWS SigV4 in headers?
- The only real reason we are using an API resource is so that we can store our AWS creds somewhere secure. If we could just avoid putting the AWS creds in the browser and retrieve them securely, we could formulate the request ourselves or use the Cognito SDK.
- Maybe an API resource with a custom authorization option is the way to go?
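For anyone comparing the two SigV4 placements, here is a stand-alone Python example (added here, not code from the post above, Retool, or AWS) that produces the header-based form of the AdminCreateUser request shown in the curl command: the same five signed headers, the payload hash in X-Amz-Content-Sha256, and the Authorization header built from the derived signing key. Only hashlib/hmac from the standard library are used, so it runs offline. The access key, secret key, user pool id and e-mail address are constructed placeholders, and the example never sends the request; it only shows what a backend-side signer has to emit so the secret key never reaches the browser.

```python
import datetime
import hashlib
import hmac
import json

# Constructed placeholder credentials; a real secret must stay server-side.
ACCESS_KEY = "AKIAPLACEHOLDER"
SECRET_KEY = "SECRET-KEY-PLACEHOLDER"

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "cognito-idp"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, used for both the payload hash and the canonical request hash."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def admin_create_user_body(pool_id: str, email: str, temp_password: str, extra: dict) -> bytes:
    """Build the AdminCreateUser JSON payload in the shape used by the curl command above."""
    attrs = [{"Name": "email", "Value": email}, {"Name": "email_verified", "Value": "true"}]
    attrs += [{"Name": k, "Value": v} for k, v in extra.items()]
    payload = {
        "UserPoolId": pool_id,
        "Username": email,
        "DesiredDeliveryMediums": ["EMAIL"],
        "TemporaryPassword": temp_password,
        "UserAttributes": attrs,
    }
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def sign_cognito_request(access_key: str, secret_key: str, region: str,
                         target: str, body: bytes, amz_date: str) -> dict:
    """Return url, headers and body for a header-signed POST to cognito-idp.

    amz_date is the ISO-basic timestamp (e.g. 20220304T231239Z) that also
    appears in X-Amz-Date; its first 8 characters form the credential date.
    """
    host = f"{SERVICE}.{region}.amazonaws.com"
    date_stamp = amz_date[:8]
    payload_hash = sha256_hex(body)

    # Header names must be lowercase and sorted when they enter the canonical request.
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)

    # Canonical request: method, URI, query string (empty), headers block, signed list, payload hash.
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, sha256_hex(canonical_request.encode("utf-8"))]
    )
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, SERVICE),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()

    # Everything except Host goes out as explicit headers; Host is set by the HTTP client.
    out_headers = {n: v for n, v in headers.items() if n != "host"}
    out_headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"url": f"https://{host}/", "headers": out_headers, "body": body}


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    body = admin_create_user_body("us-east-2_PLACEHOLDER", "user@example.com",
                                  "TempPass-placeholder-1", {"custom:org": "bob"})
    req = sign_cognito_request(ACCESS_KEY, SECRET_KEY, "us-east-2",
                               "AWSCognitoIdentityProviderService.AdminCreateUser", body, now)
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

Two things are worth noting from a defender's side: the signed header set covers the x-amz-target and payload hash, so a forwarded request cannot be repurposed to another Cognito action or user without invalidating the signature, and X-Amz-Date gives the server its replay window. Both properties are lost if the secret key itself is shipped to the browser, which is why the signing step belongs on the backend.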