We have some admin APIs that we would like to use in Retool. Those APIs are on AWS API Gateway and we use IAM authorisation with Identity Pool and RBAC from IAM roles.
I configured a Cognito user pool and client with a self-hosted UI to provide OAuth2, and configured Retool to use it. This user pool uses our federated identity provider in Google, which we use for SSO.
This way we can sign our users in using their Google credentials and get an identity that's associated with roles to call APIs. This, however, requires the IAM authoriser, which requires SigV4 authorisation on the client.
I was unable to find any way to configure SigV4 on a REST API that uses this auth model. Is this somehow supported, or is it on the roadmap?
This model allows us to see who's calling the API, and we have a full audit trail with minimal effort. The other approach would require us to use an anonymous API key and replicate the security and audit mechanisms in Retool.
Hey @martinmacak, our team is aware of this and has an open ticket to address this at some point. We don't have any estimates on when it will be implemented, but when it is we will update this post.
In the meantime, are you possibly able to pass your credentials using URL params?
My team has a similar requirement: we have APIs using IAM authorization. The identity pool assumes IAM roles, so that a logged-in Cognito user has an assumed role. We then exchange the ID token for IAM credentials and sign requests with SigV4.
Ideally, we'd have a login component at the top of some of our Retool apps with username+password to log in to your Cognito account, and then subsequent API calls in the API will be signed with the SigV4 credentials. Is that possible?
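The "exchange the ID token for IAM credentials, then sign with SigV4" step described above, as an added example that is not part of this thread or of Retool: a stdlib-only SigV4 signer for a request to an IAM-authorised API Gateway endpoint. It assumes the temporary credentials (access key, secret key, session token) have already been obtained from the identity pool; the key values and host below are constructed placeholders.

```python
"""Minimal AWS Signature Version 4 signer, standard library only.
Assumes temporary credentials already exchanged from a Cognito identity pool;
the session token must be sent (and signed) as x-amz-security-token."""
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning: HMAC chain over date (YYYYMMDD), region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes):
    """Build the canonical request; header names lowercased and sorted, values trimmed."""
    items = sorted(headers.items(), key=lambda kv: kv[0].lower())
    canon_headers = "".join(f"{k.lower()}:{v.strip()}\n" for k, v in items)
    signed_headers = ";".join(sorted(k.lower() for k in headers))
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lines = [method, quote(path, safe="/-_.~"), canon_query, canon_headers,
             signed_headers, hashlib.sha256(payload).hexdigest()]
    return "\n".join(lines), signed_headers


def sign(method, host, path, query, headers, payload, access_key, secret_key,
         region, service, amz_date, session_token=None):
    """Return headers including Authorization; amz_date is ISO basic, e.g. 20150830T123600Z."""
    headers = dict(headers, host=host)
    headers["x-amz-date"] = amz_date
    if session_token:  # temporary credentials from the identity pool carry a token
        headers["x-amz-security-token"] = session_token
    creq, signed = canonical_request(method, path, query, headers, payload)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    key = signing_key(secret_key, amz_date[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

For an API Gateway call the service name is `execute-api` and the host header must be among the signed headers, which this signer always includes.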
Yes, the feature mentioned above has shipped already.
For the login component, we do have an "Auth login" component that can be used to kick off custom auth for specific resources. To use the component, you'd configure the custom auth as needed for a specific REST API resource. It doesn't look like resources using AWS v4 auth can be connected to the component, but the auth should be handled automatically once at least one query is added to the app.