Using Serverless, how do you set a Lambda function’s authorizer to a Cognito User Pool from the Resources?


In my serverless.yml, I have a Lambda function and I want to set it’s authorizer to a Cognito User Pool that I have declared in the Resources section down below. I’ve seen examples where the authorizer is set to aws_iam but that seems wrong. Any help would be amazing 🙂

I’m thinking I need to set the authorizer’s ARN to the Pool’s ARN, but how do I get that? Or is that even correct?


As noted in another answer, hard coding the ARN works. So intuitively, you might think something like this would work:

Sadly, it does not. It looks like Serverless bumps your arn up against a couple of regular expressions to determine whether you’re pointing at a lambda or a user pool. This approach doesn’t seem to play nicely with approaches using things like Ref, Fn::Join, or Fn::GetAtt

As of Serverless 1.27.3 (which was released since this question was asked), there is a workaround of sorts available.

Essentially you declare your Authorizer in your resources section, instead of letting Serverless auto-magically create it for you. Then you use the new authorizerId key in your functions section to point at this authorizer. A minimal example:

It isn’t great, but it’s better than having to hard code the user pool ARN into your template.

Leave a Reply