I have enabled AWS Cognito for an alexa skill and enabled only google login for the users, now Cognito + google auth flow completes successfully, and We get a AWS bearer token ey...,
Now I wish to use a google services AP (drive/gmail), sensitive/restricted Google APIs.
Is this possible using the Cognito as auth provider? if not can I create a sort of Alexa + Node(middleware, to handle google auth, then pass code/tokens back to Alexa server)
I don't think so.
Let me explain. Cognito can be authentication provider for your application if you are developing an application. Many AWS services support Cognito (e.g. ElasticSearch, API Gateway, etc.). But it doesn't mean that Google supports Cognito.
Don't be mistaken by the fact that Cognito supports Google Login. It's the other way around called "federation". In this mode, Google tells Cognito that the user is authenticated by Google and Cognito trusts this information. Now any application that uses Cognito, will "Login with Google".
Yes, this is possible. You can use AWS Secrets Manager to keep the Google secrets out of code.