I am using AWS Congito User Pools for account management with a Cognito Identity Pool that has this User Pool as the Identity Provider. I'm using this to control access to an API through API Gateway that sends requests to Lambda. My Lambda is implemented with Java 8 using Micronaut. All of this is working fine.
In the Lambda, I'm getting the name from the Principal
in the HttpRequest
:
protected String resolveUser( HttpRequest request ){
String ret = null;
Optional<Principal> principal = request.getUserPrincipal();
if( principal.isPresent() ){
ret = principal.get().getName();
}
if( ret == null || ret.length() == 0 ){
ret = "unknown";
}
return ret;
}
What is coming back in the string name of the Cognito identityId. Something like this:
us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx
I would like to either log the actual user login or at least have some way to convert the identityId to the login when needed.
The LookupDeveloperIdentity API call appears to be the right way to go about this, but I'm unable to get it to work.
Attempting to do this with Java and the AWS Java SDK 2:
protected String loadUsername( String user ){
String ret = "unknown:"+user;
CognitoIdentityClient cognito = CognitoIdentityClient.create();
LookupDeveloperIdentityRequest request = LookupDeveloperIdentityRequest.builder()
.identityPoolId( identityPoolId )
.identityId( user )
.build();
LookupDeveloperIdentityResponse response = cognito.lookupDeveloperIdentity( request );
List<String> identifiers = response.developerUserIdentifierList();
if( identifiers != null && identifiers.size() > 0 ){
ret = identifiers.get( 0 );
}
return ret;
}
throws an exception
software.amazon.awssdk.services.cognitoidentity.model.NotAuthorizedException: You do not have access to this identity (Service: CognitoIdentity, Status Code: 400, Request ID: 64e36646-612b-4985-91d1-82aca770XXXX)
Attempting to do this via the CLI produces a similar result:
aws cognito-identity lookup-developer-identity --identity-id us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx --identity-pool-id us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx --max-results=10
An error occurred (NotAuthorizedException) when calling the LookupDeveloperIdentity operation: You do not have access to this identity
I have made sure the IAM policy in place should be able to handle this, and when I try it with a role that does not have this policy, I get a different error
{
"Effect": "Allow",
"Action": [
"cognito-identity:LookupDeveloperIdentity"
],
"Resource": [
"arn:aws:cognito-identity:us-east-1:##########:identitypool/us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx"
]
}
So the questions boil down to:
Alternative Approach
In order to retrieve the user’s User Pool user id you can retrieve in your lambda:
authProvider = event.requestContext.identity.cognitoAuthenticationProvider;
This will return a string which will include the user's User Pool user ID and it will look something like:
cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr
Where us-east-1_aaaaaaaaa is the User Pool id and qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr is the User Pool User Id. You can then split the string and extract the user ID.
Note that these info will be different depending on the authentication provider you are using.
Then if you need the username instead of user ID you can extract it directly from user Pool by getting the appropriate details for that specific user ID.
Reference
https://serverless-stack.com/chapters/mapping-cognito-identity-id-and-user-pool-id.html