Get Cognito user attributes in Lambda function
B

3

10

I'm using AWS Amplify to create a Lambda function, REST API, and Cognito user pool. I want to retrieve the Cognito user who made the request to the endpoint so I can access their user attributes.

I selected the serverless Express template for the function:

app.js

app.post('/do-something', async (req, res) => {
  // The user pool ID is available as an environment variable.
  // I want to get the user and use their user attributes here.
});

And the client-side configuration sets the Authorization header based on the current user's token:

App.js

Amplify.configure({
  API: {
    endpoints: [
      {
        name: "sampleCloudApi",
        endpoint: "https://xyz.execute-api.us-east-1.amazonaws.com/Development",
        custom_header: async () => { 
          return { Authorization: `Bearer ${(await Auth.currentSession()).getIdToken().getJwtToken()}` }
        }
      }
    ]
  }
});

Does the event (req.apiGateway.event) or context hold user information? Or can I use the Authorization header somehow?

Also, what would it look like to make the Cognito call inside the Lambda function? Will this need to use the Admin API?

Thanks!

Bug answered 2/2, 2021 at 13:12 Comment(2)
Does this help? https://mcmap.net/q/719074/-get-cognito-user-pool-identity-in-lambda-function - Ariminum
This is how I get the user attributes from lambda requests: #68918727 - Bookstand
C
3

You can get the federated identity ID of the user through the Lambda context object using context.identity.cognitoIdentityId, but this will just be the ID associated with the user in the Cognito Identity Pool and not the Cognito User Pool.

The best way that I've seen to get User Pool attributes within Lambda is to use a custom authorizer, pass in the JWT token generated client-side by the SDK, and decode it server-side. After authorizing the user and decoding the JWT token, your Lambda will be able to access the User Pool attributes in context.authorizer.claims. Here's a post walking through the custom authorizer: https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/

Convolve answered 2/2, 2021 at 17:2 Comment(0)
A
2

Supposing that you have set up the API Gateway with a Cognito authorizer, you can access the authenticated user's attributes from your Lambda's app.js file this way:

app.post('/do-something', async (req, res) => {
    // Claims of the token validated by the Cognito authorizer
    const attribute = req.apiGateway.event.requestContext.authorizer.claims['<user-attribute>'];
});
Aeromedical answered 13/7, 2022 at 19:47 Comment(0)
E
0

Globally there are two paths:

  1. The user claim is in the token the client or resource provider possesses. The token is a base64-encoded JSON structure, and the claim can be extracted as such.
  2. The user claim is not in the token and exists only in Cognito; then, if the token is an Access Token, use the userInfo endpoint of Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html
Erymanthus answered 18/1 at 19:44 Comment(0)
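
An added example, not code from any of the posts above: reading user attributes from the claims a Cognito authorizer on the REST API has already validated, and refusing the request when those claims are absent instead of decoding the Authorization header unverified. The helper names (getVerifiedClaims, handleDoSomething) and the sample event are constructed for illustration; in the Express template the event would be req.apiGateway.event.

```javascript
// Claims placed on the event by an API Gateway REST API Cognito authorizer.
// Returns null when no authorizer ran, so callers can fail closed.
function getVerifiedClaims(event) {
  const claims = event?.requestContext?.authorizer?.claims;
  return claims && typeof claims === 'object' ? claims : null;
}

// Hypothetical handler core: maps an event to { status, body }.
// In app.js: const r = handleDoSomething(req.apiGateway.event, ['email']);
//            res.status(r.status).json(r.body);
function handleDoSomething(event, wantedAttributes) {
  const claims = getVerifiedClaims(event);
  if (!claims) {
    // No authorizer attached to this route. Decoding the bearer token here
    // without checking its signature would trust caller-supplied data.
    return { status: 401, body: { error: 'no verified claims' } };
  }
  if (claims.token_use !== 'id') {
    // Access tokens do not carry user attributes such as email;
    // those would have to come from the userInfo endpoint instead.
    return { status: 400, body: { error: 'ID token required for attributes' } };
  }
  const attributes = {};
  for (const name of wantedAttributes) {
    if (Object.prototype.hasOwnProperty.call(claims, name)) {
      attributes[name] = claims[name];
    }
  }
  return { status: 200, body: { sub: claims.sub, attributes } };
}

// Constructed sample event, trimmed to the fields used here.
const sampleEvent = {
  requestContext: {
    authorizer: {
      claims: {
        sub: '00000000-0000-4000-8000-000000000000',
        token_use: 'id',
        'cognito:username': 'example-user',
        email: 'user@example.com',
      },
    },
  },
};

console.log(handleDoSomething(sampleEvent, ['email']));
```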
