How to log all Cognito User details in API Gateway Cloudwatch

2

14

I'm trying to understand which claims I am able to access from the API Gateway when a user makes an authenticated request.

The API Gateway Mapping Template Reference (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference) lists different authorizer claims, but it looks like only "sub" and "email" work.

All the other claims are logged as "-"

I'm logging the requests with CloudWatch, as described in this guide: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html

I would like to get the username too, but none of the following mappings work:

  • $context.authorizer.claims['cognito:username']
  • $context.authorizer.claims\['cognito:username'\]
  • $context.identity.cognitoIdentityId
Theogony answered 16/5, 2018 at 16:20 Comment(0)
1

The question is very old, but I'd like to add that configuring the log format like this does work now, using the ['cognito:username'] of the original author of this question.

{"cognitoUsername":"$context.authorizer.claims['cognito:username']","httpMethod":"$context.httpMethod"}

Probably something AWS fixed in the last 5 years.

Berty answered 6/10, 2023 at 10:48 Comment(0)
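
An added example, not code from any of the posts on this page: it builds a single-line JSON access-log format using the bracket form of the claim reference from the answer above, then checks logged lines for fields that came out as "-", the symptom described in the question. The claim_* field names and the sample log lines are constructed for illustration.

```python
import json

# Claim names taken from the page.
CLAIMS = ["sub", "email", "cognito:username"]


def claim_ref(name):
    """Context variable for one authorizer claim, in the bracket form from the answer."""
    return "$context.authorizer.claims['%s']" % name


def build_log_format(claims):
    """Return a single-line JSON log format with one field per claim."""
    fields = {
        "requestId": "$context.requestId",
        "httpMethod": "$context.httpMethod",
    }
    for name in claims:
        # Field naming is an assumption of this example: the colon is flattened
        # so the key is easy to type in log queries.
        fields["claim_" + name.replace(":", "_")] = claim_ref(name)
    return json.dumps(fields, separators=(",", ":"))


def unresolved_fields(log_line):
    """Fields of one logged JSON line whose value is "-", i.e. not populated."""
    record = json.loads(log_line)
    return sorted(k for k, v in record.items() if v == "-")


def audit(lines):
    """Map requestId -> unresolved fields, for lines that have any."""
    report = {}
    for line in lines:
        missing = unresolved_fields(line)
        if missing:
            report[json.loads(line)["requestId"]] = missing
    return report


# Constructed sample log lines (not real CloudWatch output).
SAMPLE_LINES = [
    '{"requestId":"req-0001","httpMethod":"GET","claim_sub":"11111111-aaaa",'
    '"claim_email":"user@example.com","claim_cognito_username":"-"}',
    '{"requestId":"req-0002","httpMethod":"GET","claim_sub":"22222222-bbbb",'
    '"claim_email":"other@example.com","claim_cognito_username":"other"}',
]

if __name__ == "__main__":
    print(build_log_format(CLAIMS))
    print(audit(SAMPLE_LINES))
```
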
0

To see a list of all available properties you can temporarily add this to your mapping template: $context.authorizer.claims.keySet().

Feud answered 20/8, 2023 at 9:52 Comment(0)
