Cognito: Federated Identity Id and User Attributes

Asked 23/3, 2017 at 0:43 Answered 31/3, 2020 at 17:39

amazon-web-services amazon-s3 aws-lambda federated-identity amazon-cognito

Story:

I have a Cognito User Pool with Users.

This User Pool is an authentication provider in a Federated Identity Pool.

I have an S3 bucket where users are limited to uploading to a private path via a policy on the Auth Role as follows:

arn:aws:s3:::BUCKET_NAME/${cognito-identity.amazonaws.com:sub}/*

The users upload directly from the web browser via the aws javascript sdk.

Now this works great and my users are limited to where they upload. The files they upload end up with paths in the bucket looking like this:

us-east-1:0f26319c-1233-4c71-afb6-fac96a798ffb/random_file_name.txt

I then have a lambda which is triggered from this S3 bucket whenever a file is added. To clarify, the user does NOT invoke the lambda

Problem:

I would like to access the user's attributes in the user pool from the lamda. I thought that I could do this lookup using the cognito-identity sub. However, I can't seem to find a way using the SDK api's to allow this.

Using this api: http://boto3.readthedocs.io/en/latest/reference/services/cognito-identity.html#CognitoIdentity.Client.describe_identity I am able to get the login / the user pool but not the username associated with this Identity ID.

If I had the username, then I could use the api: http://boto3.readthedocs.io/en/latest/reference/services/cognito-idp.html?highlight=cognito#CognitoIdentityProvider.Client.admin_get_user

Any ideas how I can use the Federated Identity ID to lookup the user's attributes?

Valeda answered 23/3, 2017 at 0:43 Comment(2)

Is the username available to code in the browser? – Kanchenjunga 23/3, 2017 at 2:56

@Kanchenjunga it is. However if I use user attributes to keep track of a users storage quota. It means that any user could send whatever username he wants. And since usernames are usually emails, it would be relatively easy to pretend to be someone else. – Valeda 23/3, 2017 at 9:6

Unfortunately, I don't believe this is possible. The reason is, as far as I understand, technically the federated identity ID doesn't have to represent a user pool user. If you connected other authentication providers to the identity pool users could have completely different properties, for example.

Devine answered 31/3, 2020 at 17:39 Comment(0)

-1

What about storing files in
arn:aws:s3:::BUCKET_NAME/${cognito-idp.us-east-1.amazonaws.com:sub}

This will be resolved to the folder names like
f4cfd4a8-0e94-4287-8c5e-1b01538dd2a1

Using this sub of user from Cognito User Pool you can list users with that sub, for example in cli:
aws cognito-idp list-users --user-pool-id=us-east-1_ndhjGJQYE --filter "sub = 'f4cfd4a8-0e94-4287-8c5e-example'"

Yunyunfei answered 16/1, 2018 at 12:29 Comment(1)

sub from the cognito-idp.<aws-region>.amazonaws.com:sub is actually the federated id, which is not the same as user-pool's sub. Hence, this is not the right answer. – Broach 9/7, 2018 at 9:44

Recommended topics

Hot tags