I am having an Architecture where I am using API Gateway with Cognito User Pool Authorizer and I am passing the IdToken in Authorization Header from client side ReST call.

It is working fine.

I need the cognitoIdentityId in Lambda.

Tried Body Template Mapping in Integration Request in API Gateway:

Content type - application/json

    {
        "cognito-identity": "$context.identity.cognitoIdentityId"
    }

It doesn't send the identityid (in event or in context) and also it transforms my payload only to this json.

How to get the identityid in Lambda in this scenario with my payload intact?

Indrajit Dan

2 Answers


The Cognito Identity Id will only be available if you use Cognito Identity Credentials. If you want to get information about the Cognito User Pool user authorized via an authorizer, it will be available in the context.authorizer.claims map.

See this documentation for more details.

Also, if you want this value to be available in your Lambda function, it will be in the event.requestContext.authorizer.claims map (if you are using Lambda proxy integration), or wherever you've chosen to map it with your mapping template (if you are not using proxy integration).

Edited to fix typo.

Harry
Bob Kinney
  • I am getting event.requestContext.identity.cognitoIdentityId as null after setting proxy integration. Though I am getting other values such as email, sub, aud etc. in the authorizer. Well, I am just passing the idToken in the Authorization header from Postman. And I am not intending to use any client-side AWS SDK for Cognito. My setup is as described in this forum post: https://forums.aws.amazon.com/thread.jspa?threadID=252838 My goal is to get the identityId so that I can get a temporary secretKey and accessKey from getCredentialsForIdentity in cognitoidentity. – Indrajit Dan Apr 10 '17 at 05:42
  • Again, if you are using Cognito User Pool Authorizer, cognitoIdentityId will never be filled. – Bob Kinney Apr 10 '17 at 14:16
  • Then how to get the identityId with this architecture? Or how to get a temporary secretKey and accessKey this way? And I am just curious - why are you guys limiting us by "if you are using Cognito User Pool Authorizer, cognitoIdentityId will never be filled"? – Indrajit Dan Apr 11 '17 at 06:08
  • This is a limitation of Cognito, not API Gateway. If you are just using Cognito User Pools, there is no identityId. IdentityId is only used if you actually use the federated identity feature. http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html – Bob Kinney Apr 12 '17 at 19:20
  • I just tried to transform my API Gateway resource to the proxy integration - as it turned out, such a type cannot respond. I am using Cognito Federated Identities - so how can I get the Cognito ID into my Lambda? – Vitaly Zdanevich Jan 10 '18 at 13:42
  • @VitalyZdanevich please feel free to open a new question with your issues. I'm not sure what you mean by "can not respond". Please clarify in your new question. – Bob Kinney Jan 11 '18 at 18:13

CognitoIdentityId comes from the Federated Identity Pool. If you want an identityId then you have to create an Identity Pool in AWS Cognito Federated Identities with your AWS Cognito User Pool. Click here

Then you need to authenticate your UserPool user which will return you the JWT Tokens (IdToken, AccessToken and RefreshToken). Using this IdToken you can call the GetId method of Cognito Federated Identities API to obtain the IdentityId.

Jinia
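The two answers together describe one flow: with proxy integration the Lambda reads the User Pool claims from event.requestContext.authorizer.claims (cognitoIdentityId stays null), and it can then pass the same IdToken to the Identity Pool's GetId / GetCredentialsForIdentity to obtain an IdentityId and temporary keys. The Python below is an added example, not code from either answer; the event, pool id, tokens and key values are constructed, and the Cognito Identity client is injected so the logic runs offline (in Lambda you would pass boto3.client("cognito-identity")).

```python
"""Lambda side of the flow above: User Pool claims from the proxy event,
then IdToken -> Federated Identity via GetId / GetCredentialsForIdentity."""
from typing import Any, Dict, Optional, Tuple

# Constructed API Gateway (Lambda proxy) event. The User Pool authorizer has already
# verified the IdToken signature and copied its claims; the original body is untouched.
SAMPLE_EVENT: Dict[str, Any] = {
    "body": '{"order": 42}',
    "headers": {"Authorization": "eyJraWQiOi.constructed.idtoken"},  # constructed
    "requestContext": {
        "identity": {"cognitoIdentityId": None, "sourceIp": "203.0.113.10"},
        "authorizer": {"claims": {
            "sub": "11111111-2222-3333-4444-555555555555",
            "email": "user@example.com",
            "aud": "example-app-client-id",
            "token_use": "id",
            "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
        }},
    },
}


def claims_from_proxy_event(event: Dict[str, Any]) -> Dict[str, str]:
    """Claims the authorizer attached; trust these, never a user id supplied in the body."""
    return event.get("requestContext", {}).get("authorizer", {}).get("claims", {})


def identity_id_from_proxy_event(event: Dict[str, Any]) -> Optional[str]:
    """requestContext.identity.cognitoIdentityId: None unless the caller signed the
    request with Identity Pool credentials, i.e. always None behind a User Pool authorizer."""
    return event.get("requestContext", {}).get("identity", {}).get("cognitoIdentityId")


def logins_for_identity_pool(claims: Dict[str, str], id_token: str) -> Dict[str, str]:
    """Logins map GetId expects: 'cognito-idp.<region>.amazonaws.com/<userPoolId>' -> IdToken.
    The provider name is the token's iss claim without the https:// scheme."""
    issuer = claims["iss"]
    if not issuer.startswith("https://cognito-idp."):
        raise ValueError("token was not issued by a Cognito User Pool")
    return {issuer[len("https://"):]: id_token}


def federated_identity(identity_client, identity_pool_id: str,
                       claims: Dict[str, str], id_token: str) -> Tuple[str, Dict[str, Any]]:
    """GetId, then GetCredentialsForIdentity. identity_client is a boto3 'cognito-identity'
    client or any object exposing get_id / get_credentials_for_identity with the same kwargs."""
    logins = logins_for_identity_pool(claims, id_token)
    identity_id = identity_client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = identity_client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return identity_id, creds["Credentials"]  # AccessKeyId, SecretKey, SessionToken, Expiration
```

Inside a real handler the IdToken comes from event["headers"]["Authorization"] and the IdentityPoolId from configuration; the identity pool must list the User Pool as an authentication provider or GetId rejects the token.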