How federated Identity ID is populated and sent to IAM policies?

Question

I want to know , from where this value is ${cognito-identity.amazonaws.com:sub} populated . I had checked in cognito Identity JWT token where sub will have username of cognito. I cant able to see federated ID any where in JWT Id token. I can only see the ID generated in federated identity pool.

Does it is a hash of cognito and federated pool ID ?

Because if it is taking from JWT token, i want to pass custom:Attribute1 into this variable dynamically ${cognito-identity.amazonaws.com:custom:Attribute1} in IAM role of dynamodb ?

Thanks Any help is appreicated

When downvoting pls share your reasons. SO that i will improve my way of asking next time. — Private, Aug 24 '18 at 19:49

score 0 · Answer 1 · answered Aug 24 '18 at 17:57

With Cognito Federated Identity, the username from the user pool is not preserved across the federation boundary. Instead it is exchanged for an identity id which is consistent for future interactions with that user. At this time, you will need to maintain your own mapping of username -> identity id. Another option is to not use Federated Identity and proxy your requests to DynamoDB through API Gateway using Cognito User Pool authorizers so you have access to the end user's username.

How federated Identity ID is populated and sent to IAM policies?

1 Answers1