Retrieve identityID given userpool ID_token in lambda@edge

0

Hi,

I have a CloudFront viewer request Lambda@Edge function that returns a custom CloudFront policy after verifying a Cognito user pool id_token. The custom policy would grant access to read files from a user directory of the form /users/<identityID>, where the identityID is based on the Cognito identity pool. I have the following in my lambda function to get the identityID associated with a user pool id_token.

      const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2, as used throughout this thread

      // Exchange the user pool id_token for an identity pool identity.
      // The Logins key has the form 'cognito-idp.<region>.amazonaws.com/<UserPoolID>'.
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: <identityPoolID>,
        Logins: {
          <UserPoolID>: id_token
        }
      });
      await AWS.config.credentials.getPromise();
      const identityId = AWS.config.credentials.identityId;
      console.log(identityId);

This seems to work, but I ran across an issue where the Lambda@Edge function was spun up in us-west-1, while my identity pool (and user pool) are in us-west-2. For some reason, I get an error that the identity pool cannot be found. Are these region specific? I have no issues when the lambda function is run in us-west-2. Is there another way to get the identityID from the id_token?

3 answers
1

Yes, Amazon Cognito is a regional service, see https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html#cognito_identity_region. You may need to use the full ARN or specify the endpoint in your code even though the region is part of the Identity Pool Id.

AWS
answered a year ago
  • Sorry, I may not have been clear... The values I am using look like the following: AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-west-2:xxxx-xxxx-xxxx-xxxx-xxxx', Logins: { 'cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxx': params.id_token } });

0

Did that work or are you still getting an error?

AWS
answered a year ago
  • I'm not 100% sure... I haven't seen the issue pop up, but CloudFront has not routed any of my recent login attempts to a different region. Are there any best practices for how to test CloudFront against different regions? I only came across the issue because CloudFront randomly routed me to us-west-1 instead of us-west-2.

  • You could set up a VDI in Amazon Workspaces in a region like us-east-2 and test with a web browser. The web browser accessing CloudFront should default to the local region.

0

Have you set the "region" in the SDK? If you don't, Lambda will send the call to the in-region endpoint anyway.

AWS
answered a year ago
  • Thanks, I think this is what I missed... I ended up doing the following:

      const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

      // Second constructor argument is the service client config; pinning
      // the region there sends the call to us-west-2 regardless of the
      // region the Lambda@Edge replica is running in.
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-west-2:e0e662ee-4037-41fa-9e47-adafc9ae6ef7',
        Logins: {
          'cognito-idp.us-west-2.amazonaws.com/us-west-2_nB7Uc8Zjn': params.id_token
        }
      },
      {
        region: 'us-west-2'
      });

    I'm assuming this would work correctly.
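The region pinning discussed in this thread, written out as a small added example (not code from the question or from any of the answers). It assumes the AWS SDK for JavaScript v2 (`aws-sdk`), as in the question, derives the region from the identity pool ID prefix rather than from the edge replica's ambient region, builds the Logins key from the user pool ID, and validates the returned identity ID before it is used to build the `/users/<identityID>` prefix for the custom policy. The id_token is assumed to have already been verified earlier in the viewer-request function, as the question describes; the credential factory is injectable so the logic can be exercised without network access.

```javascript
// Added example, not from the original post. Assumes aws-sdk v2.

// Identity pool IDs carry their home region as a prefix: "<region>:<uuid>".
const IDENTITY_POOL_ID_RE = /^([a-z]{2}(?:-[a-z]+)+-\d):([0-9a-f-]{36})$/;
// Identity IDs returned by Cognito have the same "<region>:<uuid>" shape.
const IDENTITY_ID_RE = IDENTITY_POOL_ID_RE;

// Derive the region from the pool ID itself instead of trusting AWS_REGION
// of the Lambda@Edge replica, which may be a different region entirely.
function regionFromIdentityPoolId(identityPoolId) {
  const m = IDENTITY_POOL_ID_RE.exec(identityPoolId);
  if (!m) throw new Error(`malformed identity pool id: ${identityPoolId}`);
  return m[1];
}

// The Logins key is the user pool issuer without the "https://" scheme,
// e.g. "cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxx". The user pool
// ID is prefixed with its region, so a mismatch is caught here.
function loginsKeyForUserPool(region, userPoolId) {
  if (!userPoolId.startsWith(`${region}_`)) {
    throw new Error(`user pool ${userPoolId} is not in region ${region}`);
  }
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// Constructor arguments: params plus a clientConfig that pins the region,
// which is what the fix in the last comment of this thread does.
function buildCredentialArgs(identityPoolId, userPoolId, idToken) {
  const region = regionFromIdentityPoolId(identityPoolId);
  const params = {
    IdentityPoolId: identityPoolId,
    Logins: { [loginsKeyForUserPool(region, userPoolId)]: idToken },
  };
  return { params, clientConfig: { region } };
}

// Resolve the identity ID. `makeCredentials` is an injectable factory
// (hypothetical, for testing); by default aws-sdk v2 is loaded lazily.
async function resolveIdentityId(identityPoolId, userPoolId, idToken, makeCredentials) {
  const { params, clientConfig } = buildCredentialArgs(identityPoolId, userPoolId, idToken);
  const factory = makeCredentials || ((p, c) => {
    const AWS = require('aws-sdk'); // assumed available in the edge runtime
    return new AWS.CognitoIdentityCredentials(p, c);
  });
  const creds = factory(params, clientConfig);
  await creds.getPromise();
  const identityId = creds.identityId;
  // The identityId becomes part of the resource prefix the custom policy
  // grants, so only accept the shape Cognito actually returns.
  if (!IDENTITY_ID_RE.test(identityId)) {
    throw new Error(`unexpected identity id shape: ${identityId}`);
  }
  return identityId;
}

// Path prefix the custom CloudFront policy should restrict the viewer to.
function userPrefixFor(identityId) {
  if (!IDENTITY_ID_RE.test(identityId)) {
    throw new Error(`unexpected identity id shape: ${identityId}`);
  }
  return `/users/${identityId}/*`;
}

// Constructed sample values (placeholders, not real pool IDs).
const SAMPLE_POOL = 'us-west-2:11111111-2222-3333-4444-555555555555';
const SAMPLE_USER_POOL = 'us-west-2_ABCDEFGHI';
console.log(buildCredentialArgs(SAMPLE_POOL, SAMPLE_USER_POOL, '<id_token>'));
```

Deriving the region from the pool ID keeps a single source of truth: if the pool is ever moved, the clientConfig follows automatically, and a user pool from another region is rejected before any network call is made.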
