Retrieve identityID given userpool ID_token in lambda@edge

0

Hi,

I have a CloudFront viewer request lambda@edge function that returns a custom cloudfront policy after verifying a cognito userpool id_token. The custom policy would grant access to read files from a user directory of the form /users/<identityID> where the identityID is based on the cognito identity pool. I have the following in my lambda function to get the identityID associated with a userpool id_token.

      // inside the async Lambda@Edge handler, after the id_token has been verified
      const AWS = require('aws-sdk');

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: <identityPoolID>,
        Logins: {
          <UserPoolID>: id_token
        }
      });
      await AWS.config.credentials.getPromise();
      const identityId = AWS.config.credentials.identityId;
      console.log(identityId);

This seems to work, but I ran across an issue where the lambda@edge function was spun up in us-west-1, while my identity pool (and user pool) are in us-west-2. For some reason, I get an error that the identity pool can not be found. Are these region specific? I have no issues when the lambda function is run in us-west-2. Is there another way to get the identityID from the id_token?

3 Answers
1

Yes, Amazon Cognito is a regional service, see https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html#cognito_identity_region. You may need to use the full Arn or specify the endpoint in your code even though the region is part of the Identity Pool Id.

AWS
answered a year ago
  • Sorry, I may not have been clear... The values I am using look like the following: AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-west-2:xxxx-xxxx-xxxx-xxxx-xxxx', Logins: { 'cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxx': params.id_token } });

0

Did that work or are you still getting an error?

AWS
answered a year ago
  • I'm not 100% sure... I haven't seen the issue pop up, but CloudFront has not routed any of my recent login attempts to a different region. Are there any best practices for how to test CloudFront against different regions? I only came across the issue because CloudFront randomly routed me to us-west-1 instead of us-west-2.

  • You could set up a VDI in Amazon Workspaces in a region like us-east-2 and test with a web browser. The web browser accessing CloudFront should default to the local region.

0

Have you set the "region" in the SDK? If you don't, Lambda will send the call to the in-region endpoint anyway.

AWS
answered a year ago
  • Thanks, I think this is what I missed... I ended up doing the following:

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-west-2:e0e662ee-4037-41fa-9e47-adafc9ae6ef7',
        Logins: {
          'cognito-idp.us-west-2.amazonaws.com/us-west-2_nB7Uc8Zjn': params.id_token
        }
      },
      {
        // client config for the CognitoIdentity call: pin it to the pool's region
        region: 'us-west-2'
      });


    I'm assuming this would work correctly.
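As an added example (not code from this thread), the following derives the region from the pool IDs themselves, so the Cognito Identity call is pinned to the pool's home region no matter which region replicates the Lambda@Edge function. It assumes the id_token signature has already been verified earlier in the handler, as the question describes; the pool IDs are placeholders.

```javascript
// Placeholders (constructed): replace with your own pool IDs.
const IDENTITY_POOL_ID = 'us-west-2:00000000-0000-0000-0000-000000000000';
const USER_POOL_ID = 'us-west-2_EXAMPLE';

// An identity pool ID carries its region before the colon, a user pool ID
// before the underscore; reject anything that does not look like one.
function regionFromIdentityPoolId(id) {
  const m = /^([a-z]{2}(?:-[a-z]+)+-\d):[0-9a-f-]{36}$/.exec(id);
  if (!m) throw new Error('malformed identity pool id');
  return m[1];
}
function regionFromUserPoolId(id) {
  const m = /^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$/.exec(id);
  if (!m) throw new Error('malformed user pool id');
  return m[1];
}

// Decode (not verify; signature verification is assumed done already)
// the JWT payload so the issuer can be compared with the configured pool.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns the two arguments for new AWS.CognitoIdentityCredentials(params, clientConfig):
// the Logins key is built from the configured user pool, and clientConfig.region
// comes from the identity pool ID rather than from the Lambda execution region.
function buildCredentialConfig(idToken, identityPoolId = IDENTITY_POOL_ID, userPoolId = USER_POOL_ID) {
  const region = regionFromIdentityPoolId(identityPoolId);
  const providerName = `cognito-idp.${regionFromUserPoolId(userPoolId)}.amazonaws.com/${userPoolId}`;
  const payload = jwtPayload(idToken);
  // Only hand the token to the identity pool if it was issued by our user pool.
  if (payload.iss !== `https://${providerName}`) throw new Error('issuer mismatch');
  if (payload.token_use !== 'id') throw new Error('not an id token');
  return {
    params: { IdentityPoolId: identityPoolId, Logins: { [providerName]: idToken } },
    clientConfig: { region },
  };
}

// In the handler (AWS SDK v2), as in the thread:
// const { params, clientConfig } = buildCredentialConfig(idToken);
// AWS.config.credentials = new AWS.CognitoIdentityCredentials(params, clientConfig);
// await AWS.config.credentials.getPromise();
// const identityId = AWS.config.credentials.identityId;
```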
