By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Retrieve identityID given userpool ID_token in lambda@edge

0

Hi,

I have a CloudFront viewer request lambda@edge function that returns a custom cloudfront policy after verifying a cognito userpool id_token. The custom policy would grant access to read files from a user directory of the form /users/<identityID> where the identityID is based on the cognito identity pool. I have the following in my lambda function to get the identityID associated with a userpool id_token.

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: <identityPoolID>,
        Logins: {
                <UserPoolID>: id_token
            }
     	});
      await AWS.config.credentials.getPromise();
      identityId = AWS.config.credentials.identityId;
      console.log(identityId)

This seems to work, but I ran across an issue where the lambda@edge function was spun up in us-west-1, while my identity pool (and user pool) are in us-west-2. For some reason, I get an error that the identity pool can not be found. Are these region specific? I have no issues when the lambda function is run in us-west-2. Is there another way to get the identityID from the id_token?

Topics
ServerlessComputeSecurity, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS LambdaAmazon CognitoAmazon CloudFront
Language
English
rrrpdx
asked a year ago183 views
3 Answers
1

Yes, Amazon Cognito is a regional service, see https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html#cognito_identity_region. You may need to use the full Arn or specify the endpoint in your code even though the the region is part of Identity Pool Id.

AWS
AWS-Everett
answered a year ago
  • rrrpdx
    a year ago

    Sorry, I may not have been clear... The values I am using look like the following: AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-west-2:xxxx-xxxx-xxxx-xxxx-xxxx', Logins: { 'cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxx': params.id_token } });

0

Did that work or are you still getting an error?

AWS
AWS-Everett
answered a year ago
  • rrrpdx
    a year ago

    I'm not 100% sure... I havent' seen the issue pop up, but cloudfront has not routed any of my recent login attempts to a different region. Are there any best practices for how to test cloudfront against different regions? I only came across the issue because cloudfront randomly routed me to us-west-1 instead of us-west-2.

  • AWS-Everett
    a year ago

    You could set up a VDI in Amazon Workspaces in a region like us-east-2 and test with a web browser. The web browser accessing CloudFront should default to the local region.

0

Have you set the "region" in the SDK? If you don't do this lambda will send the call to in-region endpoint anyway.

AWS
AWS-Everett
answered a year ago
  • rrrpdx
    a year ago

    Thanks, I think this is what I missed... I ended up doing the following:

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-west-2:e0e662ee-4037-41fa-9e47-adafc9ae6ef7',
    Logins: {
            'cognito-idp.us-west-2.amazonaws.com/us-west-2_nB7Uc8Zjn': params.id_token
        }
 	},
   {
     region:'us-west-2'
   });

    I'm assuming this would work correctly.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content