
Retrieve identityID given userpool ID_token in lambda@edge

0

Hi,

I have a CloudFront viewer request lambda@edge function that returns a custom cloudfront policy after verifying a cognito userpool id_token. The custom policy would grant access to read files from a user directory of the form /users/<identityID> where the identityID is based on the cognito identity pool. I have the following in my lambda function to get the identityID associated with a userpool id_token.

    // Placeholders <identityPoolID> and <UserPoolID> stand for the real values
    // (see the follow-up comment below for their format).
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: <identityPoolID>,
      Logins: {
        <UserPoolID>: id_token
      }
    });
    // Exchange the user pool id_token for identity pool credentials and read back the identityId.
    await AWS.config.credentials.getPromise();
    const identityId = AWS.config.credentials.identityId;
    console.log(identityId);

This seems to work, but I ran across an issue where the lambda@edge function was spun up in us-west-1, while my identity pool (and user pool) are in us-west-2. For some reason, I get an error that the identity pool can not be found. Are these region specific? I have no issues when the lambda function is run in us-west-2. Is there another way to get the identityID from the id_token?

3 Answers
1

Yes, Amazon Cognito is a regional service, see https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html#cognito_identity_region. You may need to use the full Arn or specify the endpoint in your code even though the region is part of the Identity Pool Id.

AWS
answered 2 years ago
  • Sorry, I may not have been clear... The values I am using look like the following: AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-west-2:xxxx-xxxx-xxxx-xxxx-xxxx', Logins: { 'cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxx': params.id_token } });

0

Did that work or are you still getting an error?

AWS
answered 2 years ago
  • I'm not 100% sure... I haven't seen the issue pop up, but cloudfront has not routed any of my recent login attempts to a different region. Are there any best practices for how to test cloudfront against different regions? I only came across the issue because cloudfront randomly routed me to us-west-1 instead of us-west-2.

  • You could set up a VDI in Amazon Workspaces in a region like us-east-2 and test with a web browser. The web browser accessing CloudFront should default to the local region.

0

Have you set the "region" in the SDK? If you don't do this, Lambda will send the call to the in-region endpoint anyway.

AWS
answered 2 years ago
  • Thanks, I think this is what I missed... I ended up doing the following:

    // Second argument is the service client config; the explicit region keeps the
    // Cognito Identity call pinned to us-west-2 regardless of where the
    // Lambda@Edge replica is running.
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'us-west-2:e0e662ee-4037-41fa-9e47-adafc9ae6ef7',
      Logins: {
        'cognito-idp.us-west-2.amazonaws.com/us-west-2_nB7Uc8Zjn': params.id_token
      }
    },
    {
      region: 'us-west-2'
    });

    I'm assuming this would work correctly.
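The fix above hard-codes the region. Because Lambda@Edge replicas can run in any edge region, a more robust approach is to derive the Cognito Identity region from the Identity Pool ID itself (its prefix is the region) and validate the Logins provider name before building the SDK options. The following is an added example, not code from the thread or from AWS; the pool ID, provider name and token below are constructed placeholders, and `buildCognitoIdentityConfig` is a hypothetical helper name.

```javascript
// Added example: derive the Cognito Identity region from the Identity Pool ID
// and build the (params, clientConfig) pair expected by
// new AWS.CognitoIdentityCredentials(params, clientConfig) in aws-sdk v2.

// Identity Pool IDs have the form "<region>:<uuid>".
function regionFromIdentityPoolId(identityPoolId) {
  const m = /^([a-z]{2}(?:-[a-z]+)+-\d):[0-9a-f-]{36}$/.exec(identityPoolId);
  if (!m) throw new Error('malformed Cognito Identity Pool ID');
  return m[1];
}

// Logins keys for a user pool have the form
// "cognito-idp.<region>.amazonaws.com/<region>_<suffix>"; the two regions must agree.
function regionFromUserPoolProvider(providerName) {
  const m = /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([a-z0-9-]+)_[A-Za-z0-9]+$/.exec(providerName);
  if (!m) throw new Error('malformed Cognito user pool provider name');
  if (m[1] !== m[2]) throw new Error('provider name region does not match user pool ID region');
  return m[1];
}

// executionRegion is where this Lambda@Edge replica is actually running
// (process.env.AWS_REGION inside the function). The returned clientConfig.region
// is taken from the pool ID, not from executionRegion, which is the whole point.
function buildCognitoIdentityConfig({ identityPoolId, userPoolProvider, idToken, executionRegion }) {
  const region = regionFromIdentityPoolId(identityPoolId);
  regionFromUserPoolProvider(userPoolProvider); // shape check only
  if (typeof idToken !== 'string' || idToken.length === 0) {
    throw new Error('missing id_token');
  }
  return {
    params: {
      IdentityPoolId: identityPoolId,
      Logins: { [userPoolProvider]: idToken },
    },
    clientConfig: { region },
    // True when the replica runs outside the pool's region; useful to log so
    // the cross-region case described in the question becomes visible.
    crossRegion: region !== executionRegion,
  };
}

// Constructed sample values (not real pools or tokens).
const sample = buildCognitoIdentityConfig({
  identityPoolId: 'us-west-2:00000000-0000-0000-0000-000000000000',
  userPoolProvider: 'cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE1',
  idToken: 'constructed.id.token',
  executionRegion: 'us-west-1',
});
console.log(sample.clientConfig.region, sample.crossRegion);

// Inside the viewer-request handler, with aws-sdk v2 loaded as AWS:
//   const { params, clientConfig } = buildCognitoIdentityConfig({ ... });
//   AWS.config.credentials = new AWS.CognitoIdentityCredentials(params, clientConfig);
//   await AWS.config.credentials.getPromise();
//   const identityId = AWS.config.credentials.identityId;
```

Logging `crossRegion` makes the edge-region mismatch that the asker only noticed by chance show up in CloudWatch, so the cross-region path can be exercised deliberately rather than waiting for CloudFront to route a request to another region.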
