Reputation: 850
Story:
I have a Cognito User Pool with Users.
This User Pool is an authentication provider in a Federated Identity Pool.
I have an S3 bucket where users are limited to uploading to a private path via a policy on the Auth Role as follows:
arn:aws:s3:::BUCKET_NAME/${cognito-identity.amazonaws.com:sub}/*
The users upload directly from the web browser via the AWS JavaScript SDK.
Now this works great and my users are limited to where they upload. The files they upload end up with paths in the bucket looking like this:
us-east-1:0f26319c-1233-4c71-afb6-fac96a798ffb/random_file_name.txt
I then have a Lambda which is triggered from this S3 bucket whenever a file is added. To clarify, the user does NOT invoke the Lambda.
Problem:
I would like to access the user's attributes in the user pool from the Lambda. I thought that I could do this lookup using the cognito-identity sub. However, I can't seem to find a way using the SDK APIs to allow this.
Using this API: http://boto3.readthedocs.io/en/latest/reference/services/cognito-identity.html#CognitoIdentity.Client.describe_identity I am able to get the login / the user pool, but not the username associated with this Identity ID.
If I had the username, then I could use this API: http://boto3.readthedocs.io/en/latest/reference/services/cognito-idp.html?highlight=cognito#CognitoIdentityProvider.Client.admin_get_user
Any ideas how I can use the Federated Identity ID to lookup the user's attributes?
Upvotes: 12
Views: 1646
Reputation: 132972
Unfortunately, I don't believe this is possible. The reason is, as far as I understand, technically the federated identity ID doesn't have to represent a user pool user. If you connected other authentication providers to the identity pool, users could have completely different properties, for example.
Upvotes: 0
Reputation: 14936
What about storing files in
arn:aws:s3:::BUCKET_NAME/${cognito-idp.us-east-1.amazonaws.com:sub}
This will be resolved to the folder names like
f4cfd4a8-0e94-4287-8c5e-1b01538dd2a1
Using this sub of the user from the Cognito User Pool, you can list users with that sub, for example in the CLI:
aws cognito-idp list-users --user-pool-id=us-east-1_ndhjGJQYE --filter "sub = 'f4cfd4a8-0e94-4287-8c5e-example'"
Upvotes: -1
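As an added example (not code from the question or either answer), here is what the S3-triggered Lambda side of this answer's approach looks like in Python: it takes the object key written under the per-user prefix, extracts the user pool sub from the first path segment, refuses anything that is not a UUID before it gets anywhere near a ListUsers filter, and resolves the sub to a single user pool user. The user pool id in the USER_POOL_ID environment variable, the `FakeCognito` stand-in client, and the sample user and event are all assumptions constructed for this example so it runs offline; in the real handler the boto3 cognito-idp client is used instead, and `list_users(UserPoolId=..., Filter=..., Limit=...)` is that client's real signature.

```python
"""Added example: resolve the owner of an uploaded object from the user pool
`sub` that prefixes its S3 key (the prefix scheme proposed in the answer above).
Assumptions not taken from the page: USER_POOL_ID env var, the FakeCognito
client, and the constructed sample user/event below."""
import os
import re
from typing import Optional
from urllib.parse import unquote_plus

# A Cognito user pool `sub` is a UUID. If the first path segment is anything
# else, the key did not come from the expected per-user prefix (for example the
# identity-pool id form "us-east-1:..." from the question would be rejected).
SUB_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def sub_from_key(key: str) -> Optional[str]:
    """Return the user pool sub prefixing an S3 key, or None if the key does
    not have the shape '<sub>/<object name>'."""
    prefix, sep, rest = key.partition("/")
    if not sep or not rest or not SUB_RE.fullmatch(prefix):
        return None
    return prefix


def list_users_filter(sub: str) -> str:
    """Build the ListUsers filter string (double-quoted value, per the API's
    filter syntax). The sub is re-validated so no quote characters can ever
    reach the filter expression."""
    if not SUB_RE.fullmatch(sub):
        raise ValueError("refusing to build a filter from a non-UUID sub")
    return f'sub = "{sub}"'


def lookup_user(client, user_pool_id: str, sub: str) -> dict:
    """Find exactly one user pool user whose sub matches; Limit=2 lets us
    detect the (unexpected) case of more than one hit."""
    resp = client.list_users(UserPoolId=user_pool_id, Filter=list_users_filter(sub), Limit=2)
    users = resp.get("Users", [])
    if len(users) != 1:
        raise LookupError(f"expected one user for sub {sub}, got {len(users)}")
    user = users[0]
    attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
    return {"username": user["Username"], "attributes": attrs}


def handle_record(record: dict, client, user_pool_id: str) -> dict:
    """Process one S3 event record: map the uploaded key back to its owner."""
    key = unquote_plus(record["s3"]["object"]["key"])  # S3 events URL-encode keys
    sub = sub_from_key(key)
    if sub is None:
        raise ValueError(f"object key is not under a per-user sub prefix: {key!r}")
    return {"key": key, "sub": sub, **lookup_user(client, user_pool_id, sub)}


def lambda_handler(event, context):
    """Lambda entry point: same logic with the real boto3 cognito-idp client."""
    import boto3  # imported here so the helpers above stay importable offline
    client = boto3.client("cognito-idp")
    user_pool_id = os.environ["USER_POOL_ID"]  # assumed deployment setting
    return [handle_record(r, client, user_pool_id) for r in event["Records"]]


class FakeCognito:
    """Constructed stand-in for the cognito-idp client (offline runs only)."""

    def __init__(self, users):
        self._users = users

    def list_users(self, UserPoolId, Filter, Limit=60):
        wanted = Filter.split('"')[1]  # mirrors the filter shape: sub = "<value>"
        hits = [u for u in self._users if u["sub"] == wanted][:Limit]
        return {"Users": [
            {"Username": u["username"],
             "Attributes": [{"Name": "sub", "Value": u["sub"]},
                            {"Name": "email", "Value": u["email"]}]}
            for u in hits]}


# Constructed sample data; the sub matches the folder name in the answer above.
SAMPLE_SUB = "f4cfd4a8-0e94-4287-8c5e-1b01538dd2a1"
SAMPLE_CLIENT = FakeCognito([
    {"username": "alice", "sub": SAMPLE_SUB, "email": "alice@example.com"},
])
SAMPLE_EVENT = {"Records": [{"s3": {"object": {"key": f"{SAMPLE_SUB}/random_file_name.txt"}}}]}

if __name__ == "__main__":
    for r in SAMPLE_EVENT["Records"]:
        print(handle_record(r, SAMPLE_CLIENT, "us-east-1_EXAMPLE"))
```

The prefix check matters even though IAM enforces the prefix on upload: the Lambda should treat the key as untrusted input, and a key written by some other principal (or an old object under the `us-east-1:...` identity-id prefix from the question) simply fails closed instead of being fed into a filter expression.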