Running Turtle

Reputation: 12752

Cognito Identity ID persistence

I have a Cognito Identity Pool with a Cognito User Pool as an authentication provider.

The Identity Pool accepts both authenticated and unauthenticated identities.

Assuming a web app using this setup:

I want to create a DB entry using this AUTH_ID as a key, but need to be certain that for a given user, this 'AUTH_ID' will never ever change.

For instance, if the same user uses another device, I assume first 'UNAUTH_ID_2' will be issued, then once the user successfully logs in, the same 'AUTH_ID' is retrieved and used on the second device. I also assume there's no time-based deprecation of the 'AUTH_ID' or any other mechanism that would regenerate a new identity ID for a given authenticated user.

My guess is that the answer is yes, but I could not find any official documentation that clearly confirms this particular point.

I would appreciate it if someone could confirm this and/or send me to the relevant official documentation.

Upvotes: 2

Views: 338

Answers (1)

Ninad Gaikwad

Reputation: 4480

Yes, you guessed correctly. For an authenticated identity, your user will have a unique sub ID which will not change. You can use this sub ID as a variable in the IAM policy to give fine-grained access to your users. This means you can create an S3 bucket (or even a DynamoDB table) and use the unique sub ID as the folder name which contains all of the user's files. Now only the user will have access to this folder on S3.

Note that the sub ID is in the identity pool. There is another sub ID in the user pool which is different and cannot be used in policy statements.

You can see here to confirm sub (UUID) is globally unique.

Upvotes: 3
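The per-user S3 folder described in the answer above, as an added example that is not part of the original answer: an IAM policy for the identity pool's authenticated role that uses the `${cognito-identity.amazonaws.com:sub}` policy variable, plus a simplified local model of the resource match so the isolation can be checked offline. The bucket name and the two identity IDs are constructed, and the matcher is an assumption-level approximation, not AWS's policy evaluator.

```python
import fnmatch
import json

BUCKET = "example-app-user-files"  # hypothetical bucket name (assumption)
# IAM policy variable that resolves to the caller's identity pool identity ID.
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"

# Policy to attach to the identity pool's authenticated role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Listing is limited to keys under the caller's own prefix.
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{SUB_VAR}/*"]}},
        },
        {   # Object reads and writes are limited to the same prefix.
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/{SUB_VAR}/*"],
        },
    ],
}

def object_access_allowed(identity_id, action, key):
    """Simplified local model of IAM matching for unconditioned Allow
    statements: substitute the variable, then wildcard-match the object ARN."""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in POLICY["Statement"]:
        if "Condition" in stmt or action not in stmt["Action"]:
            continue
        for resource in stmt["Resource"]:
            if fnmatch.fnmatchcase(arn, resource.replace(SUB_VAR, identity_id)):
                return True
    return False  # implicit deny

# Constructed identity IDs in the REGION:UUID form that identity pools issue.
ALICE = "us-east-1:11111111-2222-3333-4444-555555555555"
BOB = "us-east-1:66666666-7777-8888-9999-000000000000"

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(object_access_allowed(ALICE, "s3:GetObject", f"{ALICE}/notes.txt"))
    print(object_access_allowed(ALICE, "s3:GetObject", f"{BOB}/notes.txt"))
```

The trailing `/` after the variable in the resource ARN matters: without it, an identity ID that is a prefix of another key name would match keys outside the user's folder.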
