How to get Cognito identityId in AWS Lambda Functions

avatar
Borislav Hadzhiev

4 min

banner

# Getting the Identity Id of Cognito Users in Lambda

To get the identityId of a Cognito user in a Lambda function we have to call the getId() method on the CognitoIdentity class.

The code for this article is available on GitHub

Let's look at the complete code of a helper method, which retrieves and returns the identityId of a Cognito user.

src/cognito-id/index.ts
import AWS from 'aws-sdk';

export function getCognitoIdentityId(
  jwtToken: string,
): Promise<string> | never {
  const params = getCognitoIdentityIdParams(jwtToken);
  const cognitoIdentity = new AWS.CognitoIdentity();

  // ๐Ÿ‘‡ get and return the identityId
  return cognitoIdentity
    .getId(params)
    .promise()
    .then(data => {
      if (data.IdentityId) {
        return data.IdentityId;
      }
      throw new Error('Invalid authorization token.');
    });
}

// ๐Ÿ‘‡ construct the parameters for the getId method
function getCognitoIdentityIdParams(jwtToken: string) {
  const {
    USER_POOL_ID,
    ACCOUNT_ID,
    IDENTITY_POOL_ID,
    AWS_DEFAULT_REGION,
  } = process.env;
  const loginsKey = `cognito-idp.${AWS_DEFAULT_REGION}.amazonaws.com/${USER_POOL_ID}`;

  return {
    IdentityPoolId: IDENTITY_POOL_ID,
    AccountId: ACCOUNT_ID,
    Logins: {
      [loginsKey]: jwtToken,
    },
  };
}

Let's go over the code snippet.

We have created a getCognitoIdentityId function, which:

  • Retrieves and returns the identityId of a Cognito user
  • Takes a single parameter - the jwtToken of the user making the request, most commonly sent via the Authorization HTTP Header
  • Calls the getId method on the CognitoIdentity class via the aws-sdk

We have also created a getCognitoIdentityParams function, which is responsible for constructing the parameters the getId method takes.

In this implementation, the USER_POOL_ID, IDENTITY_POOL_ID and ACCOUNT_ID values have been passed to the lambda as environment variables. The AWS_DEFAULT_REGION value would also have to be replaced with the region your User Pool is deployed in.

A very important detail is that we access the user's JWT token from theAuthorization header. Based on the JWT token the Cognito service is able to return the user's identityId.

# Verifying our Solution works

To test the getCognitoIdentityId function, I've created a simple CDK stack that provisions:

The code for this article is available on GitHub

# Project Set up

  1. Clone the GitHub repository

  2. Install the dependencies

shell
npm install
  1. Create the CDK stack
shell
npx aws-cdk deploy \
  --outputs-file ./cdk-outputs.json
  1. Open the AWS Console and the stack named cdk-stack should be created in your default region

# Testing our Solution

Let's test the lambda function that gets the identityId of a Cognito user.

To test the flow, we have to:

  1. Create a Cognito user
  2. Confirm the user so they can sign in
  3. Log the user in to get a JWT token
  4. Use the token to invoke our API endpoint which will call the function and return the Cognito identity id
You can find the User Pool Id, User Pool Client Id and API URL identifiers in the cdk-outputs.json file in the root directory of your project. Alternatively, you can grab them using the AWS Console.
Make sure you don't confuse the User Pool id and the User Pool Client id because the commands below use both.
  1. Sign a user up, using the AWS CLI:
shell
aws cognito-idp sign-up \
  --client-id YOUR_USER_POOL_CLIENT_ID \
  --username "test@test.com" \
  --password "password123"
  1. Confirm the user, so they can sign in
shell
aws cognito-idp admin-confirm-sign-up \
  --user-pool-id YOUR_USER_POOL_ID \
  --username "test@test.com"

At this point if you look at the Cognito User Pool, you would see that the user is confirmed and ready to sign in:

user pool user

  1. Log the user in
shell
aws cognito-idp initiate-auth \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters \
  USERNAME="test@test.com",PASSWORD="password123" \
  --client-id YOUR_USER_POOL_CLIENT_ID

You will get a verbose response because of the length of the tokens. We only care about the IdToken, so copy and paste it into a notepad because we will need it.

Make sure that you copy the IdToken, not the Access or Refresh Tokens.
  1. Hit our API to get the lambda identityId. You can find the API URL in the cdk-outputs.json file in the root directory, or by opening the API gateway console.
shell
curl --location --request GET 'YOUR_API_URL/cognitoid' \
  --header 'Authorization: YOUR_ID_TOKEN'

The response should look as follows.

api-response
{"identityId": "eu-central-1:5b117ba7-3a85-4fa4-a6c9-a8415d7ccdc8"}

At this point, we know that we were able to get a Cognito user's identity id in our lambda function.

# Clean up

To delete the provisioned resources, run the destroy command:

shell
npx aws-cdk destroy

# Conclusion

We are able to access the Cognito user's identityId by calling the CognitoIdentity().getId method.

Based on the JWT token that was sent in the Authorization header, Cognito will determine the user's identityId.

# Additional Resources

You can learn more about the related topics by checking out the following tutorials:

I wrote a book in which I share everything I know about how to become a better, more efficient programmer.
book cover
You can use the search field on my Home Page to filter through all of my articles.
About
Contacts
Policy
Terms & Conditions
TwitterGitHubLinkedin

Copyright ยฉ 2023 Borislav Hadzhiev

0
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........
.........