AWS API Gateway: How to pass IAM identity to Lambda function?

I've successfully configured IAM-authenticated access to my Lambda function with an AWS API Gateway front end, but I am unable to find how to pass the IAM user identity to my Lambda function.

I need exactly the IAM user identity and cannot run the Lambda function under the calling IAM user's credentials. All I need is to get the calling IAM user's identity in my Lambda function.

Is there an option for that?

AlexeyVMP asked Jul 27 '15 16:07



1 Answer

Support for accessing identity and other information from the Amazon API Gateway request context hadn't been available when you posted the question, but it has recently been added; see Announcement: Context Variables:

You can now access context variables from within mapping templates to retrieve contextual information about the API call. You can access data such as stage, resource path, and HTTP method, as well as information about the identity of the caller. This information can then be passed along to your backend integration using the $context variable. [emphasis mine]

The referenced documentation on Accessing the $context Variable features a $context Variable Reference and there are various $context.identity.* parameters that should address your use case.

Cognito Identity

As outlined in Soenke's answer to the OP's similar question in the Amazon API Gateway forum, there is an as yet undocumented integration parameter that results in the Cognito identifier being included in these $context.identity.* context variables:

In order to have the Cognito (not IAM!) IdentityId and IdentityPoolId available in Lambda, you have to enable "Invoke with caller credentials" on the API Gateway "Integration Request" page of the API GW Resource. This results in a new context struct "identity" (containing "cognitoIdentityId" and "cognitoIdentityPoolId") being passed to the Lambda function.

Steffen Opel answered Sep 20 '22 14:09
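As an added example (not code from the question, the answer, or AWS documentation), here is how the $context.identity.* variables from the answer above, including the Cognito fields mentioned in the forum quote, end up in a Lambda function: a body mapping template for the Lambda integration request copies them into the event, and the handler authorizes on that forwarded identity rather than on anything in the client-controlled body. The $context.identity.* field names are the real API Gateway context variables; the event layout, the TRUSTED_ACCOUNT_ID setting and the sample event values are constructed for this example.

```python
"""Added example: forward the API Gateway caller identity to Lambda and
authorize on it. The $context.identity.* names are real API Gateway
context variables; the event layout, TRUSTED_ACCOUNT_ID and the sample
values are constructed for this example."""
import json

# Body mapping template for the Lambda integration request
# (Content-Type: application/json). It wraps the original request body
# ($input.json('$')) together with the caller identity from the request
# context, so the function receives both in one event.
MAPPING_TEMPLATE = r'''
{
  "body": $input.json('$'),
  "requestId": "$context.requestId",
  "identity": {
    "accountId": "$context.identity.accountId",
    "caller": "$context.identity.caller",
    "user": "$context.identity.user",
    "userArn": "$context.identity.userArn",
    "sourceIp": "$context.identity.sourceIp",
    "cognitoIdentityId": "$context.identity.cognitoIdentityId",
    "cognitoIdentityPoolId": "$context.identity.cognitoIdentityPoolId"
  }
}
'''

# Hypothetical deployment setting: the only AWS account whose IAM
# principals this backend should serve. Constructed value.
TRUSTED_ACCOUNT_ID = "111122223333"


def caller_identity(event):
    """Return the identity forwarded by the mapping template, or None when
    the integration did not forward a usable IAM identity."""
    identity = event.get("identity")
    if not isinstance(identity, dict):
        return None
    # Context variables that are not set (e.g. the Cognito fields on a
    # plain IAM call) arrive empty; drop them so callers need not special-case "".
    cleaned = {k: v for k, v in identity.items() if v}
    if "userArn" not in cleaned or "accountId" not in cleaned:
        return None
    return cleaned


def lambda_handler(event, context=None):
    """Lambda entry point. The authorization decision is based only on the
    identity API Gateway injected, never on fields from the request body."""
    identity = caller_identity(event)
    if identity is None:
        # Template missing or call not IAM-authenticated: fail closed and
        # make the misconfiguration visible as a server-side error.
        return {"statusCode": 500,
                "body": json.dumps({"error": "caller identity not present in event"})}
    if identity["accountId"] != TRUSTED_ACCOUNT_ID:
        return {"statusCode": 403,
                "body": json.dumps({"error": "caller account not permitted"})}
    return {
        "statusCode": 200,
        "body": json.dumps({
            "message": "hello",
            "callerArn": identity["userArn"],
            "sourceIp": identity.get("sourceIp"),
            "requestId": event.get("requestId"),
        }),
    }


# Constructed sample event, shaped as API Gateway would render
# MAPPING_TEMPLATE for a SigV4-signed call by an IAM user in the trusted
# account (no Cognito identity, so those fields are empty).
SAMPLE_EVENT = {
    "body": {"action": "list"},
    "requestId": "0f3c2d5e-example-request-id",
    "identity": {
        "accountId": "111122223333",
        "caller": "AIDAEXAMPLEUSERID",
        "user": "AIDAEXAMPLEUSERID",
        "userArn": "arn:aws:iam::111122223333:user/alice",
        "sourceIp": "198.51.100.7",
        "cognitoIdentityId": "",
        "cognitoIdentityPoolId": "",
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The template goes into the integration request's mapping templates for application/json; when "Invoke with caller credentials" is enabled as the forum quote describes, the two Cognito fields are populated as well and survive the same cleaning step.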