
AWS Cognito: Difference between Cognito ID and sub, what should I use as primary key?

I'm building a serverless backend using AWS Cognito for user administration.

Cognito uses both cognitoId and sub to identify a user.

This project from the official awslabs uses the cognitoId as primary key in the database tables to link data to a user object, but the documentation about sub clearly states:

sub: the UUID of the authenticated user. This is not the same as username.

Question: What should I use as primary key, cognitoID or sub?

Vingtoft asked Mar 07 '17 10:03


1 Answer

The naming can get confusing, so I'll try to clarify.

There are typically two pools under the umbrella of Amazon Cognito:

  • User Pool
  • Identity Pool (Federated Identities)

The "sub" that you are referring to is typically expressed in IAM Policies as

${cognito-identity.amazonaws.com:sub}

and will resolve to the value found in (in the JavaScript SDK)

AWS.config.credentials.identityId

which will look something like

us-east-1:########-####-####-####-############

It will only exist on the credentials once the credentials have been refreshed.

So to answer your question, the sub.

bleuf1shi answered Sep 16 '22 14:09
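An added example, not part of the answer above or of any AWS project: it shows how the policy variable and the identity ID described in the answer can work together when the identity ID is stored as the DynamoDB partition key, so IAM restricts each caller to their own rows. The function names and the table ARN are assumptions made for illustration.

```javascript
// Added illustration. rowLevelPolicy, partitionKeyFor and any table ARN passed in
// are hypothetical names; only the policy variable and identityId come from the answer.

// Identity pool IDs look like "<region>:<uuid>", e.g. us-east-1:########-####-...
const IDENTITY_ID =
  /^[a-z]{2}(-[a-z]+)+-\d+:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;

// IAM policy for the authenticated role: every item touched must have a
// partition key equal to the caller's own identity ID.
function rowLevelPolicy(tableArn) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query",
               "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
      Resource: tableArn,
      Condition: {
        "ForAllValues:StringEquals": {
          // Plain string, not a JS template literal: IAM resolves the variable.
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
        },
      },
    }],
  };
}

// Returns the value to store as the partition key. Fails closed when the
// credentials have not been refreshed yet (identityId still unset) or when
// the value is not in identity pool format, such as a bare UUID.
function partitionKeyFor(credentials) {
  const id = credentials && credentials.identityId;
  if (!id) {
    throw new Error("identityId not set: refresh the credentials first");
  }
  if (!IDENTITY_ID.test(id)) {
    throw new Error("not an identity pool ID: " + id);
  }
  return id;
}
```

Pass `AWS.config.credentials` to `partitionKeyFor` only after the credentials have been refreshed, and attach the policy to the identity pool's authenticated role.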