Getting cognito user pool username from cognito identity pool identityId

Question

I am using AWS Congito User Pools for account management with a Cognito Identity Pool that has this User Pool as the Identity Provider. I'm using this to control access to an API through API Gateway that sends requests to Lambda. My Lambda is implemented with Java 8 using Micronaut. All of this is working fine.

In the Lambda, I'm getting the name from the Principal in the HttpRequest:

  protected String resolveUser( HttpRequest request ){
    String ret = null;

    Optional<Principal> principal = request.getUserPrincipal();
    if( principal.isPresent() ){
      ret = principal.get().getName();
    }

    if( ret == null || ret.length() == 0 ){
      ret = "unknown";
    }
    return ret;
  }

What is coming back in the string name of the Cognito identityId. Something like this:

us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx

I would like to either log the actual user login or at least have some way to convert the identityId to the login when needed.

The LookupDeveloperIdentity API call appears to be the right way to go about this, but I'm unable to get it to work.

Attempting to do this with Java and the AWS Java SDK 2:

  protected String loadUsername( String user ){
    String ret = "unknown:"+user;
    CognitoIdentityClient cognito = CognitoIdentityClient.create();

    LookupDeveloperIdentityRequest request = LookupDeveloperIdentityRequest.builder()
      .identityPoolId( identityPoolId )
      .identityId( user )
      .build();
    LookupDeveloperIdentityResponse response = cognito.lookupDeveloperIdentity( request );
    List<String> identifiers = response.developerUserIdentifierList();
    if( identifiers != null && identifiers.size() > 0 ){
      ret = identifiers.get( 0 );
    }

    return ret;    
  }

throws an exception

software.amazon.awssdk.services.cognitoidentity.model.NotAuthorizedException: You do not have access to this identity (Service: CognitoIdentity, Status Code: 400, Request ID: 64e36646-612b-4985-91d1-82aca770XXXX)

Attempting to do this via the CLI produces a similar result:

aws cognito-identity lookup-developer-identity --identity-id us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx --identity-pool-id us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx --max-results=10

An error occurred (NotAuthorizedException) when calling the LookupDeveloperIdentity operation: You do not have access to this identity

I have made sure the IAM policy in place should be able to handle this, and when I try it with a role that does not have this policy, I get a different error

    {
        "Effect": "Allow",
        "Action": [
            "cognito-identity:LookupDeveloperIdentity"
        ],
        "Resource": [
            "arn:aws:cognito-identity:us-east-1:##########:identitypool/us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx"
        ]
    }

So the questions boil down to:

• Is this the best way to get the user pool username from the identity pool id?
  • If it is - what am I doing incorrectly?
  • If it is not - what is a better way of doing this?

Answer 1

Alternative Approach

In order to retrieve the user’s User Pool user id you can retrieve in your lambda:

authProvider = event.requestContext.identity.cognitoAuthenticationProvider;

This will return a string which will include the user's User Pool user ID and it will look something like:

cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr

Where us-east-1_aaaaaaaaa is the User Pool id and qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr is the User Pool User Id. You can then split the string and extract the user ID.

Note that these info will be different depending on the authentication provider you are using.

Then if you need the username instead of user ID you can extract it directly from user Pool by getting the appropriate details for that specific user ID.

Reference

https://serverless-stack.com/chapters/mapping-cognito-identity-id-and-user-pool-id.html