How can I get the cognito IdentityId of the user

Question

I have an AWS Lambda function which is attached as a trigger to a user pool on the "Post confirmation" event.

I need to get the IdentityId of the user that has been created, how can I do that?

Here is my code:

'use strict';
var AWS = require('aws-sdk');
var region = 'eu-west-1'
var sqs = new AWS.SQS({region : region});
var s3 = new AWS.S3({region : region});
var util = require('util');
let awsAccountId = 'xx';
let queueName = 'xx';

// this function saves public user data to a bucket where clients can access it.

let putObjectToS3 = (bucket, key, data, contentType, callback) => {
        let params = {
            Bucket : bucket,
            Key : key,
            Body : data,
            CacheControl: "max-age=864000",
            ContentType: contentType
        }
        s3.putObject(params, callback);
}

let sendSQSMessage = (dataStr, callback) => {
  let queueURL = 'https://sqs.' + region + '.amazonaws.com/' + awsAccountId + '/' + queueName;
  let params = {
    MessageBody: dataStr,
    QueueUrl: queueURL
  };
  sqs.sendMessage(params, callback);
}

exports.handler = (event, context, callback) => {
    console.log('event', event)

    let S3key = 'publicuserdata/' + event.request.userAttributes.sub + '.json';
    let publicUserData = {};
    publicUserData['IdentityId'] = context.identity.cognitoIdentityId; //doesn't seem to work
    publicUserData['region'] = event.region;
    publicUserData['userName'] = event.userName;
    publicUserData['userPoolId'] = event.userPoolId;

    let finishLambdaCallback = (err, result) => {
        if (err) {
            console.log('error', err)
        } else {
            console.log('success', result)
            context.done(null, event)
        }
    };

    let funcOne = (callback) => {
        let data = util.inspect(context)
        //let data = JSON.stringify(context, null, 2)

        putObjectToS3(  'files.example.org', 
                        S3key, 
                        data, 
                        'application/json',
                        callback);
    }

    let funcTwo = (callback) => {
        let data = util.inspect(context)
        //let data = JSON.stringify(context, null, 2)
        sendSQSMessage(data, callback);
    }

    funcOne(() => {funcTwo(finishLambdaCallback)})

};

Answer 1

It sounds like there may be confusion on how identity pools and user pools interact.

The context.identity.cognitoIdentityId is populated with the identity id only when Lambda is invoked with credentials vended by Cognito federated identities. When it's just a lambda invocation from Cognito user pools, that won't be the case.

Cognito user pools and Cognito federated identities are two separate services, think of user pools as another identity provider for federated identities. What that means is that the identity id won't be created automatically when a user in your user pool is, you have to actually use the tokens vended for that user to create an identity in your identity pool. So, if you want to create an identity in an identity pool for that user, call GetId with the id token. See this docs page for specifics.