How to get Cognito Identity Id in Post Confirmation Lambda Trigger in Python using Amplify React?

Question

I'm working on a ReactJS project and using Amplify for Signup/Signin. On signup, I have a post confirmation lambda trigger in Python that stores the user information (username, cognito id, etc.) in an on-prem database. I would like to also store the identity id, but I can't seem to find it in the event or context variable. I can find the identity id by calling Auth.currentCredentials() in React after the user has signed in, but would like to get this information during the signup process.

Any help on this would be appreciated. Thank you.

Answer 1

I had this same issue, and found that it is indeed not available in the auth trigger because the user has to authenticate to retrieve it, as you said. There is also not a way (that I could find) to grab this information using the AWS admin SDK.

I resorted to running a small check after the user logs into the app and doing a call to save the identityId where I needed it. The purpose was to allow other users to access the user's media after logging in, by using the user's own identityId with amplify to pull a profile picture.

Hope this helps.

Answer 2

Yes, the client app can get the identityId, via Auth.currentCredentials().identityId, but that is not secure because anybody can override any code in the client app and therefore - if you rely on the client app to be your source of truth for identityId - anybody can set identityId to be that of another user, for example, and then log in as them.

One way to get the identityId in the post confirmation trigger lambda function is to call an API hosted on Amazon's API Gateway - the post confirmation lambda calls the API sending the newly confirmed user's credentials, the API has a lambda behind it, the code of that lambda has access to the identityId of whomever called the API in a variable that's tied to the incoming request 'req', namely, in:

req.apiGateway.event.requestContext.identity.cognitoIdentityId

So one secure way to get identityId in the post confirmation lambda function would be to call an API and ask the API to return the identityId in that variable -- all done on the server.

However, please note that there is currently an open issue about the post confirmation lambda not receiving permission from the API (403 errors) - this only happens when you set up all your stuff via Amplify, as opposed to a manual setup. If you use Amplify to set up all your lambda functions you would have to wait for this issue to be resolved: https://github.com/aws-amplify/amplify-cli/issues/6589 before you try the strategy described here to get identityId in the post confirmation trigger lambda function.