I have an AWS API, with access controlled by an IAM authoriser associated with the unauthenticated role of a Cognito Identity pool. A successful call to the API invokes a Lambda function.
The current process is:
- User obtains temporary security credentials. This includes:
  - User `IdentityId`, e.g. `eu-west-2:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. This is the information I require in my Lambda function - see below.
  - Access credentials: `AccessKeyId`, `SecretKey` and `SessionToken`
- The user calls the API using a signed request. The header of the request includes `X-Amz-Security-Token`, obtained from step 1.
- If authorisation is successful, the request is sent on to the Lambda function. `event.headers` includes `X-Amz-Security-Token`.
Is it possible for the Lambda function to identify the identity pool ID of the caller (e.g. `eu-west-2:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`), either from the data available in the header of the request, or by any other means?
Things I have tried:
- `sts.getCallerIdentity` with "Invoke with caller credentials" ticked in API Gateway.
- Looking at `SessionToken`, though this appears only to be a temporary access token rather than containing any useful data like a JWT.
If absolutely necessary I can include the identity ID of the user with every request, but I'd prefer to avoid this if possible.
CodePudding user response:
The Cognito ID of the user is included in the `requestContext` property of the `event` object passed to your Lambda function.
E.g. the identity of the Cognito user that accesses the API is:
`event['requestContext']['identity']['cognitoIdentityId']`
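As an added example (not code from the question or the answer above), here is a Node.js Lambda handler that reads the caller's identity from `event.requestContext.identity` in the REST API (payload format 1.0) event shape, and fails closed when it is absent. The point for a practitioner: API Gateway fills in `requestContext.identity` itself from the SigV4-signed credentials, so it can be trusted, whereas any identity a client puts in a header or body (the "include the identity ID with every request" fallback from the question) is attacker-controlled. The sample event, the `X-Claimed-Identity` header, the role name and the account ID are all constructed for the example.

```javascript
// Added example, not code from the original question or answer: a Node.js
// Lambda handler behind an API Gateway REST API with AWS_IAM authorisation.
// The caller's Cognito identity is read from event.requestContext.identity,
// which API Gateway populates from the signed request's credentials.
// Headers and the body are client-controlled and are never used for identity.

// Identity IDs look like "<region>:<uuid>", e.g. eu-west-2:XXXXXXXX-XXXX-...
const IDENTITY_ID_RE =
  /^[a-z]{2}(-[a-z]+)+-\d:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Return the caller identity, or null if the request did not arrive through
// IAM authorisation with Cognito credentials (for example a method whose
// authorisation was left at NONE, where the Cognito fields are simply missing).
function callerIdentity(event) {
  const identity =
    (event && event.requestContext && event.requestContext.identity) || {};
  const identityId = identity.cognitoIdentityId;
  if (typeof identityId !== 'string' || !IDENTITY_ID_RE.test(identityId)) {
    return null;
  }
  return {
    identityId,
    // Also populated by API Gateway for Cognito Identity callers.
    identityPoolId: identity.cognitoIdentityPoolId || null,
    // "unauthenticated" for the pool's unauthenticated role, "authenticated" otherwise.
    authenticationType: identity.cognitoAuthenticationType || null,
    userArn: identity.userArn || null,
  };
}

// Synchronous core so the logic can be exercised without a Lambda runtime.
function buildResponse(event) {
  const caller = callerIdentity(event);
  if (caller === null) {
    // Fail closed: with no trustworthy identity there is no per-user data to serve.
    return {
      statusCode: 403,
      body: JSON.stringify({ error: 'no Cognito identity on request' }),
    };
  }
  return { statusCode: 200, body: JSON.stringify({ caller }) };
}

// Lambda entry point.
const handler = async (event) => buildResponse(event);

// Constructed sample event, trimmed to the fields used above, in the REST API
// (payload format 1.0) shape. The X-Claimed-Identity header is deliberately
// ignored: anything the client sends itself proves nothing.
const sampleEvent = {
  headers: {
    'X-Amz-Security-Token': 'constructed-opaque-session-token', // not a JWT
    'X-Claimed-Identity': 'eu-west-2:00000000-0000-0000-0000-000000000000',
  },
  requestContext: {
    identity: {
      cognitoIdentityPoolId: 'eu-west-2:11111111-2222-3333-4444-555555555555',
      cognitoIdentityId: 'eu-west-2:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
      cognitoAuthenticationType: 'unauthenticated',
      cognitoAuthenticationProvider: null,
      // Constructed: assumed-role ARN of the identity pool's unauthenticated role.
      userArn:
        'arn:aws:sts::123456789012:assumed-role/Cognito_ExamplePoolUnauth_Role/CognitoIdentityCredentials',
      sourceIp: '203.0.113.10',
    },
  },
};

if (typeof module !== 'undefined') {
  module.exports = { handler, buildResponse, callerIdentity, sampleEvent };
}
```

Run it locally with `node -e "const m=require('./handler'); console.log(m.buildResponse(m.sampleEvent))"` to see the 200 response carrying the identity ID, pool ID and authentication type; the same request with `requestContext.identity` stripped gets a 403. For an HTTP API (payload format 2.0) with IAM authorisation the same data lives under `event.requestContext.authorizer.iam.cognitoIdentity` (`identityId`, `identityPoolId`) instead, so adjust the accessor if that is the API type in use.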