First off, I've read through similar questions:
- Using AWS Cognito can I resolve the authenticated IdentityId given a disabled unauthenticated IdentityId?
- AWS Lambda API gateway with Cognito - how to use IdentityId to access and update UserPool attributes?
We use Cognito Users and provide them access to folders in a bucket by the Bucket Policy, e.g. BUCKET_NAME/user_data/eu-west-2:00000000-0000-0000-0000-000000000000.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET_NAME",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "user_data/${cognito-identity.amazonaws.com:sub}/"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/user_data/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
```
This works perfectly for clients using the JavaScript API. They authenticate, and I can access S3 using the AWS.config.credentials.identityId [1].
However, if I want to access the bucket for the user from my .NET Web API backend I can find no way to get the IdentityId. So I don't know which folder is the user's, which defeats the whole purpose of being able to create user folders. For example, when the user signs up, I might want to create the folder with some existing items...
One workaround is for the client to post the IdentityId so it can be stored against the User sub, but that makes the assumption that: 1. it happens; 2. the ID is valid.
TL;DR: How can I get the Cognito IdentityId using the AWSSDK.CognitoIdentity from the Cognito Username (sub)?
[1] An important aside: as I discovered after far too much time, ${cognito-identity.amazonaws.com:sub} is not the user sub. The documentation is incredibly unclear, so much so that I had no idea what ${cognito-identity.amazonaws.com:sub} would even look like.
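One way a .NET backend can obtain the IdentityId, as an added example rather than code from the question or any answer: Cognito Identity does not map a user-pool sub to an IdentityId directly, but GetId returns (or creates) the identity linked to a user-pool login when given that user's ID token, so the backend needs the token the client received at sign-in. The region, user pool ID and identity pool ID below are placeholders, and the helper names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.CognitoIdentity.Model;
using Amazon.Runtime;

public static class CognitoIdentityResolver
{
    // Placeholder values (assumptions, not taken from the question).
    private const string Region = "eu-west-2";
    private const string UserPoolId = "eu-west-2_XXXXXXXXX";
    private const string IdentityPoolId = "eu-west-2:00000000-0000-0000-0000-000000000000";

    // Logins key for a user-pool login: cognito-idp.<region>.amazonaws.com/<user pool id>.
    private static string LoginProviderName =>
        $"cognito-idp.{Region}.amazonaws.com/{UserPoolId}";

    // Resolve the identity-pool IdentityId for a user-pool user from that user's ID token.
    // GetId validates the token against the identity pool, so the IdentityId it returns is
    // tied to the token's user rather than being a value the client chose. Calling it again
    // with the same login returns the same IdentityId the JavaScript client sees.
    public static async Task<string> GetIdentityIdAsync(string idToken)
    {
        // GetId is an unsigned operation; anonymous credentials are enough for the call.
        using var client = new AmazonCognitoIdentityClient(
            new AnonymousAWSCredentials(), RegionEndpoint.GetBySystemName(Region));

        var request = new GetIdRequest
        {
            IdentityPoolId = IdentityPoolId,
            Logins = new Dictionary<string, string> { [LoginProviderName] = idToken }
        };

        GetIdResponse response = await client.GetIdAsync(request);
        return response.IdentityId; // "eu-west-2:<guid>", the value the bucket policy compares
    }

    // The S3 key prefix the bucket policy above grants to this identity.
    public static string UserPrefix(string identityId) => $"user_data/{identityId}/";

    // Guard against a client-supplied IdentityId: accept it only if it matches the one
    // resolved from the user's own token, so a posted ID cannot point at another user's folder.
    public static async Task<bool> ClientIdMatchesAsync(string idToken, string claimedIdentityId)
    {
        string resolved = await GetIdentityIdAsync(idToken);
        return string.Equals(resolved, claimedIdentityId, StringComparison.Ordinal);
    }
}
```

Because the backend creates the identity from the user's own token, the folder it provisions at sign-up is the same one the client is later granted by `${cognito-identity.amazonaws.com:sub}`.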