2

I set up my iOS app with the AWS Mobile Hub. The services I'm using are AWS Cognito and AWS DynamoDB.

I created on AWS DynamoDB a private table that has by default the partition key userId. As far as I can tell, AWS DynamoDB only allows the userId to be the identityId from e.g. AWSIdentityManager.

I'm able to successfully establish a user session via AWSCognitoIdentityUserPool.default().currentUser()?.getSession().

I read/write to AWS DynamoDB with the identityId, which I get through AWSIdentityManager.default().identityId, as userId.

However, the identityId always stays the same on the device, even if I have established a user session.

How can I get an identityId from AWSIdentityManager that is specific for an AWS Cognito user?

Poweranimal

1 Answer

3

EDIT:

IdentityIds are unique per Cognito user, as we discovered together in the comment thread, but they are cached on the device and need to be cleared on logout. Clear them via the Swift SDK with:

AWSCognitoIdentityProvider.Clear()

Below is my original answer, recommending the use of the username or an alias, which is also unique per Cognito user, but it should only be used as a reference for the comment discussion. Use IdentityIds as DynamoDB primary keys instead.

END-EDIT:

I would recommend using the username as the partition key in your DynamoDB table.

You can get the username from the AWSCognitoIdentityUser object with:

if let username = AWSCognitoIdentityUserPool.default().currentUser()?.username {
   // do stuff with username
}

You could also configure the user pool to use a custom username alias to allow users to sign in via email and/or phone number. In this scenario, email and/or phone number would also be unique, and then, if you prefer, you may use either of those as the unique partition key in your DynamoDB table instead. Here's an overview of aliases in Cognito.

Jacob Lange
  • Thanks a lot for your response. I do have a private table that requires a `userId`. The `userId` must be the `identityId` from e.g. `AWSIdentityManager`, otherwise I'm not allowed to write or query the item. How can I then host a private table that takes e.g. the username as `userId`? – Poweranimal May 23 '18 at 21:39
  • Actually, after looking at the [AWSIdentityManager class reference](https://docs.aws.amazon.com/awsmobilehubhelper/apireference/latest/Classes/AWSIdentityManager.html#//api/name/identityId) I'm no longer so sure about the identityId. You're saying it's an id per device, not per user? – Jacob Lange May 23 '18 at 21:44
  • I don't fully understand the use case you're trying to go for, but I know for sure usernames are unique in Cognito, and in DynamoDB partition keys can be of any type. So therefore, if you're looking to use DynamoDB to store a little extra metadata about users or to uniquely identify data associated with a particular user, it would make sense to me to use the username, as it is guaranteed to be unique. – Jacob Lange May 23 '18 at 21:46
  • 1
    Yes. I started a session of the same user on two different devices. Both devices do have a different `identityId`. – Poweranimal May 23 '18 at 21:46
  • You're right, it's possible to use the username as partition key. This, however, only works for public tables. Since I'm storing sensitive user data, I need to use a private table. A private table has by default the attribute `userId`. AWS Cognito then only allows the `identityId` to be the `userId`. – Poweranimal May 23 '18 at 21:50
  • Hmm, I don't understand what you mean by private and public tables. Looks like this is something specific to the Mobile Hub? I don't have any experience with it, sorry. Looking at the documentation, it does look like it wants you to use the IdentityId from [the docs](https://docs.aws.amazon.com/aws-mobile/latest/developerguide/NoSQL-Database.html#nosqldb-permissions). Given all this info, I'm really not sure why the identityIds would be different per device. – Jacob Lange May 23 '18 at 22:04
  • Have you seen the answer on this post https://stackoverflow.com/questions/46044598/using-aws-cognito-can-i-resolve-the-authenticated-identityid-given-a-disabled-un ? It looks like the mobile SDK caches the IdentityId; could this be why you're seeing different ids for the same user on different devices? The more I read about this, the more I think my original answer is invalid: you do want to use the IdentityId, and the IdentityId *should* be unique for a given user regardless of the device. – Jacob Lange May 23 '18 at 22:37
  • 1
    Great! Thanks for the link. Indeed, the root of my problem was the identityId caching. – Poweranimal May 24 '18 at 09:52
  • Happy to hear the problem is resolved, I'll edit my original answer to reflect what the original issue was. – Jacob Lange May 24 '18 at 17:06
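The sign-out/clear step from the EDIT and the private-table write discussed in the comments, as an added example that is not code from the question, the answer or AWS. It assumes a Mobile Hub-configured app whose default service configuration is already set from awsconfiguration.json, uses an explicit AWSCognitoCredentialsProvider in place of AWSIdentityManager, and the region, identity pool id, table name and the PrivateNote model are placeholders/hypothetical.

```swift
import AWSCore
import AWSCognitoIdentityProvider
import AWSDynamoDB
// Placeholders, not values from the thread: replace with your own region, pool and table.
let region: AWSRegionType = .USEast1
let identityPoolId = "<IDENTITY_POOL_ID>"

// The credentials provider is what caches the resolved identityId in the keychain;
// AWSIdentityManager.default().identityId reads from that same cache.
let userPool = AWSCognitoIdentityUserPool.default()
let credentialsProvider = AWSCognitoCredentialsProvider(
    regionType: region, identityPoolId: identityPoolId, identityProviderManager: userPool)

/// Sign-out: end the user pool session AND drop the cached identity, so the next sign-in
/// resolves a fresh identityId instead of reusing the previous user's.
func signOutAndClearIdentity() {
    userPool.currentUser()?.signOut()
    credentialsProvider.clearKeychain()     // cached identityId and credentials on disk
    credentialsProvider.clearCredentials()  // in-memory copy
}

/// With a valid user pool session, resolve the identityId belonging to the signed-in user.
func resolveIdentityId(completion: @escaping (String?) -> Void) {
    credentialsProvider.getIdentityId().continueWith { task in
        if let error = task.error { print("getIdentityId failed: \(error)") }
        completion(task.result as String?)
        return nil
    }
}

/// Hypothetical model for a Mobile Hub private table: userId is the partition key that
/// the table's access policy compares against the caller's identityId.
@objcMembers class PrivateNote: AWSDynamoDBObjectModel, AWSDynamoDBModeling {
    var userId: String?
    var noteId: String?
    var body: String?
    class func dynamoDBTableName() -> String { return "<PRIVATE_TABLE_NAME>" }
    class func hashKeyAttribute() -> String { return "userId" }
    class func rangeKeyAttribute() -> String { return "noteId" }
}
func savePrivateNote(body: String) {
    resolveIdentityId { identityId in
        guard let userId = identityId else { return }   // no identity, no write
        let note = PrivateNote()
        note.userId = userId                 // any other value is rejected by the policy
        note.noteId = UUID().uuidString
        note.body = body
        AWSDynamoDBObjectMapper.default().save(note).continueWith { task in
            if let error = task.error { print("save failed: \(error)") }
            return nil
        }
    }
}
```

Call signOutAndClearIdentity() from your logout path; without the clearKeychain() step a second user signing in on the same device would keep the first user's identityId and be denied on their own rows.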