
I am using AWS Cognito User Pools for account management with a Cognito Identity Pool that has this User Pool as the Identity Provider. I'm using this to control access to an API through API Gateway that sends requests to Lambda. My Lambda is implemented with Java 8 using Micronaut. All of this is working fine.

In the Lambda, I'm getting the name from the Principal in the HttpRequest:

  // Imports needed by this method.
  import java.security.Principal;
  import java.util.Optional;
  import io.micronaut.http.HttpRequest;

  protected String resolveUser( HttpRequest<?> request ){
    String ret = null;

    // Micronaut exposes the authenticated principal on the request, if there is one.
    Optional<Principal> principal = request.getUserPrincipal();
    if( principal.isPresent() ){
      ret = principal.get().getName();
    }

    // Fall back to a fixed marker rather than returning null or an empty name.
    if( ret == null || ret.length() == 0 ){
      ret = "unknown";
    }
    return ret;
  }

What is coming back in the string is the Cognito identityId. Something like this:

us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx

I would like to either log the actual user login or at least have some way to convert the identityId to the login when needed.

The LookupDeveloperIdentity API call appears to be the right way to go about this, but I'm unable to get it to work.

Attempting to do this with Java and the AWS Java SDK 2:

  // Imports needed by this method.
  import java.util.List;
  import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
  import software.amazon.awssdk.services.cognitoidentity.model.LookupDeveloperIdentityRequest;
  import software.amazon.awssdk.services.cognitoidentity.model.LookupDeveloperIdentityResponse;

  // identityPoolId is a field holding the Identity Pool id ("us-east-1:..." form).
  protected String loadUsername( String user ){
    String ret = "unknown:"+user;

    // Client uses the default credential and region chain; closed after the lookup.
    try( CognitoIdentityClient cognito = CognitoIdentityClient.create() ){
      LookupDeveloperIdentityRequest request = LookupDeveloperIdentityRequest.builder()
        .identityPoolId( identityPoolId )
        .identityId( user )
        .build();
      LookupDeveloperIdentityResponse response = cognito.lookupDeveloperIdentity( request );
      List<String> identifiers = response.developerUserIdentifierList();
      if( identifiers != null && identifiers.size() > 0 ){
        ret = identifiers.get( 0 );
      }
    }

    return ret;
  }

throws an exception:

software.amazon.awssdk.services.cognitoidentity.model.NotAuthorizedException: You do not have access to this identity (Service: CognitoIdentity, Status Code: 400, Request ID: 64e36646-612b-4985-91d1-82aca770XXXX)

Attempting to do this via the CLI produces a similar result:

aws cognito-identity lookup-developer-identity --identity-id us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx --identity-pool-id us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx --max-results=10

An error occurred (NotAuthorizedException) when calling the LookupDeveloperIdentity operation: You do not have access to this identity

I have made sure the IAM policy in place should be able to handle this, and when I try it with a role that does not have this policy, I get a different error:

    {
        "Effect": "Allow",
        "Action": [
            "cognito-identity:LookupDeveloperIdentity"
        ],
        "Resource": [
            "arn:aws:cognito-identity:us-east-1:##########:identitypool/us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx"
        ]
    }

So the questions boil down to:

  • Is this the best way to get the user pool username from the identity pool id?
    • If it is - what am I doing incorrectly?
    • If it is not - what is a better way of doing this?
Prisoner
  • Could you try https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html? That is the recommended approach for higher-volume operations. `Are you sure you are using the credentials from the account which owns the identity pool you are requesting lookupDeveloperIdentity for?` - https://forums.aws.amazon.com/thread.jspa?threadID=231354 For me it looks like a user permission issue, not an IAM role issue. – Jan Garaj Jan 06 '20 at 17:39
  • I tried that as well, and got the same error message. I'm sure I'm using credentials from the account that owns the identity pool - other operations on the pool work fine. It being a user permission seems... odd... but if so, I'd love to know how to get a user permission for a server. – Prisoner Jan 19 '20 at 20:13

1 Answer


Alternative Approach

In order to retrieve the user's User Pool user ID, you can read the following in your Lambda:

// Provider string attached to the request by API Gateway for an IAM-authorized call.
const authProvider = event.requestContext.identity.cognitoAuthenticationProvider;

This will return a string which includes the user's User Pool user ID, and it will look something like:

cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr

Where us-east-1_aaaaaaaaa is the User Pool id and qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr is the User Pool User Id. You can then split the string and extract the user ID.

Note that this information will differ depending on the authentication provider you are using.

Then, if you need the username instead of the user ID, you can extract it directly from the User Pool by getting the appropriate details for that specific user ID.

Reference

https://serverless-stack.com/chapters/mapping-cognito-identity-id-and-user-pool-id.html

Xanthos Symeou
    Accepted (belatedly, but glad you got the bonus rep), even though the documentation on that page says: _"While the process below isn't documented"_. Wish there was an actual documented way to do this. – Prisoner Jan 19 '20 at 20:14
  • Is there any documentation for how to achieve that with SDK? `Then if you need the username instead of user ID you can extract it directly from user Pool by getting the appropriate details for that specific user ID.` ? I'm struggling to find any, to be honest :( – Philipp Grigoryev Nov 22 '21 at 02:13
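The parsing step the answer describes, plus the sub-to-username lookup the last comment asks about, as an added example that is not part of the original post or answer. It assumes the Lambda knows which User Pool id it trusts (`expectedUserPoolId`), validates the provider string before use, and builds the cognito-idp ListUsers `Filter` expression (`sub = "..."`) without calling AWS; the sample provider string is constructed in the shape the answer shows.

```javascript
// Added example, not code from the original post or answer.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ISSUER_RE = /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([a-z0-9-]+_[A-Za-z0-9]+)$/;

// Parse event.requestContext.identity.cognitoAuthenticationProvider and check that
// the sign-in came from the User Pool this API trusts (expectedUserPoolId is an
// assumed configuration value, not something on the original page).
function parseCognitoAuthProvider(authProvider, expectedUserPoolId) {
  if (typeof authProvider !== 'string' || authProvider === '') {
    // Unauthenticated identities and non-Cognito providers do not carry this value.
    return { ok: false, reason: 'no cognitoAuthenticationProvider on request' };
  }
  // Comma-separated segments; the signed-in one is "<issuer>:CognitoSignIn:<sub>".
  const segments = authProvider.split(',').map((s) => s.split(':'));
  const signIn = segments.find((p) => p.length === 3 && p[1] === 'CognitoSignIn');
  if (!signIn) {
    return { ok: false, reason: 'no CognitoSignIn segment' };
  }
  const [issuer, , sub] = signIn;
  const m = ISSUER_RE.exec(issuer);
  if (!m) {
    return { ok: false, reason: 'issuer is not a Cognito User Pool' };
  }
  const [, region, userPoolId] = m;
  // Only accept sign-ins from the pool this Identity Pool is meant to federate.
  if (userPoolId !== expectedUserPoolId) {
    return { ok: false, reason: `unexpected User Pool ${userPoolId}` };
  }
  if (!UUID_RE.test(sub)) {
    return { ok: false, reason: 'sub is not a UUID' };
  }
  return { ok: true, region, userPoolId, sub };
}

// Filter expression for the cognito-idp ListUsers API that selects the user by sub.
// Only a validated UUID is interpolated, so request input cannot reshape the filter.
function listUsersFilterForSub(sub) {
  if (!UUID_RE.test(sub)) {
    throw new Error('refusing to build a filter for a non-UUID sub');
  }
  return `sub = "${sub}"`;
}

// Constructed sample in the shape shown in the answer (pool ids and sub are made up).
const SAMPLE_PROVIDER =
  'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,' +
  'cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:' +
  '1f2e3d4c-1111-2222-3333-0a1b2c3d4e5f';

console.log(parseCognitoAuthProvider(SAMPLE_PROVIDER, 'us-east-1_aaaaaaaaa'));
```

The returned `sub` is what you pass, via the filter above, to ListUsers on the User Pool to obtain the username; the Lambda's role needs `cognito-idp:ListUsers` on that pool for that step.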