
Using the AWS CLI, how to get user details (username, e-mail) from Cognito Identities?

This question relates to https://stackoverflow.com/a/55436168/1692112, which no longer seems to be working in 2021. The problem is, the sub attribute in the User Pool no longer matches the IdentityId in the Identity Pool.

List of users in the User Pool:

$ aws cognito-idp list-users --user-pool-id XX-XXXXX-X_XXXXXXXXX

{
    "Users": [
        {
            "Username": "my.username.yay",
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
                },
                {
                    "Name": "email_verified",
                    "Value": "true"
                },
                {
                    "Name": "email",
                    "Value": "my.username.yay@my.company.yay"
                }
            ],
            "UserCreateDate": 1612361296.687,
            "UserLastModifiedDate": 1612361331.99,
            "Enabled": true,
            "UserStatus": "CONFIRMED"
        }
    ]
}

List of identities in the Identity Pool:

$ aws cognito-identity list-identities --identity-pool-id XX-XXXXXXXX-X:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --max-results 50

{
    "IdentityPoolId": "XX-XXXXX-X:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "Identities": [
        {
            "IdentityId": "XX-XXXXXXX-X:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
            "Logins": [
                "cognito-idp.XX-XXXXXXX-X.amazonaws.com/XX-XXXXXXX-X_XXXXXXXXX"
            ],
            "CreationDate": 1612795279.758,
            "LastModifiedDate": 1612795279.771
        }
    ]
}

I had been sort of hoping that the list of Logins would somehow mention the username or sub, but it just references the whole User Pool.

Theoretically, it might be possible to use AWS Lambda and AWS Cognito Triggers to connect the two pools and store the IDs somewhere. However, I would assume that AWS Cognito already knows the connection between the two pools and that there's a simple command for the job.

Edit: It appears that even by the time the last Cognito trigger Pre Token Generation is invoked, the identity does not exist yet. Moreover, the event structure does not reference the identity anywhere. Thus, AWS Lambda and Cognito Triggers would not provide a workaround to the AWS CLI, either.

Any suggestions?

Sussch
  • `aws cognito-idp get-user`/`aws cognito-idp admin-get-user` should do the trick. – Dunedan Feb 15 '21 at 17:51
  • @Dunedan `aws cognito-idp get-user` expects an access token from the user, which I'm afraid the admin doesn't have. `aws cognito-idp admin-get-user` seems to produce the same output as `aws cognito-idp list-users` which I've listed above (lacks IdentityID), just filtered to a specific user. – Sussch Feb 15 '21 at 18:00
  • Sorry, my bad. I didn't notice that you're looking for an association between an identity in an identity pool and a user in a user pool. – Dunedan Feb 15 '21 at 18:05
  • Did you ever find a solution to this problem? – Kenneth Dec 26 '21 at 04:22
  • @Kenneth No, but for my use case (access control of S3 objects, based on Cognito login), AWS recommended using just the User Pool with API Gateway or CloudFront. I have not tried yet if or how these would work out. – Sussch Dec 28 '21 at 12:54
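The two listings in the question can be joined as far as the data actually allows, which is pool granularity rather than user granularity. The following script is an added example (not part of the question, the comments, or any AWS tooling); it works on constructed sample responses that mirror the shapes shown above, so the ids, region and e-mail addresses are placeholders. The same dicts come from boto3's `cognito-idp` `list_users` and `cognito-identity` `list_identities` calls in a live account. It flattens the user attributes, parses each `Logins` provider string back into a user pool id, classifies identities as user-pool, external-provider or unauthenticated (guest identities carry no `Logins`), and reports which identities could have originated from a given user pool. What it deliberately does not do is claim a user-level match: nothing in either listing carries the other side's key, which is exactly the gap the question describes.

```python
"""Correlate Cognito User Pool users with Identity Pool identities.

Added example. The sample responses are constructed to mirror the
shapes of `aws cognito-idp list-users` and
`aws cognito-identity list-identities`; live data would come from
boto3.client("cognito-idp").list_users(UserPoolId=...) and
boto3.client("cognito-identity").list_identities(IdentityPoolId=..., MaxResults=60).
"""
import re
from typing import Dict, List, Optional

# Constructed placeholder ids (not real pools).
USER_POOL_ID = "eu-west-1_EXAMPLE01"

LIST_USERS_RESPONSE = {
    "Users": [
        {
            "Username": "my.username.yay",
            "Attributes": [
                {"Name": "sub", "Value": "11111111-2222-3333-4444-555555555555"},
                {"Name": "email_verified", "Value": "true"},
                {"Name": "email", "Value": "my.username.yay@my.company.yay"},
            ],
            "Enabled": True,
            "UserStatus": "CONFIRMED",
        },
        {
            "Username": "other.user",
            "Attributes": [
                {"Name": "sub", "Value": "66666666-7777-8888-9999-000000000000"},
                {"Name": "email", "Value": "other.user@my.company.yay"},
            ],
            "Enabled": True,
            "UserStatus": "UNCONFIRMED",
        },
    ]
}

LIST_IDENTITIES_RESPONSE = {
    "IdentityPoolId": "eu-west-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "Identities": [
        {
            "IdentityId": "eu-west-1:12345678-aaaa-bbbb-cccc-1234567890ab",
            "Logins": ["cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE01"],
        },
        {
            "IdentityId": "eu-west-1:87654321-aaaa-bbbb-cccc-1234567890ab",
            "Logins": ["accounts.google.com"],
        },
        {
            # Unauthenticated (guest) identity: no Logins key at all.
            "IdentityId": "eu-west-1:00000000-aaaa-bbbb-cccc-1234567890ab",
        },
    ],
}

# A user-pool Logins entry looks like cognito-idp.<region>.amazonaws.com/<pool-id>.
PROVIDER_RE = re.compile(
    r"^cognito-idp\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/(?P<pool>[A-Za-z0-9_-]+)$"
)


def attributes_to_dict(user: dict) -> Dict[str, str]:
    """Flatten the Name/Value attribute list into a plain dict."""
    return {a["Name"]: a["Value"] for a in user.get("Attributes", [])}


def users_by_sub(list_users_response: dict) -> Dict[str, dict]:
    """Index user pool users by `sub`, the stable per-user identifier."""
    out: Dict[str, dict] = {}
    for user in list_users_response["Users"]:
        attrs = attributes_to_dict(user)
        out[attrs["sub"]] = {
            "username": user["Username"],
            "email": attrs.get("email"),
            "email_verified": attrs.get("email_verified") == "true",
            "status": user.get("UserStatus"),
        }
    return out


def user_pool_from_login(login: str) -> Optional[str]:
    """Return the user pool id named by a Logins entry, or None for other providers."""
    m = PROVIDER_RE.match(login)
    return m.group("pool") if m else None


def identity_classification(identity: dict) -> str:
    """'user-pool', 'external-provider' or 'unauthenticated' (no Logins)."""
    logins = identity.get("Logins", [])
    if not logins:
        return "unauthenticated"
    if any(user_pool_from_login(login) for login in logins):
        return "user-pool"
    return "external-provider"


def identities_for_user_pool(list_identities_response: dict, user_pool_id: str) -> List[str]:
    """Identity ids whose Logins reference the given user pool (pool-level join only)."""
    return [
        ident["IdentityId"]
        for ident in list_identities_response["Identities"]
        if user_pool_id in (user_pool_from_login(l) for l in ident.get("Logins", []))
    ]


if __name__ == "__main__":
    for sub, info in users_by_sub(LIST_USERS_RESPONSE).items():
        print(f"user sub={sub} username={info['username']} email={info['email']}")
    for ident in LIST_IDENTITIES_RESPONSE["Identities"]:
        print(f"identity {ident['IdentityId']}: {identity_classification(ident)}")
    print("identities from", USER_POOL_ID, "->",
          identities_for_user_pool(LIST_IDENTITIES_RESPONSE, USER_POOL_ID))
```

The classification step is the useful defensive by-product: an identity with no `Logins` means unauthenticated (guest) access is enabled on the identity pool, and an identity from a provider you did not expect shows up as `external-provider`, both worth checking when the pool grants IAM credentials for S3 access.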

0 Answers