Is there a way to query Amazon Cognito for multiple User Ids at once? If yes, are there any limitations?
Related
I'm working with an AWS Cognito UserPool.
I have a list of Cognito User IDs. I'm interested in querying Cognito for attributes for each ID. I see that Cognito supports querying one ID at a time, but doesn't support batch queries. Is this the case?
Is there a performant way to convert a list of IDs into a list of objects with user attributes?
Cognito doesn't support batch get-user queries, so you are basically left with 2 options.
If the user pool is not very large, use ListUsers API to dump all user info. Max batch size is 60.
If your user pool is huge, use multi-threading/processing to fetch users in parallel.
I'm pretty new in all the AWS Tools BTW. Anyhow, I already created the Cognito User Pool and I can create and login new users but I also need those fields in my RDS database.
Yesterday I was reading docs and tutorials about the problem but looks like there is a lot of ways to synchronise two data sources. I don't know if something like AppSync has the options to do that or I need to write a two steps lambda, so I'm looking for advice for more experienced users like you guys.
You can have only the basic required attributes for authentication in the cognito user pool such as username, name, email and phone number and the rest of the meta data in some other database such as RDS or DynamoDB.
Within dynamo or RDS you can create a one to one mapping of the username in cognito and the rest of the metadata. Like for example:
*username* -> pk
employee_id
address
user_type
first_name
last_name
marital_status
gender
From implementation point of view:
Expose lambda to create and update a user. Create a user in cognito using only the required attributes earlier defined using the cognito APIs, next insert the meta data for that user in the database of your choice. Same goes for your PUT API with a slight change that you will have to update user pool and user meta data in the database.
Short answer:
You can replicate Cognito User Pool data to a SQL table by listening to Cognito events (using AWS Lambda, for example).
Long answer:
I think you can have Cognito User Pools as authentication/user data Bounded Context, in other words a single source of truth for authentication and user data.
And other BC's in need of user data (for example Sales context) can use some kind of data replication architecture to sync user data as read only, for internal complex queries, or just decoupling from Cognito.
One example of data replication in this case could be listening to Cognito events (AWS Lambda can help with that) to replicate user data to a Bounded Context (just the part of the data you need for that context).
But remember that the replicated data is read only, the original Cognito data should be the single source of truth.
You can use AWS AppSync Lambda resolvers coupled with Cognito User Pools as the AuthZ choice for an AppSync API to satisfy your use case. Essentially when the user completes auth with cognito you will have the '$context.identity.claims' which contains the user attributes, and inside your lambda resolver you can write to your RDS DB.
Some reference docs:
Lambda Resolvers: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html
AppSync Auth with User Pools: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html
I'm new to AWS, and i'm using Cognito Identity Pools to allow unverified (unauthenticated) users access to my AWS resources. I want to create users table using DynamoDb and my question is:
Is unauthenticated users ids in Cognito are consistent among devices? Will the id be constant for each device or change due to any reasons?
Can I use Cognito uid to identify a specific user even if he deletes the app for example, and comes back after few months?
THANKS.
Can I apply a policy (for example to an AWS DynamoDB table) but restrict it based on a specific field of the Cognito user (other than the Cognito id)?
What I'm tring to implement:
I've got multiple Cognito users that belongs to one specific group. Each group can have multiple users. There are a lot of groups > 1000.
Each group should have permissions to read/write rows in a DynamoDB Table that belongs to the group (to do so the table has a field GroupName).
Each user should have the same permissions that the group he belongs to has.
I would like to check in the policy file that MyCognitoUser.GroupName equals the row.GroupName
If you are using Amazon Cognito User Pools then you can use the recently launched Groups functionality to assign roles based on the user groups (you don't need to store this field in DynamoDB, instead it is part of user profile).
I have an API deployed on AWS API Gateway. I will have multiple subscribers using my API and each customer would be unique. Is it possible that each customer will have a separate API key unique to him? Or will I have to create those many IAM users in order for them to be unique? If yes for the IAM users, then what is the upper limit of the number of users? I will be doing all this programmatically.
By unique, if you mean that you should be able to identify which request came from who, then you can generate one API Key per subscriber. You can generate up to 10000 API keys per AWS account. More details about API keys here.
By unique, if you mean that each subscriber should have access to a unique set of API resources/methods/stages, then you can create different IAM roles with different levels of permissions and let the subscribers assume the roles. You can create up to 250 roles per account. More details about access permissions here.