Cognito Identity Id in AWS IOT event handler - amazon-web-services

I have an AWS Lambda function called on "subscribe" IOT event. Client subscribes to IOT with Cognito credentials. Is it possible to get Cognito Identity Id in the Lambda function?

I think you can get the Cognito Identity ID from the identity property (in the case of the Node.js runtime) of the context parameter (context.identity), as explained here.
Also, I don't really understand the use case of the Cognito Identity ID. I think you should be able to uniquely identify your devices using the clientId property of the MQTT message.

Related

A lambda function trigger on deleting a AWS cognito user

I'm very new to AWS Cognito. I want to send a mail on deleting a user from an AWS Cognito user pool. I learnt that there is a list of predefined event trigger sources for various user actions such as sign up, sign in, password change etc., but there is no such event trigger source for deleting a user. I found a few similar questions posted and saw that using a Cognito Sync trigger was recommended; when I tried to follow that, it asked me to select a Cognito identity pool to proceed further, but there is no identity pool used in my project.
Kindly let me know how I can trigger a Lambda function on deleting a Cognito user.
Identity pools are used for giving temporary access to your AWS resources/services; you can refer to the docs:
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
Since your backend is not using any AWS resource, you can use AWS API Gateway to create an endpoint which can be hit to trigger the Lambda function; as the auth provider of the API you can use Cognito. Here is the reference.

AWS Cognito: How to trigger lambda on user signup to attach IoT policy?

I am creating a web app using AWS Amplify, and one of its features will be integration with AWS IoT for live MQTT data. I successfully set up Cognito to work with IoT, but there is one step that I currently have to do manually: attach the IoT policy to a Cognito identity. In all the AWS tutorials on this, they have you manually attach the policy for the user via the command line, but obviously in a production app this needs to be automated with something like a Lambda as part of the user signup flow. I know that Lambda triggers are available on the user pools side of Cognito, but I don't see any documentation on them being available for identity pools. If I'm correct, the user signup happens first in the user pool and then in the identity pool, and since I need the identity ID to link to IoT, using user pool Lambda triggers won't work for this. Of course I could always add this to my own API which is called after sign up; the only issue with that is that it relies on the client to call the API, which adds complexity, i.e. the client could disconnect after signup but before the API call is made, in which case the user would never get the policy attached. Is there any better server-side way to trigger this?

Getting user from SNS EndpointAdded Event

I'm trying to associate my user's Cognito identity with the SNS endpoints they create when registering for push notifications. I've created a Lambda function connected to the SNS application's EndpointAdded topic. It is fired whenever an endpoint is created, but it does not include any information I can see that I can use to associate the endpoint with a user.
I see many examples where people are adding the user ID as custom user data, but this allows any user to sign up for any other user's notifications. Is there a more secure way to make this association?
If you front registering the endpoint with Lambda or API Gateway and you use SigV4 credentials vended by Cognito to make the call, the context passed in will contain the Cognito Identity Id extracted from the credentials that made the call. This will ensure that the identity id you associate with the endpoint hasn't been tampered with.
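The pattern the answer describes, as an added Node.js example (not code from the thread): a Lambda behind an API Gateway method with AWS_IAM authorization, where the SigV4-signed call makes API Gateway populate event.requestContext.identity.cognitoIdentityId, and only that value, never a user id from the body, becomes the endpoint's CustomUserData. PLATFORM_APP_ARN is a placeholder and the SNS client is injected (in Lambda you would pass `new AWS.SNS()` from aws-sdk v2).

```javascript
// Added example: register an SNS platform endpoint bound to the caller's
// verified Cognito identity. Assumptions: API Gateway proxy integration with
// AWS_IAM auth, request body {"deviceToken": "..."}, aws-sdk v2 client shape.
const PLATFORM_APP_ARN = 'arn:aws:sns:us-east-1:123456789012:app/APNS/ExampleApp'; // placeholder

// The only trusted source of the caller's identity: API Gateway fills this in
// from the signed request. Returns null for unauthenticated/non-IAM calls.
function trustedIdentityId(event) {
  const identity = event.requestContext && event.requestContext.identity;
  return (identity && identity.cognitoIdentityId) || null;
}

// Build CreatePlatformEndpoint parameters. The device token comes from the
// client; the CustomUserData is the verified identity id, so a client cannot
// register a device under another user's id by putting it in the body.
function buildEndpointParams(event) {
  const identityId = trustedIdentityId(event);
  if (!identityId) {
    const err = new Error('no Cognito identity in request context');
    err.statusCode = 403;
    throw err;
  }
  const body = JSON.parse(event.body || '{}');
  if (typeof body.deviceToken !== 'string' || body.deviceToken.length === 0) {
    const err = new Error('deviceToken is required');
    err.statusCode = 400;
    throw err;
  }
  return {
    PlatformApplicationArn: PLATFORM_APP_ARN,
    Token: body.deviceToken,
    CustomUserData: identityId, // what the EndpointAdded consumer will read back
  };
}

// Lambda entry point; `sns` is injected so the example runs without the SDK.
async function handler(event, sns) {
  let params;
  try {
    params = buildEndpointParams(event);
  } catch (err) {
    return { statusCode: err.statusCode || 500, body: JSON.stringify({ error: err.message }) };
  }
  const res = await sns.createPlatformEndpoint(params).promise();
  return { statusCode: 200, body: JSON.stringify({ endpointArn: res.EndpointArn }) };
}
```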

AWS Lambda, API gateway & Cognito: How to get the identity object in lambda function?

I'm building a serverless backend using the following AWS technologies:
AWS api_gateway
AWS cognito
AWS lambda
In API Gateway I have created a Cognito User Pool authorizer and I'm using this authorizer for all requests to the backend.
Everything works: when a user makes a request with an invalid JWT token, the server responds accordingly. A valid JWT token executes the requested Lambda function.
Problem: I'm unable to retrieve identity information, such as accessKey, accountId, cognitoIdentityId and so forth. All these variables are null when I access them via the context object in the Lambda function.
Question: What do I need to do in order to get the identity variables?
The context object in the Lambda function contains the context from Lambda's perspective. The Lambda function is running with the identity of its execution role, thus its context won't contain the identity attributes from the Cognito user pool.
API Gateway exposes the Cognito user pool identity information via the $context.authorizer.claims variable within API Gateway. To access this information from within your Lambda function, you must modify your body mapping template in API Gateway to pass the desired data from $context.authorizer.claims to your Lambda function via the request body. Your Lambda function then reads this information from the request body like any other field.
Documentation on this can be found here.
Scroll down to the section titled "To enable a user pool authorizer on methods" and see step 7: "If needed, choose Integration Request to add $context.authorizer.claims ..."
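What that answer describes, as an added example (not from the thread): the Integration Request body mapping template that copies selected $context.authorizer.claims fields into the Lambda event, and the Lambda side that reads them. The claim names are the standard ones in a Cognito ID token; the event layout ("body" plus "claims") is my assumption.

```javascript
// Added example. MAPPING_TEMPLATE goes into the API Gateway Integration
// Request body mapping template for application/json (non-proxy integration);
// callerFromEvent()/handler() run in the Lambda. Field layout is an assumption.
const MAPPING_TEMPLATE = `{
  "body": $input.json('$'),
  "claims": {
    "sub": "$context.authorizer.claims.sub",
    "email": "$context.authorizer.claims.email",
    "token_use": "$context.authorizer.claims.token_use"
  }
}`;

// Only event.claims is trusted: API Gateway fills it from the JWT it already
// validated, whereas event.body is whatever the client chose to send.
function callerFromEvent(event) {
  const claims = event.claims || {};
  if (!claims.sub) {
    // No authorizer on this method, or the mapping template was not applied.
    throw new Error('no authorizer claims in event');
  }
  if (claims.token_use !== 'id') {
    // Access tokens carry no profile claims such as email.
    throw new Error('expected a Cognito ID token');
  }
  return { sub: claims.sub, email: claims.email };
}

// Lambda entry point for the mapped (non-proxy) integration. A userId inside
// the body is ignored; the caller is whoever the validated token says.
async function handler(event) {
  const caller = callerFromEvent(event);
  return { ok: true, caller, received: event.body };
}
```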
When you created the Cognito User Pool you would have created two IAM roles. You can now set up API Gateway to pass the identity information by:
Authorization set to AWS_IAM
Turn on Invoke with caller credential
In Lambda you should be able to get the information in context.
Note: in the Cognito IAM roles you need to allow invoke permission for API Gateway.

AWS SNS Publish to specific User via Cognito Identity ID

What I'm trying to do here is send a notification via SNS and APNS when a specific user is part of a newly added DynamoDB item. I want to send it to the user's Cognito Identity ID, not to a device token.
So Lambda should be triggered when the item is added and then go through a list of Cognito Identity IDs, which is also part of the item.
Then Lambda is supposed to publish the push notifications to each Cognito Identity ID.
All the devices are registered as endpoints within SNS. I also keep the Cognito Identity ID in the "user data" field for the endpoint.
But I didn't find a way to send notifications directly to a Cognito Identity ID. Do I have to add a topic for each user and send the notification to that topic? Or do I have to store another DynamoDB table to map Cognito Identity IDs to device tokens? It would be great if someone knew an easier and not too expensive way!
Thank you!
If you are sending Push Notifications via SNS to APNS or GCM then you first need to create an SNS Platform Endpoint for each device token registered for Push Notifications. Once you have an SNS Endpoint, you'll need to map that endpoint with the Cognito Identity ID in the user table or another mapping table.
When a new item is added to DynamoDB, the event handler (Lambda) will need to map the incoming Cognito Identity ID to the SNS Platform Endpoint in the user table and then it can direct publish to that one endpoint.
You do not need to create an SNS Topic for sending Push to individual endpoints.
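The flow the answer lays out, as an added Node.js example (not code from the thread): a Lambda on the table's DynamoDB stream reads the inserted item's list of Cognito Identity IDs, resolves each to an SNS platform endpoint ARN through the mapping table, and publishes directly to that endpoint with TargetArn, no per-user topic. The attribute names "recipients" and "message" are assumptions, and `lookupEndpoint` (the mapping-table read) and the SNS client are injected so the example runs offline.

```javascript
// Added example: DynamoDB stream -> identity id -> endpoint ARN -> direct publish.
// Assumptions: stream view NEW_IMAGE, item attributes "recipients" (list of
// identity ids) and "message" (string); aws-sdk v2 client shape for sns.publish.

// Convert a DynamoDB Streams list-of-strings attribute ({ L: [{ S: ... }] })
// into a plain array; returns [] when the attribute is absent or malformed.
function identityIdsFromImage(image, attr) {
  const list = image && image[attr] && image[attr].L;
  if (!Array.isArray(list)) return [];
  return list.map((v) => v.S).filter((s) => typeof s === 'string');
}

// Direct-publish request for one device. TargetArn (not TopicArn) addresses
// exactly that platform endpoint; the payload carries a per-platform message.
function buildPublishParams(endpointArn, message) {
  return {
    TargetArn: endpointArn,
    MessageStructure: 'json',
    Message: JSON.stringify({
      default: message,
      APNS: JSON.stringify({ aps: { alert: message } }),
    }),
  };
}

// Stream handler: for every inserted item, publish to each recipient that has
// a registered endpoint. Ids with no mapping are skipped and counted, so one
// unregistered device does not fail the whole batch.
async function handler(event, lookupEndpoint, sns) {
  const summary = { published: 0, unmapped: 0 };
  for (const record of event.Records || []) {
    if (record.eventName !== 'INSERT') continue; // only new items trigger pushes
    const image = record.dynamodb && record.dynamodb.NewImage;
    const message = (image && image.message && image.message.S) || 'New item';
    for (const id of identityIdsFromImage(image, 'recipients')) {
      const endpointArn = await lookupEndpoint(id); // e.g. GetItem on the user/mapping table
      if (!endpointArn) { summary.unmapped += 1; continue; }
      await sns.publish(buildPublishParams(endpointArn, message)).promise();
      summary.published += 1;
    }
  }
  return summary;
}
```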