如何从Python AWS Lambda函数访问context.identity？

Question

My lambda function is receiving a context.

def lambda_handler(event, context):
    logger.info(context.function_name)
    logger.info(context.identity)
    logger.info(context.cognito_identity_id)
    logger.info(context.identity.cognito_identity_id)
    return 'hello world'

The log receives the function_name, and logs the memory address for context.identity . But context.cognito_identity_id and context.identity.cognito_identity_pool_id are reported as None .

How do I get cognito_identity_id populated?

From Xcode debugger in the class built by AWS API Gateway I can see that the private variable `_configuration._credentialsProvider._identityId is set correctly. But this value isn't being passed thru to my AWS Lambda function.

I can't find how to get is passed thru. I've read this page where I'd expect it to be covered.

Further: From the Lambda function I logged out dir(context.identity) giving ['__class__', '__delattr__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__slots__', '__str__', '__subclasshook__', 'cognito_identity_id', 'cognito_identity_pool_id']

This shows that cognito_identity_id and cognito_identity_id are actually present.

I think AWS Gateway -> AWS Lambda doesn't set-up Identity for free - I'm missing some configuration - a mapping template perhaps.

Answer 1

This is too long for a comment...

You will need to look at the API Gateway documentation. I know that the Cognito identity ID is None if you

(a) invoke the lambda using the CLI with an (access key id,secret key) as credentials,

(b) invoke the lambda using boto using (access key id,secret key) credentials,

(c) invoke the lambda from the AWS console.

I invoke my Lambdas using Cognito credentials, and I get a non- None identity id in my context object. To set up Cognito credentials you need to set up an identity pool with a role which is authorized to invoke the function (simple setup: create an unauthorized role and give it the lambda:invokeFunction permission for your function).

I can provide Python or JavaScript code to do this, though it wouldn't answer your question because you specifically asked about invocation from the API Gateway. But if you want it let me know.

Answer 2

This is how I've made progress.

Drop the GET method - it doesn't support the passing of Cognito identities thru to Lambda.

Use POST instead. For the POST's Integration Request select "Invoke with caller credentials" and create a Mapping template. The template needs to be "application/json" with the Template contents { "identity": "$input.params('identity')" }

With these additions, when the lambda function is called its `context.identity' parameter will be populated with the values of the caller's cognity identifier pool and id.

From Python in your Lambda function be sure to access with context.identity and not context[identity]

Answer 3

I found the following solution https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

So from the event

UserPoolId = event['identity']['claims']['iss'].rsplit('/', 1)[-1]