
Identify unauthenticated Cognito Identity ID from request

I have an AWS API, with access controlled by an IAM authoriser associated with the unauthenticated role of a Cognito Identity pool. A successful call to the API invokes a Lambda function.

The current process is:

  1. User obtains temporary security credentials. This includes:
    • User IdentityId, e.g. eu-west-2:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. This is the information I require in my Lambda function - see below.
    • Access credentials: AccessKeyId, SecretKey and SessionToken
  2. The user calls the API using a signed request. The header of the request includes X-Amz-Security-Token, obtained from step 1.
  3. If authorisation is successful, the request is sent on to the Lambda function. event.headers includes X-Amz-Security-Token.

Is it possible for the Lambda function to identify the identity pool ID of the caller (e.g. eu-west-2:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX), either from the data available in the header of the request, or by any other means?

Things I have tried:

  • sts.getCallerIdentity with Invoke with caller credentials ticked in API Gateway
  • Looking at SessionToken, though this appears only to be a temporary access token rather than containing any useful data like a JWT.

If absolutely necessary I can include the identity ID of the user with every request, but I'd prefer to avoid this if possible.

The Cognito ID of the user is included in the requestContext property of the event object passed to your Lambda function.

E.g. the identity of the Cognito user that accessed the API is:

event['requestContext']['identity']['cognitoIdentityId'];
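An added example, not from the original answer or from AWS: a Node.js Lambda handler for the API Gateway REST proxy integration that reads the caller's identity ID from requestContext (the only trustworthy source, since the client never sets it) and refuses requests that lack one. The cognitoAuthenticationType field, the identity ID pattern check and the per-identity storage key are assumptions beyond what the answer shows.

```javascript
'use strict';

// Cognito identity IDs look like "<region>:<uuid>". This pattern is a constructed
// approximation used only as a sanity check, not an AWS-published format.
const IDENTITY_ID_RE =
  /^[a-z]{2}(-[a-z]+)+-\d:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Returns the identity ID that API Gateway attached to the request, or null when
// the call was not authorised through a Cognito identity (e.g. plain IAM user keys,
// or a route without the IAM authoriser). The value is set by API Gateway from the
// verified SigV4 signature, so unlike a header or body field it cannot be forged.
function callerIdentityId(event) {
  const identity = event && event.requestContext && event.requestContext.identity;
  const id = identity && identity.cognitoIdentityId;
  if (typeof id !== 'string' || !IDENTITY_ID_RE.test(id)) {
    return null;
  }
  return id;
}

// Builds the proxy-integration response synchronously so it can be unit-tested.
// Any identity ID the client might include in headers or body is deliberately ignored.
function respond(event) {
  const identityId = callerIdentityId(event);
  if (identityId === null) {
    return {
      statusCode: 403,
      body: JSON.stringify({ error: 'no Cognito identity in requestContext' }),
    };
  }
  // "authenticated" or "unauthenticated", as set by API Gateway (assumed field name).
  const authType = event.requestContext.identity.cognitoAuthenticationType || 'unknown';
  // Hypothetical per-identity prefix, e.g. a DynamoDB partition key or S3 key prefix,
  // so that an unauthenticated guest can only ever touch its own data.
  const storageKey = `users/${identityId}/`;
  return {
    statusCode: 200,
    body: JSON.stringify({ identityId, authType, storageKey }),
  };
}

// Lambda entry point.
async function handler(event) {
  return respond(event);
}

module.exports = { handler, respond, callerIdentityId };
```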
