问题
Let me start with the overall description of what I'm trying to achieve. I'm building a serverless API using Lambda, Cognito (Federated Identities), API Gateway etc. I'm using aws_iam as the authorizer in API Gateway. In some endpoints, I need to access for example user e-mail or username or whatever so I can send it back in the response (also data of users who did not make the request). I guess I'm looking for some kind of "admin" access to the identity pool so I can retrieve data based on cognitoIdentityId.
Now in my case, this data is stored in a dataset in Cognito. The question is, how can I access this data from my Lambda function (node.js)? Is this a good approach at all? Should I use something else instead of datasets? Is there a working example somewhere?
I will be happy to provide more details if necessary.
Thanks
EDIT #1:
here is the code of my lambda function:
module.exports.getDataSet = (event, context, callback) => {
console.log("event: " + JSON.stringify(event));
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: IDENTITY_POOL_ID
});
try {
AWS.config.credentials.get(function() {
var client = new AWS.CognitoSync();
var params = {
DatasetName: 'userinfo',
IdentityId: event.requestContext.identity.cognitoIdentityId,
IdentityPoolId: IDENTITY_POOL_ID
};
client.listRecords(params, function (err, data) {
if (err) {
console.log(JSON.stringify(err));
} else {
console.log(data);
}
});
});
} catch (ex) {
callback(ex);
}
};
and this is what i get in err when calling listRecords:
{
"message": "Missing credentials in config",
"code": "CredentialsError",
"time": "2017-05-26T08:42:39.298Z",
"requestId": "46712a9b-41ef-11e7-9e3c-074afafb3349",
"statusCode": 400,
"retryable": false,
"retryDelay": 21.688148977111666,
"originalError": {
"message": "Could not load credentials from CognitoIdentityCredentials",
"code": "CredentialsError",
"time": "2017-05-26T08:42:39.298Z",
"requestId": "46712a9b-41ef-11e7-9e3c-074afafb3349",
"statusCode": 400,
"retryable": false,
"retryDelay": 21.688148977111666,
"originalError": {
"message": "Unauthenticated access is not supported for this identity pool.",
"code": "NotAuthorizedException",
"time": "2017-05-26T08:42:39.298Z",
"requestId": "46712a9b-41ef-11e7-9e3c-074afafb3349",
"statusCode": 400,
"retryable": false,
"retryDelay": 21.688148977111666
}
}
}
EDIT #2:
solved by removing
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: IDENTITY_POOL_ID
});
from the code and adding the AmazonCognitoReadOnly policy to the role that invokes the lambda.
回答1:
First, you need the Cognito identity of the caller to be known to the Lambda function. The request context in API Gateway includes the Cognito id, which you can put into the payload that is sent to the Lambda function, or use the Lambda proxy integration and have it included automatically.
Once you have the Cognito id in the Lambda, you can use it to retrieve an associated dataset from Cognito Sync. You can use an IAM policy like AmazonCognitoReadOnly to give your Lambda function permission to call the ListRecords API on Cognito Sync (which gives you access to the dataset).
来源:https://stackoverflow.com/questions/44154025/how-to-access-dataset-of-an-identity-in-cognito-federated-identities-from-lambda