aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

event.identity is null in Lambda Function, even when the request comes from an authenticated user #6169

Closed PedroBern closed 4 years ago

PedroBern commented 4 years ago

Describe the bug

event.identity is null in Lambda Function, even when the request comes from an authenticated user

To Reproduce

Steps to reproduce the behavior:

1 - amplify add auth
2 - amplify add api ... select the cognito option
3 - amplify add function... hello world template
4 - See the code snippet section below to see the lambda function and the schema

Expected behavior

event.identity to correspond to the authenticated user.

Code Snippet

1 - schema

```graphql
type Profile
  @model(subscriptions: null)
  @auth(rules: [
    { allow: owner, operations: [update] },
    { allow: groups, groups: ["Admin"], operations: [create, update, delete] }
  ])
{
  id: ID!
  email: String!
  owner: String
  # ...
}

input CreateUserProfileInput {
  id: String!
  email: String!
}

type Mutation {
  createUserProfile(input: CreateUserProfileInput!): Profile @function(name: "CreateUserProfileResolver-${env}")
}
```

2 - The lambda function

```js
const { DynamoDB, CognitoIdentityServiceProvider } = require('aws-sdk');

// Configuration injected by Amplify through environment variables
const REGION = process.env.REGION;
const TABLE_NAME = `${process.env.TABLE_NAME}-${process.env.ENV}`;
const COGNITO_USERNAME_CLAIM_KEY = 'cognito:username';
const COGNITO_USERPOOL_ID = process.env.AUTH_AUTH_USERPOOLID;
if (!COGNITO_USERPOOL_ID) {
  // Name the variable that is actually read above
  throw new Error(`Function requires environment variable: 'AUTH_AUTH_USERPOOLID'`);
}

// The SDK option is `region`; the shorthand `{REGION}` would set an unknown `REGION` key
const docClient = new DynamoDB.DocumentClient({ region: REGION });
const cognitoIdentityServiceProvider = new CognitoIdentityServiceProvider();

exports.handler = async (event) => {
  console.log(JSON.stringify(event, null, 2)); // event.identity is always null, even for authenticated users
  // ...
};
```

3 - Auth.currentSession()

CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0}
accessToken: CognitoAccessToken {jwtToken: "eyJraWQiOiJLMXpvb2VNRkNtUzNocFpGcDIwcjZVcndFQWlFZk…8khnVK3C35lhC2QcEShBZUBH7Z5rjWDNeMbP3tdsxkn3bGjSw", payload: {…}}
clockDrift: 0
idToken: CognitoIdToken {jwtToken: "eyJraWQiOiJudGVIYWpibFVRVXo2RlRXcE1YUkVYd2ZOZTJlU2…7XJ4yAW-DoVW1l7XH-6v_ArlU1jB-lA0JDwehUosxhE2Znr4A", payload: {…}}
refreshToken: CognitoRefreshToken {token: "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUl…8HTKORfwvmp6IiOa83IyfmCCtA.EPDaU-uM2wzsqnGLld8b0Q"}
__proto__: Object

4 - The lambda log

```
{
    "typeName": "Mutation",
    "fieldName": "createUserProfile",
    "arguments": {...},
    "identity": null,
    "source": null,
    "request": {...},
    "prev": {
        "result": {}
    }
}
```

What is Configured?

If applicable, please provide what is configured for Amplify CLI:

```js
const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_cognito_identity_pool_id": "us-east-1:xxx",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_xxx",
    "aws_user_pools_web_client_id": "xxx",
    "oauth": {},
    "aws_appsync_graphqlEndpoint": "https://xxxxmwpj4qm.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-1",
    "aws_appsync_authenticationType": "API_KEY",
    "aws_appsync_apiKey": "xxx"
};
```

Environment

```
  System:
    OS: macOS High Sierra 10.13.6
    CPU: (4) x64 Intel(R) Core(TM) i5-2435M CPU @ 2.40GHz
    Memory: 16.85 MB / 4.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 10.13.0 - /usr/local/bin/node
    Yarn: 1.21.1 - /usr/local/bin/yarn
    npm: 6.13.4 - /usr/local/bin/npm
    Watchman: 4.9.0 - /usr/local/bin/watchman
  Browsers:
    Chrome: 83.0.4103.116
    Firefox: 76.0.1
    Safari: 11.1.2
  npmPackages:
    @babel/core: ^7.8.6 => 7.10.3
    @expo/vector-icons: ~10.0.6 => 10.0.6
    @react-native-community/masked-view: 0.1.6 => 0.1.6
    @react-native-community/netinfo: ^5.9.3 => 5.9.3
    @react-navigation/bottom-tabs: ^5.3.1 => 5.5.2
    @react-navigation/native: ^5.2.1 => 5.5.1
    @react-navigation/stack: ^5.2.16 => 5.5.1
    aws-amplify: ^3.0.18 => 3.0.18
    aws-amplify-react-native: ^4.2.1 => 4.2.1
    babel-preset-expo: ~8.1.0 => 8.1.1
    expo: ~37.0.9 => 37.0.12
    expo-asset: ~8.1.0 => 8.1.7
    expo-constants: ~9.0.0 => 9.0.0
    expo-font: ~8.1.0 => 8.1.1
    expo-linking: ^1.0.1 => 1.0.3
    expo-splash-screen: ^0.2.3 => 0.2.3
    expo-web-browser: ~8.2.0 => 8.2.1
    graphql-auto-transformer: ^1.3.1 => 1.3.1
    jest-expo: ~37.0.0 => 37.0.0
    js-md5: ^0.7.3 => 0.7.3
    react: ~16.9.0 => 16.9.0
    react-dom: ~16.9.0 => 16.9.0
    react-native: https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz => 0.61.4
    react-native-gesture-handler: ~1.6.0 => 1.6.1
    react-native-safe-area-context: 0.7.3 => 0.7.3
    react-native-screens: ~2.2.0 => 2.2.0
    react-native-web: ~0.11.7 => 0.11.7
  npmGlobalPackages:
    @aws-amplify/cli: 4.21.3
    create-react-app: 2.1.1
    depcheck: 0.8.4
    expo-cli: 3.21.9
    monaca: 3.1.2
    npm: 6.13.4
    typescript: 3.9.5
```

Additional context

I saw some people talking about "Invoke with caller credentials", but I did not find this option.

PedroBern commented 4 years ago

Got it working after adding the auth directive, but the example in the docs does not use it. The problem was probably because my default auth is by API Key; Cognito is the additional one.

```graphql
# ...
createUserProfile(input: CreateUserProfileInput!): Profile
    @auth(rules: [{ allow: owner }])
    @function(name: "CreateUserProfileResolver-${env}")
# ...
```
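
An added example (not code from this issue or from the Amplify project) of a resolver guard that fails closed when `event.identity` is null, as in the Lambda log above, and takes `owner` from the Cognito identity instead of from client input. The helper names and sample events are constructed; the `{ username, claims }` identity shape for Cognito user pool requests is an assumption.

```javascript
// Added example: helper names and sample events are constructed for illustration.
const COGNITO_USERNAME_CLAIM_KEY = 'cognito:username';

// Return the caller's Cognito username, or throw when AppSync supplied no
// identity (identity is null when the request was authorized by API key).
function requireCallerUsername(event) {
  const identity = event && event.identity;
  if (!identity || typeof identity.claims !== 'object' || identity.claims === null) {
    throw new Error('Unauthorized: request carries no Cognito identity');
  }
  // Assumed identity shape for Cognito user pool requests: { username, claims }.
  const username = identity.claims[COGNITO_USERNAME_CLAIM_KEY] || identity.username;
  if (typeof username !== 'string' || username.length === 0) {
    throw new Error('Unauthorized: identity has no username');
  }
  return username;
}

// Build the Profile item. `owner` comes from the verified identity only;
// any `owner` value present in the client arguments is ignored.
function buildProfileItem(event) {
  const owner = requireCallerUsername(event);
  const { id, email } = event.arguments.input;
  return { id, email, owner };
}

// In the Lambda this function would be assigned to exports.handler.
const handler = async (event) => buildProfileItem(event);

// Constructed events with the same top-level shape as the log in the issue.
const input = { id: 'u-1', email: 'alice@example.com', owner: 'someone-else' };
const apiKeyEvent = {
  typeName: 'Mutation', fieldName: 'createUserProfile',
  arguments: { input }, identity: null, source: null,
};
const cognitoEvent = {
  ...apiKeyEvent,
  identity: { username: 'alice', claims: { [COGNITO_USERNAME_CLAIM_KEY]: 'alice' } },
};

handler(cognitoEvent).then((item) => console.log('stored item:', item));
handler(apiKeyEvent).catch((err) => console.log('rejected:', err.message));
```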