aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Include tags in Cognito Identity ListUserPools/ListIdentityPools API responses #573

Open zpbonjour opened 11 months ago

zpbonjour commented 11 months ago

Describe the feature

Currently list-user-pools outputs the following info:

{
      "Id": "<Pool_Id>",
      "Name": "<Pool_Name>",
      "LambdaConfig": { <Lambda_Triggers> },
      "LastModifiedDate": "<Date_Modified>",
      "CreationDate": "<Date_Created>"
}

and list-identity-pools:

{
      "IdentityPoolId": "<Pool_Name>",
      "IdentityPoolName": "<Pool_Name>"
}

I would like to see more descriptive information that will help narrow down the search for a specific pool. Tags would be super helpful for my use case.

{
      "Id": "<Pool_Id>",
      "Name": "<Pool_Name>",
      "LambdaConfig": { <Lambda_Triggers> },
      "LastModifiedDate": "<Date_Modified>",
      "CreationDate": "<Date_Created>",
      "UserPoolTags": {
           "TagKey1": "TagValue1",
           "TagKey2": "TagValue2"
      }
}

{
      "IdentityPoolId": "<Pool_Name>",
      "IdentityPoolName": "<Pool_Name>",
      "IdentityPoolTags": {
           "TagKey1": "TagValue1",
           "TagKey2": "TagValue2"
      }
}

Use Case

I am working on some workflow automation that needs to fetch a user and identity pool's id. Unfortunately, the name of the pool is not always uniform or known. However, there are some tags that I could use to find the intended pool. Right now, I am unable to search the tags unless I know the pool id as list-tags-for-resource requires an ARN and describe-identity/user-pool requires a pool id.

Proposed Solution

Output the pool resource tags when listing pools with list-identity/user-pools so they can be used to locate a pool.

Other Information

All of my testing has been done in Cloud Shell, but I intend to use this feature with GitHub Actions.

CLI version used

aws-cli/2.13.4 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off

Environment details (OS name and version, etc.)

Cloud Shell

tim-finnigan commented 11 months ago

Hi @zpbonjour thanks for the feature request. This would need to get rerouted to the Cognito team, as they own the underlying ListUserPools and ListIdentityPools APIs. (If you have a support plan we recommend reaching out through AWS Support with requests like these, otherwise we can forward them on your behalf.)

I'm not sure if the Cognito team would consider this feature request though if your use case can be addressed using the list-tags-for-resources command. You can get the user pool ID via list-user-pools and then construct the ARN in this format with your region/account/id: arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341.

zpbonjour commented 11 months ago

@tim-finnigan I cannot get the correct user/identity pool by using list-user-pools and list-identity-pool because I cannot rely on the name of the pool. I need the tags to select the needed pool. Without the name of the pool, I can't get the ID. Without the ID, I can't use list-tags-for-resources as the ARN.

An alternative would be adding the --filter functionality to these commands.

tim-finnigan commented 11 months ago

Thanks @zpbonjour for following up and elaborating further. I'll go ahead and transfer this issue to our cross-SDK repository, as requests involving APIs apply to other SDKs in addition to the AWS CLI. And I'll reach out to the Cognito Identity team for additional review and feedback on this request. (ref: P96282886)

jmklix commented 3 months ago

You might be able to use AWS Resource Explorer as a possible workaround.

After Resource Explorer is set up, you could use the Search API and query for the tags you use.

For example, if you had several Cognito user pools tagged with a key value of "sanboxCognitoUserPools", you could use a query similar to "tag.key: sanboxCognitoUserPools" with the Resource Explorer Search API and you would get back a response similar to this:

{
    "Resources": [
        {
            "Arn": "arn:aws:cognito-idp:<REGION>:<ACCOUNT-ID>:userpool/<REGION>_123abc",
            "LastReportedAt": "2024-02-27T17:43:39+00:00",
            "OwningAccountId": "<ACCOUNT-ID>",
            "Properties": [
                {
                    "Data": [
                        {
                            "Key": "sanboxCognitoUserPools",
                            "Value": ""
                        }
                    ],
                    "LastReportedAt": "2024-02-27T17:43:39+00:00",
                    "Name": "tags"
                }
            ],
            "Region": "<REGION>",
            "ResourceType": "cognito-idp:userpool",
            "Service": "cognito-idp"
        }
    ]
}

From there you would get the ARN and could extract the user pool id (or identity pool id) and then call ListUserPools/ListIdentityPools API.
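Added example, not part of the thread or of any AWS project code: a Python sketch of the ARN-to-pool-id step in the workaround above, run over a constructed response shaped like the one quoted. The account ids, pool ids and the function names `pool_ids` and `single_pool_id` are assumptions; the owning-account check and the exactly-one-match rule are additions for automation, since anyone allowed to tag a pool can make it match a tag query.

```python
import re

# Constructed sample shaped like the Resource Explorer Search response quoted above.
_TAGS = [{"Name": "tags", "Data": [{"Key": "sanboxCognitoUserPools", "Value": ""}]}]
SAMPLE_RESPONSE = {
    "Resources": [
        {"Arn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_123abc",
         "OwningAccountId": "111122223333", "Properties": _TAGS},
        {"Arn": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/"
                "us-east-1:0a1b2c3d-1111-2222-3333-444455556666",
         "OwningAccountId": "111122223333", "Properties": _TAGS},
        # Same tag key, different account: must not be selected.
        {"Arn": "arn:aws:cognito-idp:us-east-1:999988887777:userpool/us-east-1_zzz999",
         "OwningAccountId": "999988887777", "Properties": _TAGS},
    ]
}

# arn:partition:service:region:account:resource-type/resource-id
# Identity pool ids contain a colon, so the resource id is captured whole, not split on ":".
ARN_RE = re.compile(
    r"^arn:[^:]+:(cognito-idp|cognito-identity):([^:]+):(\d{12}):(userpool|identitypool)/(.+)$")


def pool_ids(response, tag_key, expected_account):
    """Return pool ids by kind for resources in expected_account that carry tag_key."""
    found = {"userpool": [], "identitypool": []}
    for res in response.get("Resources", []):
        m = ARN_RE.match(res.get("Arn", ""))
        if not m:
            continue  # not a Cognito pool ARN
        _service, _region, account, kind, pool_id = m.groups()
        if account != expected_account or res.get("OwningAccountId") != expected_account:
            continue  # ignore pools owned by any other account
        tags = {t["Key"]: t.get("Value", "")
                for p in res.get("Properties", []) if p.get("Name") == "tags"
                for t in p.get("Data", [])}
        if tag_key in tags:  # re-check the tag instead of trusting the query match
            found[kind].append(pool_id)
    return found


def single_pool_id(response, tag_key, expected_account, kind):
    """Fail closed unless exactly one pool of the given kind matches."""
    ids = pool_ids(response, tag_key, expected_account)[kind]
    if len(ids) != 1:
        raise LookupError(f"expected one {kind} tagged {tag_key!r}, found {len(ids)}")
    return ids[0]
```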