UserPool: incorrect id #25839

Closed
GuyT07 opened this issue Jun 2, 2023 · 10 comments
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito

Comments

@GuyT07

GuyT07 commented Jun 2, 2023

Describe the bug

In order to allow my Lambda to create a Cognito user I have to add an action. I do this by using:

const cognito = UserPool.fromUserPoolId(construct, env.getId('cognito-pool-ref'), env.getId('user-pool'));
const statement = new PolicyStatement({
  actions: ["cognito-idp:AdminCreateUser"],
  resources: [cognito]
});

Looking in the console it prints: arn:aws:cognito-idp:<region>:<account>:userpool/dev-user-pool

I think this is incorrect, because the last part should be the id instead of the name.

The userPoolId is also set to the user pool name instead of the id. Probably a mapping is incorrect.

Expected Behavior

Return the correct arn (userPoolId should be the id, not the name).

Current Behavior

The arn includes the user pool name instead of the id

Reproduction Steps

  • Create a user pool
  • Get the user pool: UserPool.fromUserPoolId(construct, 'cognito-pool-ref', 'user-pool');
  • Check the name and id

Possible Solution

Fix mapping (id should be the id, not the name)

Additional Information/Context

No response

CDK CLI Version

2.82.0

Framework Version

No response

Node.js Version

v18.15.0

OS

Mac

Language

Typescript

Language Version

4.9.4

Other information

No response

@GuyT07 GuyT07 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 2, 2023
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Jun 2, 2023
@peterwoodworth
Contributor

This seems like it behaves correctly to me:

Code:

const userPool = cognito.UserPool.fromUserPoolId(this, 'UserPool', 'myid');
console.log(userPool.userPoolId);
console.log(userPool.userPoolArn);

Output:

myid
arn:aws:cognito-idp:us-east-1:123456789012:userpool/myid

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 2, 2023
@GuyT07
Author

GuyT07 commented Jun 3, 2023

Are you sure this is correct? I expected the id, not the name. If you open AWS Cognito and check the id it will give you something like: <region>_<random-string>. As a workaround I am passing a Cognito User Pool arn reference to my Lambda and then it works as expected. Also in your example, for me at least, it looks like it is returning the name of the userpool instead of the id.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 3, 2023
@peterwoodworth
Contributor

> Also in your example, for me at least, it looks like it is returning the name of the userpool instead of the id.

I'm supplying myid as the parameter that takes in the id, and it's returning the exact id I provided as the id when I log the userPoolId. There's no name here at all, I'm not sure where you are seeing a name.

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2023
@GuyT07
Author

GuyT07 commented Jun 6, 2023

Well just create a UserPool and log its name and id (arn is optional).

[Image: Screenshot 2023-06-06 at 11 29 14]

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2023
@peterwoodworth
Contributor

Yes, if your id looks like that, then that is what you need to provide?

These methods aren't looking anything up, I'm not sure if you're expecting that to be the case or not. The method asks for you to provide the ID because it can't know it, so please provide the ID and then it will work right

@github-actions

github-actions bot commented Jun 6, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@GuyT07
Author

GuyT07 commented Jun 7, 2023

> Yes, if your id looks like that, then that is what you need to provide?
>
> These methods aren't looking anything up, I'm not sure if you're expecting that to be the case or not. The method asks for you to provide the ID because it can't know it, so please provide the ID and then it will work right

No, I still think it is not right. You are showing the CDK (CloudFormation) id, not the UserPool id. So I fetch the User Pool by CloudFormation id and expect that the id of the User Pool = the id of the User Pool. The same is true for the ARN. Take a second look at your example, rename the id and it should be clear to you it isn't returning the User Pool id, but the CloudFormation id.

@peterwoodworth also compare the uploaded image with the results I got. Should be clear that the UserPool.fromUserPoolId method is returning incorrect values. So, in my case, after I call 'UserPool.fromUserPoolId' and print the id and arn, it is returning the name ('dev-xxx-customer') instead of 'eu-central-1_xxxx'. Also in the arn, the name is used instead of the id (probably because they are correctly using the id, but it is mapped to the name).

@peterwoodworth
Contributor

> So I fetch the User Pool by CloudFormation id

That's not how this works, there is no lookup occurring. You need to supply the value of the id yourself in the third argument of fromUserPoolId()

@GuyT07
Author

GuyT07 commented Jun 7, 2023

So why do I get my User Pool then? I know the id that I provided to create the User Pool, not the User Pool id. I am able to fetch the User Pool by the id I created myself. Those are different things. I expect a not found exception when I provided an invalid id, right? I am also seeing the name of the user pool after I invoked fromUserPoolId(). The whole point is that I get my expected User Pool, but the id is incorrect.

@peterwoodworth
Contributor

You would want to import your user pool if you need to pass it into a construct that accepts an IUserPool as a prop. When you're importing a resource with fromUserPoolId(), you're just telling CDK to create a reference to the User Pool that you specify. So, if you want to reference a User Pool by its ID, you need to provide the ID that you want to reference. Like I've said, CDK will not look up anything, and as such will not know if you've provided inaccurate information

If you can't manually provide the ID for the user pool and need to fetch it programmatically, you shouldn't do this during synth, and should instead do this with a script that writes to a file before running synth, and have synth read the contents of that file. See the section Commit cdk.context.json to avoid... for more information
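
Added example, not part of the thread and not CDK's own code: because fromUserPoolId() performs no lookup, a check like the following can reject a pool name or construct id before it is baked into the resource ARN of an IAM statement. The function names, the region comparison and the sample ids are assumptions made for illustration; the id pattern is the one the Cognito API reference gives for UserPoolId, and the values are assumed to be concrete strings rather than CDK tokens.

```typescript
// Added example: helper names and sample values are constructed for illustration.
// Cognito user pool ids have the form <region>_<suffix> (pattern from the Cognito API reference).
const USER_POOL_ID_PATTERN = /^[\w-]+_[0-9a-zA-Z]+$/;

interface PoolRef {
  userPoolId: string;
  userPoolArn: string;
}

// Validate a concrete user pool id and build the ARN in the shape shown in the thread:
// arn:aws:cognito-idp:<region>:<account>:userpool/<id>
function resolveUserPoolRef(id: string, region: string, account: string): PoolRef {
  if (!USER_POOL_ID_PATTERN.test(id)) {
    throw new Error(`"${id}" is not a user pool id (expected <region>_<suffix>); is it the pool name or a construct id?`);
  }
  // The suffix never contains "_", so everything before the last "_" is the region prefix.
  const idRegion = id.slice(0, id.lastIndexOf("_"));
  if (idRegion !== region) {
    throw new Error(`user pool id region "${idRegion}" does not match expected region "${region}"`);
  }
  return {
    userPoolId: id,
    userPoolArn: `arn:aws:cognito-idp:${region}:${account}:userpool/${id}`,
  };
}

// IAM statement (plain JSON shape) scoped to exactly one pool.
function adminCreateUserStatement(ref: PoolRef) {
  return {
    Effect: "Allow",
    Action: ["cognito-idp:AdminCreateUser"],
    Resource: [ref.userPoolArn],
  };
}

// Constructed sample values: a well-formed id, then the pool name from the report.
const good = resolveUserPoolRef("eu-central-1_AbC123xyz", "eu-central-1", "123456789012");
console.log(JSON.stringify(adminCreateUserStatement(good)));

try {
  resolveUserPoolRef("dev-user-pool", "eu-central-1", "123456789012");
} catch (e) {
  console.log((e as Error).message); // rejected: a name, not an id
}
```

A name that happens to contain an underscore passes the pattern but is still caught by the region comparison.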
