# ✅ - how do I convert the cognito identity ID to the cognito sub?


granite wing

When a user is allowed to upload to a private or protected prefix in S3 storage, they send it to a prefix that, although the documentation says it is something akin to a Cognito sub, is in fact not quite the sub you would find on their Cognito user page. It's also not the sub nor the user identity included in a GraphQL owner field (which seems to just be the Cognito sub twice, even though the documentation says the second part of it is an identity). This is fine, but I need a way to either replace that with their actual Cognito sub, or a way to translate that identity ID into their Cognito sub.

I tried a method I found online to use "principal tags" to allow access to a Cognito sub-based prefix, but that didn't seem to work. Does anyone know how I could get the Cognito sub-based approach to work, or how to translate the identity ID into the Cognito sub?

granite wing

Per the office hours, it looks like there's no way to actually get the sub from the identity ID directly. It also doesn't appear to be easy to use a policy to allow access based on the principal tags without having to set up the mappings. Setting up those mappings doesn't appear to be something I can do through CloudFormation easily, so it's not something I can rely on for redeploying the app from scratch.

The solution I'm going with for now is to have the front end predict what the S3 key will be, since it has direct access to the sub and the identity ID. Then it will create a GraphQL record that tracks the upload path. It will be generating the ID of that GraphQL record itself (to be used in DynamoDB) and providing it when it creates that record, so that it can be looked up deterministically by the back end when it sees the new S3 object has been created, because that DynamoDB record ID will be included in the S3 path. The path will look something like this:

private/<identity ID>/resumes/<DynamoDB Record ID>/<file name>

Because the user is creating the upload record through GraphQL, the owner field will automatically be filled with their sub, allowing me to tie that record back to a specific user. This prevents someone from uploading something and tricking the system into thinking that it's for someone else.

Then, when the S3 trigger goes off, the back end will be able to find who owns the file as well as know where to go to get the file so that it can be processed.

Trying to leave my solution here in case someone comes across this.
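The back-end side of the scheme described in the post above, as an added example that is not code from the original thread: a Node.js S3-trigger handler that parses the `private/<identity ID>/resumes/<DynamoDB Record ID>/<file name>` layout, looks the upload record up by the ID embedded in the key, and returns the owner's Cognito sub from that record. The record table, identity IDs and subs are constructed samples standing in for the real DynamoDB table; the check that the actual key equals the path the front end stored on the record is an added safeguard so that a record ID cannot be reused under a different user's identity prefix.

```javascript
// Key layout the front end predicts and uploads to (from the post above).
const KEY_PATTERN = /^private\/([^/]+)\/resumes\/([^/]+)\/([^/]+)$/;

// Constructed sample of the GraphQL-created upload records (stand-in for DynamoDB).
// `owner` is filled in by the API's owner auth rule, not chosen by the client;
// `path` is the S3 key the front end predicted when it created the record.
const uploadRecords = {
  "rec-123": {
    owner: "SUB-PLACEHOLDER-1111", // constructed Cognito sub
    path: "private/us-east-1:IDENTITY-PLACEHOLDER-a/resumes/rec-123/cv.pdf",
  },
  "rec-456": {
    owner: "SUB-PLACEHOLDER-2222", // constructed Cognito sub
    path: "private/us-east-1:IDENTITY-PLACEHOLDER-b/resumes/rec-456/resume.docx",
  },
};

// Split a key into its three variable segments, or null if it is not an upload key.
function parseUploadKey(key) {
  const m = KEY_PATTERN.exec(key);
  if (!m) return null;
  return { identityId: m[1], recordId: m[2], fileName: m[3] };
}

// Resolve a key to the owning sub via the record whose ID is embedded in the key.
function resolveUpload(key, records = uploadRecords) {
  const parsed = parseUploadKey(key);
  if (!parsed) return { ok: false, reason: "unexpected key layout" };
  const record = records[parsed.recordId];
  if (!record) return { ok: false, reason: "no upload record for this ID" };
  // Added safeguard: the key must be exactly the path recorded at creation time,
  // otherwise a record ID was reused under another prefix or file name.
  if (record.path !== key) return { ok: false, reason: "key does not match recorded path" };
  return { ok: true, ownerSub: record.owner, key, ...parsed };
}

// Lambda-style handler: S3 event keys are URL-encoded with spaces as '+'.
function handler(event, records = uploadRecords) {
  return event.Records.map((r) => {
    const key = decodeURIComponent(r.s3.object.key.replace(/\+/g, " "));
    return resolveUpload(key, records);
  });
}
```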

valid spireBOT

✅ - how do I convert the cognito identity ID to the cognito sub?