I have a working iOS app using AWS Cognito AWSMobileClient where users can sign in and log in/out with AWSAuthUI.
What I want to do next is: having a sub from another us
You would use the ListUsers API, indeed.
Here is its documentation for AWS iOS SDK. One of the filters you can apply is for "sub".
The user calling ListUsers must have a role assigned that will grant it access to that API. Have a look at this AWS blog post for an example in JS.
However, you can't allow everyone to list all users in the pool, that would be a huge security hole. Permissions to list all users should be reserved to application administrators, and only if needed. Instead, what you can do is set up a Lambda function on AWS, called through API Gateway. The function would take the sub as input and would return the email address. The role attached to that function would give it access to call ListUsers for your pool. That would limit the amount of information your users can get about others, but your Lambda should still run checks to make sure it's not abused. For example, if user X wants to get the email address of user Y, user Y should approve that in advance.
I don't know your use case, but in general, allowing anyone to get information about any user of your app should be done with care. Any interaction between users should be transparent to them and agreed to. Keep in mind that users can log in to Cognito from outside your application if they can find the app ID and secret token. When giving a user access to anything, think about how it can be misused. You might realize that you should rethink how you approach the problem.
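Added example, not code from the answer above: a Python Lambda handler sketching the sub-to-email lookup the answer describes, with the approval check it recommends. It assumes an API Gateway REST API with a Cognito user pool authorizer (so the caller's sub comes from the verified JWT claims in `event["requestContext"]["authorizer"]["claims"]`), a path parameter named `sub`, a hypothetical approvals store (a dict here; a DynamoDB table in practice) and a user pool id `us-east-1_EXAMPLE`. The `FakeCognitoClient`, the sample subs and the sample approvals are constructed so the block runs offline; in a real deployment the `boto3` `cognito-idp` client is used and the function's role needs `cognito-idp:ListUsers` on the pool ARN. Two details worth copying: the target sub is validated as a UUID before being concatenated into the `ListUsers` filter string, and the approval check runs before the lookup, so an unapproved caller gets the same 403 whether or not the target exists and cannot use the endpoint to enumerate subs.

```python
import json
import re

# Assumed user pool id; replace with your own.
USER_POOL_ID = "us-east-1_EXAMPLE"

# A Cognito sub is a UUID. Rejecting anything else keeps attacker-controlled text
# out of the ListUsers filter, which is built by string concatenation below.
SUB_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed sample identities (not real users).
ALICE_SUB = "11111111-1111-4111-8111-111111111111"
BOB_SUB = "22222222-2222-4222-8222-222222222222"
CAROL_SUB = "33333333-3333-4333-8333-333333333333"

# Hypothetical approvals store (stand-in for a DynamoDB table):
# target sub -> set of caller subs the target has agreed to share an email with.
# Bob has approved Alice; nobody has approved Bob or Carol's requests.
SAMPLE_APPROVALS = {BOB_SUB: {ALICE_SUB}}


class FakeCognitoClient:
    """Constructed stand-in for boto3.client("cognito-idp"); implements only list_users."""

    def __init__(self, users):
        self._users = users  # sub -> email

    def list_users(self, UserPoolId, Filter, Limit=60):
        # Cognito's ListUsers filter syntax for an exact match is: sub = "value"
        m = re.fullmatch(r'sub = "([^"]*)"', Filter)
        sub = m.group(1) if m else None
        users = []
        if sub in self._users:
            users.append({"Username": sub, "Attributes": [
                {"Name": "sub", "Value": sub},
                {"Name": "email", "Value": self._users[sub]},
            ]})
        return {"Users": users[:Limit]}


# Constructed pool contents: Carol has no account (e.g. deleted after approving).
SAMPLE_USERS = FakeCognitoClient({ALICE_SUB: "alice@example.com",
                                  BOB_SUB: "bob@example.com"})


def _response(status, body):
    # API Gateway proxy integration expects a string body.
    return {"statusCode": status, "body": json.dumps(body)}


def lookup_email(client, target_sub):
    """Exact-match ListUsers on the sub attribute; returns the email or None."""
    resp = client.list_users(UserPoolId=USER_POOL_ID,
                             Filter=f'sub = "{target_sub}"', Limit=1)
    for user in resp.get("Users", []):
        for attr in user.get("Attributes", []):
            if attr["Name"] == "email":
                return attr["Value"]
    return None


def handler(event, context=None, client=None, approvals=SAMPLE_APPROVALS):
    # Caller identity comes from the authorizer's verified JWT claims, never
    # from the request body, so one user cannot claim to be another.
    try:
        caller = event["requestContext"]["authorizer"]["claims"]["sub"]
    except (KeyError, TypeError):
        return _response(401, {"error": "unauthenticated"})

    target = (event.get("pathParameters") or {}).get("sub", "")
    if not SUB_RE.match(target):
        return _response(400, {"error": "invalid sub"})

    # Authorization before lookup: unapproved callers learn nothing about
    # whether the target exists.
    if caller not in approvals.get(target, set()):
        return _response(403, {"error": "not approved by target"})

    if client is None:  # real deployment; role needs cognito-idp:ListUsers on the pool
        import boto3
        client = boto3.client("cognito-idp")

    email = lookup_email(client, target)
    if email is None:
        return _response(404, {"error": "no such user"})
    return _response(200, {"sub": target, "email": email})


def make_event(caller_sub, target_sub):
    """Build the subset of an API Gateway (REST, Cognito authorizer) event the handler reads."""
    return {
        "requestContext": {"authorizer": {"claims": {"sub": caller_sub}}},
        "pathParameters": {"sub": target_sub},
    }
```

Invoke it as `handler(make_event(ALICE_SUB, BOB_SUB), client=SAMPLE_USERS)` to see the approved path return Bob's email; swapping the two subs returns 403 because Alice never approved Bob.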