I am using Node.js Lambdas to get authentication tokens from AWS Cognito, and in the front-end code I am using the "aws-sdk": "^2.74.0" JavaScript/TypeScript SDK:

    var creds = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: environment.identityPoolId
    });
    AWS.config.update({
        region: environment.region,
        credentials: creds
    });
    var lambda = new AWS.Lambda();

When I assign the token and identity ID to my AWS.CognitoIdentityCredentials.params in the following way:

    creds.params['IdentityId'] = output.identityId;
    creds.params['Logins'] = {};
    creds.params['Logins']['cognito-identity.amazonaws.com'] = output.token;
    creds.expired = true;

I am able to get the following lambda.invoke calls to use the authenticated role ARN configured for my federated identity pool. The issue I am having is when I try to sign the user out. I have read many forum posts, but nobody seems to have a clear explanation of this. I tried using the following in my front-end logout function, which didn't help:

    creds.clearCachedId();
    creds.refreshPromise();

Are there any examples showing how the JavaScript aws-sdk would clear the session/authentication information and switch back to the unauthenticated user role ARN, or log out the user and update the config so that the next call to an AWS service (lambda.invoke in my case) would use the unauthenticated role ARN instead of trying to use the authenticated role? So it seems Cognito is not aware of the sign-out, or I am missing the call to make it aware. I was hoping creds.clearCachedId() would do it, but apparently not.

Well, it turns out I needed to clear the creds.params manually:

    creds.params['IdentityId'] = null;
    creds.params['Logins'] = null;

I would think the below would do it, but apparently not.

    creds.clearCachedId();
    creds.refreshPromise();
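
The two logout variants from this thread side by side, as an added example that is not part of the original post. `makeStubCreds`, `signIn`, `nextRole`, `logoutCacheOnly`, `logoutFull` and `demo` are hypothetical names, the stub is a constructed stand-in for `AWS.CognitoIdentityCredentials`, and `nextRole` is a simplified model that assumes a non-empty `Logins` map makes the next credentials request an authenticated one.

```javascript
// Added example. makeStubCreds() is a constructed stand-in for
// AWS.CognitoIdentityCredentials so the block runs without aws-sdk or network.
function makeStubCreds(identityPoolId) {
  return {
    params: { IdentityPoolId: identityPoolId },
    expired: true,
    _cachedId: null,
    // Stub: forgets only the cached id and leaves params.Logins untouched.
    clearCachedId() { this._cachedId = null; },
  };
}

// Same assignments as in the question: attach the developer token.
function signIn(creds, identityId, token) {
  creds.params.IdentityId = identityId;
  creds.params.Logins = { 'cognito-identity.amazonaws.com': token };
  creds._cachedId = identityId;
  creds.expired = true;
}

// Which role the next refresh would ask for (assumed model): a non-empty
// Logins map means the request still carries a login token.
function nextRole(creds) {
  const logins = creds.params.Logins;
  return logins && Object.keys(logins).length > 0 ? 'authenticated' : 'unauthenticated';
}

// The attempt from the question: clears the cached id only.
function logoutCacheOnly(creds) {
  creds.clearCachedId();
  creds.expired = true;
  return nextRole(creds);
}

// The fix from the answer: also clear IdentityId and Logins by hand.
function logoutFull(creds) {
  creds.params.IdentityId = null;
  creds.params.Logins = null;
  creds.clearCachedId();
  creds.expired = true; // force the next call to fetch fresh credentials
  return nextRole(creds);
}

function demo() {
  const [a, b] = [0, 1].map(() => makeStubCreds('POOL_ID_PLACEHOLDER'));
  for (const c of [a, b]) signIn(c, 'constructed-identity-id', 'constructed-token');
  return { cacheOnly: logoutCacheOnly(a), full: logoutFull(b) };
}
console.log(demo());
```

With the real SDK object, the same check on `creds.params.Logins` before the next `lambda.invoke` shows whether a login token is still attached after logout.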