AWS Cognito: Difference between Cognito ID and sub, what should I use as primary key?

The naming can get confusing, so I'll try to clarify.

There are typically two pools under the umbrella of Amazon Cognito:

  • User Pool
  • Identity Pool (Federated Identities)

The "sub" that you are referring to is typically expressed in IAM Policies as

${cognito-identity.amazonaws.com:sub}

and will resolve to the value found in (in the JavaScript SDK)

AWS.config.credentials.identityId

which will look something like

us-east-1:########-####-####-####-############

It will only exist on the credentials once the credentials have been refreshed.

So to answer your question, the sub.
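
The policy variable mentioned in the answer above, shown in a complete IAM policy as an added example that is not part of the original answer. It is attached to an identity pool's authenticated role and limits each caller to DynamoDB items whose partition key equals their own identity ID; the account ID `123456789012`, the table name `ExampleUserData`, the `Sid` and the chosen actions are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleRowLevelAccessByIdentityId",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleUserData",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```

With a policy like this, the partition key stored in the table has to be the identity pool value in the `us-east-1:########-####-####-####-############` form, because that is what the variable resolves to at request time. A key of any other shape never matches the condition and the request is denied.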


  • sub (subject) is globally unique and hence is unique for the user pool as well.
  • Unlike username, which can be reassigned to another user in the user pool, sub is never reassigned.

Source