Description
Environment information
System:
OS: Linux 6.8 Ubuntu 24.04.1 LTS 24.04.1 LTS (Noble Numbat)
CPU: (16) x64 AMD Ryzen 7 7700X 8-Core Processor
Memory: 17.55 GB / 30.46 GB
Shell: /bin/bash
Binaries:
Node: 20.18.1 - ~/.nvm/versions/node/v20.18.1/bin/node
Yarn: undefined - undefined
npm: 10.8.2 - ~/.nvm/versions/node/v20.18.1/bin/npm
pnpm: 9.5.0 - ~/.local/share/pnpm/pnpm
NPM Packages:
@aws-amplify/auth-construct: 1.3.1
@aws-amplify/backend: 1.3.0
@aws-amplify/backend-auth: 1.2.0
@aws-amplify/backend-cli: 1.2.8
@aws-amplify/backend-data: 1.1.4
@aws-amplify/backend-deployer: 1.1.4
@aws-amplify/backend-function: 1.5.0
@aws-amplify/backend-output-schemas: 1.2.0
@aws-amplify/backend-output-storage: 1.1.2
@aws-amplify/backend-secret: 1.1.3
@aws-amplify/backend-storage: 1.2.0
@aws-amplify/cli-core: 1.1.3
@aws-amplify/client-config: 1.3.2
@aws-amplify/deployed-backend-client: 1.4.1
@aws-amplify/form-generator: 1.0.3
@aws-amplify/model-generator: 1.0.8
@aws-amplify/platform-core: 1.1.0
@aws-amplify/plugin-types: 1.3.0
@aws-amplify/sandbox: 1.2.2
@aws-amplify/schema-generator: 1.2.4
aws-amplify: 6.6.2
aws-cdk: 2.160.0
aws-cdk-lib: 2.160.0
typescript: 5.6.2
AWS environment variables:
AWS_STS_REGIONAL_ENDPOINTS = regional
AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables
Describe the feature
When using the `access` field of `defineAuth` to bestow userPool permissions to a lambda, only the userPool ID (`env.AMPLIFY_AUTH_USERPOOL_ID`) is added to the environment variables by default. I propose that the userPool client ID should be included as well, for example in `env.AMPLIFY_AUTH_USERPOOL_CLIENT_ID`.
Use case
My use case for this feature would be to more easily use the CognitoJwtVerifier package within a custom authorizer lambda. My team uses this custom authorizer to resolve fine-grained permissions defined in a userInfo table that is associated with our cognito users.
The JWT verification step ensures that the token is valid and obtains the claims from the access key. One such claim is the user `sub`, which is used to obtain the full userInfo record. From there the permissions are resolved based on the graphQL and the permissions object.
The CognitoJwtVerifier package requires the cognito client ID. Currently this can be done within the backend configuration by adding an environment variable after `defineBackend` is called (or by a bootstrapping step involving Amplify secrets, as was required to avoid circular dependencies within the cfn stacks, though this is no longer necessary). By adding `env.AMPLIFY_AUTH_USERPOOL_ID` to the lambda env by default, the need for workarounds goes away entirely.
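As an added example (not code from the issue, from CognitoJwtVerifier, or from the Amplify project), the checks a custom authorizer applies to a Cognito access token, showing where the user pool ID and the client ID are each needed; `AMPLIFY_AUTH_USERPOOL_CLIENT_ID` is the requested variable and is assumed here, and the signing key is supplied by the caller rather than fetched from the pool's JWKS endpoint, which is what the library does for you.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "crypto";

export interface VerifierConfig {
  region: string;
  userPoolId: string; // env.AMPLIFY_AUTH_USERPOOL_ID, set by Amplify today
  clientId: string;   // env.AMPLIFY_AUTH_USERPOOL_CLIENT_ID, assumed (the requested variable)
}

// Fail fast at cold start if either ID is missing, instead of on the first request.
export function configFromEnv(env: Record<string, string | undefined>): VerifierConfig {
  const userPoolId = env.AMPLIFY_AUTH_USERPOOL_ID;
  const clientId = env.AMPLIFY_AUTH_USERPOOL_CLIENT_ID;
  if (!userPoolId || !clientId) throw new Error("user pool ID and client ID are required");
  // Cognito user pool IDs have the form "<region>_<id>".
  return { region: userPoolId.split("_")[0], userPoolId, clientId };
}

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Builds an RS256 JWT with the given claims (used here only to construct sample tokens).
export function signToken(claims: Record<string, unknown>, key: KeyObject): string {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(key).toString("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims on success, or a short reason string on failure.
export function verifyAccessToken(
  token: string, cfg: VerifierConfig, pubKey: KeyObject, now = Date.now() / 1000,
): Record<string, any> | string {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) return "malformed token";
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  if (header.alg !== "RS256") return "unexpected alg"; // the algorithm is pinned, never trusted from the header
  const ok = createVerify("RSA-SHA256").update(`${head}.${body}`).verify(pubKey, Buffer.from(sig, "base64url"));
  if (!ok) return "bad signature";
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  // The issuer check is where the user pool ID is needed.
  if (claims.iss !== `https://cognito-idp.${cfg.region}.amazonaws.com/${cfg.userPoolId}`) return "wrong issuer";
  if (claims.token_use !== "access") return "not an access token";
  // The client_id check is where the client ID is needed: a valid token minted for
  // another app client of the same pool must not be accepted by this authorizer.
  if (claims.client_id !== cfg.clientId) return "wrong client_id";
  if (typeof claims.exp !== "number" || claims.exp <= now) return "expired";
  return claims;
}
```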