AWS Cognito Authentication via Facebook succeeds b

2019-06-28 02:37发布

问题:

In the browser, after Facebook Login, statusChangeCallback is called. Everything succeeds. Cognito even returns an Identity Id. However, userPool.getCurrentUser() returns null. Cognito does not think there is an authenticated user. How can I fix that? Thanks.

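/**
 * Facebook login status callback: when the user is connected, exchange the
 * Facebook access token for AWS credentials through a Cognito identity pool.
 *
 * The access token and the credentials object are deliberately kept out of
 * the console. Console output is readable by browser extensions and is often
 * copied into screenshots and bug reports, so bearer tokens should not be
 * printed there.
 *
 * @param {Object} response - Status object passed by the Facebook SDK; only
 *   `status` and `authResponse.accessToken` are read here.
 */
function statusChangeCallback(response) {
    // Strict comparison; bail out unless the session is connected and carries an auth payload.
    if (response.status !== 'connected' || !response.authResponse) {
        return;
    }

    testAPI();

    // Log the status only; the full response contains the Facebook access token.
    console.log("FB statusChangeCallback", response.status);

    AWSCognito.config.credentials = new AWSCognito.CognitoIdentityCredentials({
        // NOTE(review): this parameter expects an identity pool id, but the variable
        // name suggests a user pool id; confirm which value is injected here.
        IdentityPoolId : '<%=process.env.AWS_USERPOOLGUID%>', // your identity pool id here
        Logins : {
            'graph.facebook.com': response.authResponse.accessToken
        }
    });

    AWSCognito.config.region = '<%= process.env.AWS_REGION%>';

    AWSCognito.config.credentials.refresh(function(error) {
        if (error) {
            // The label names the call that actually failed (refresh, not get).
            console.error("AWSCognito.config.credentials.refresh", error);
            return;
        }

        console.log("Cognito Identity Id", AWSCognito.config.credentials.identityId);
        console.log('Successfully logged!');
        // getCurrentUser() reads the user pool's own session, which a federated
        // identity-pool login does not populate.
        var cognitoUser = userPool.getCurrentUser();
        console.log('cognitoUser', cognitoUser);
    });
}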

回答1:

userPool.getCurrentUser();

refers to the authenticated user of a particular user pool. What the code above does is obtain AWS credentials using a Facebook identity. However, the current user is the last authenticated user of the user pool, which is saved in local storage after a successful authentication. So you would need to authenticate against the user pool first, similar to the code below.

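// Authenticate against the user pool itself; this is what populates the
// session that userPool.getCurrentUser() later reads from local storage.
// 'username' and 'password' are placeholders: take the real values from the
// sign-in form at runtime and never hard-code them in page source.
var authenticationData = {
    Username : 'username',
    Password : 'password',
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
var poolData = { 
    UserPoolId : '...', // Your user pool id here
    ClientId : '...' // Your client id here
};
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);
var userData = {
    Username : 'username',
    Pool : userPool
};
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        // Do not print the JWTs: they are bearer credentials, and console output
        // is visible to browser extensions and ends up in shared logs.
        console.log('user pool authentication succeeded');

        // Exchange the user pool ID token for AWS credentials via the identity pool.
        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId : '...', // your identity pool id here
            Logins : {
                // Change the key below according to the specific region your user pool is in.
                'cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>' : result.getIdToken().getJwtToken()
            }
        });

        // Instantiate aws sdk service objects now that the credentials have been updated.
        // example: var s3 = new AWS.S3();

    },

    onFailure: function(err) {
        alert(err);
    },

});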


回答2:

It looks like you need to change your AWSCognito.config.credentials from what you have to this:

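// Add the Facebook access token to the Cognito credentials login map.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'IDENTITY_POOL_ID', // the identity pool id, not the user pool id
  Logins: {
    'graph.facebook.com': response.authResponse.accessToken
  }
});

// Obtain AWS credentials
AWS.config.credentials.get(function (err) {
  if (err) {
    // The token exchange failed, so there are no usable credentials;
    // stop here rather than calling AWS services unauthenticated.
    console.error('AWS.config.credentials.get', err);
    return;
  }
  // Access AWS resources here.
});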

Note: use IdentityPoolId: 'IDENTITY_POOL_ID', and not IdentityPoolId : '<%=process.env.AWS_USERPOOLGUID%>', // your identity pool id here

Looks like you are trying to access your USER POOL and not your IDENTITY POOL.

Facebook users live in the Identity Pool because they are federated users who authenticate through Facebook's servers.