How do I use Amazon Cognito identity pools to grant users access to AWS services?


I want to use Amazon Cognito user pools together with Amazon Cognito identity pools to give users access to AWS resources.

Resolution

You can integrate Amazon Cognito identity pools with Amazon Cognito user pools to issue temporary AWS credentials for access to AWS resources. Configure the user pool as an authentication provider on the identity pool. After a user authenticates through the user pool, pass the user pool ID token to one of the identity pool's two authentication flows to retrieve temporary credentials: the basic (classic) flow, in which the client chooses the IAM role and calls AWS Security Token Service (AWS STS) itself, or the enhanced flow, in which the identity pool chooses the role from its role mappings and returns credentials directly. The enhanced flow is the default; the basic flow must be explicitly turned on for the identity pool.

Important: In the following example AWS Command Line Interface (AWS CLI) commands, replace all instances of example strings with your values. (For example, replace "example_identity_pool_id" with your identity pool ID, and replace "region:abcdef" with the identity ID that the GetId call returns; an identity ID has the form <region>:<UUID>.)

Basic flow

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Perform the following steps to retrieve temporary AWS credentials using the basic authentication flow:

1.    From the old Amazon Cognito console, choose Manage Identity Pools. Select the name of the Amazon Cognito identity pool that you're updating, and then choose Edit identity pool. Under Authentication flow settings, select Allow Basic (Classic) Flow, and then save the changes.

2.    To generate or retrieve a user identity in the identity pool, call the GetId API.

An example get-id command:

aws cognito-identity get-id --identity-pool-id "example_identity_pool_id" --logins cognito-idp.example_region.amazonaws.com/example_cognito_user_pool_id=example_cognito_user_id_token

An example output:

{
    "IdentityId": "region:abcdef"
}

3.    To retrieve the OpenID token for the identity, use the identity ID from step 2 to call the GetOpenIdToken API.

An example get-open-id-token command:

aws cognito-identity get-open-id-token --identity-id "region:abcdef" --logins cognito-idp.example_region.amazonaws.com/example_cognito_user_pool_id=example_cognito_user_id_token

An example output:

{
    "IdentityId": "region:abcdef",
    "Token": "HIJKLMN"
}

4.    To retrieve the temporary credentials of the authenticated role, use the token from step 3 to call the AssumeRoleWithWebIdentity API. In the basic flow the caller supplies the role ARN, so the role's trust policy is what prevents tokens from other identity pools, or from unauthenticated (guest) identities, from assuming the role: it should trust the federated principal cognito-identity.amazonaws.com and require that cognito-identity.amazonaws.com:aud equals your identity pool ID and that cognito-identity.amazonaws.com:amr contains authenticated.

An example assume-role-with-web-identity command:

aws sts assume-role-with-web-identity --role-arn "example_auth_role_arn_of_the_identity_pool" --web-identity-token "HIJKLMN" --role-session-name "example_session_name"

An example output:

{
    "Credentials": {
        "AccessKeyId": "xxxxxxxxxxxx",
        "SecretAccessKey": "xxxxxxxxxxxx",
        "SessionToken": "xxxxxxxxxxxx",
        "Expiration": ""
    },
    "SubjectFromWebIdentityToken": "",
    "AssumedRoleUser": {
        "AssumedRoleId": "",
        "Arn": ""
    },
    "Provider": "cognito-identity.amazonaws.com",
    "Audience": ""
}
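Because the basic flow lets the client name the role it assumes, the role's trust policy is the control that matters. The following is an added example, not code from the original article, that checks a trust policy document for the two conditions described above; the weak and hardened policy documents and the identity pool ID are constructed placeholders for the example.

```python
"""Check that an identity pool's authenticated role is pinned to that pool.

Added example, not from the original article. In the basic (classic) flow the
client chooses the role ARN it passes to AssumeRoleWithWebIdentity, so the role's
trust policy is the only thing stopping a token issued for some other identity
pool, or for a guest identity, from assuming the role. The policy documents and
identity pool ID below are constructed placeholders.
"""
import json

IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # placeholder

# Weak: trusts any Cognito identity, from any identity pool in any account,
# authenticated or not.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Hardened: only tokens issued for this identity pool, and only for
# authenticated identities (the shape the Cognito console generates).
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, identity_pool_id):
    """Return a list of problems in every Allow statement that lets Cognito
    identities call AssumeRoleWithWebIdentity. An empty list means each such
    statement is pinned to identity_pool_id and to authenticated identities."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if "cognito-identity.amazonaws.com" not in federated:
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})

        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud is None:
            findings.append(f"statement {i}: no aud condition; any identity pool can assume this role")
        elif identity_pool_id not in _as_list(aud):
            findings.append(f"statement {i}: aud is pinned to a different identity pool: {aud}")

        # amr is a multi-valued key, so it must be matched with a ForAnyValue operator.
        amr_cond = {**cond.get("ForAnyValue:StringEquals", {}), **cond.get("ForAnyValue:StringLike", {})}
        amr = amr_cond.get("cognito-identity.amazonaws.com:amr")
        if amr is None:
            findings.append(f"statement {i}: no amr condition; unauthenticated (guest) identities can assume this role")
        elif "authenticated" not in _as_list(amr):
            findings.append(f"statement {i}: amr does not require 'authenticated': {amr}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, json.dumps(trust_policy_findings(policy, IDENTITY_POOL_ID), indent=2))
```

Run it over the output of `aws iam get-role` (the AssumeRolePolicyDocument field) for every role that trusts cognito-identity.amazonaws.com; the unauthenticated role, if you use one, should instead require amr to contain unauthenticated.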

Enhanced flow

Perform the following steps to retrieve temporary AWS credentials using the enhanced authentication flow:

1.    To generate or retrieve a user identity in the Amazon Cognito identity pool, call the GetId API.

An example get-id command:

aws cognito-identity get-id --identity-pool-id "example_identity_pool_id" --logins cognito-idp.example_region.amazonaws.com/example_cognito_user_pool_id=example_cognito_user_id_token

An example output:

{
    "IdentityId": "region:abcdef"
}

2.    To retrieve temporary credentials from the identity pool, call the GetCredentialsForIdentity API.

An example get-credentials-for-identity command:

aws cognito-identity get-credentials-for-identity --identity-id "region:abcdef" --logins cognito-idp.example_region.amazonaws.com/example_cognito_user_pool_id=example_cognito_user_id_token

An example output:

{
    "IdentityId": "region:abcdef",
    "Credentials": {
        "AccessKeyId": "xxxxxxxxxx",
        "SecretKey": "xxxxxxxxxx",
        "SessionToken": "xxxxxxxxxx",
        "Expiration": ""
    }
}
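Both flows above, implemented as an added example (not code from the original article) so that the differences are visible side by side: the Logins key is derived from the ID token's issuer claim so it always matches the user pool that issued the token, and the two credential responses are normalised because GetCredentialsForIdentity returns SecretKey where AWS STS returns SecretAccessKey. The API clients are passed in as arguments; main() builds real clients and assumes boto3 is installed. The sample ID token is constructed and unsigned (real tokens are signed by the user pool), and every ID, ARN and environment variable name is a placeholder.

```python
"""Basic (classic) and enhanced identity pool flows from code.

Added example, not from the original article. The basic flow is
GetId -> GetOpenIdToken -> AssumeRoleWithWebIdentity; the enhanced flow is
GetId -> GetCredentialsForIdentity. Clients are passed in so the functions can
be run against any object with those methods; main() assumes boto3 is
installed. All identifiers are placeholders.
"""
import base64
import json


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample token for offline use. A real user pool ID token
# carries an RS256 signature that the identity pool verifies against the pool's JWKS.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example"}),
    _b64url({"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
             "sub": "11111111-1111-1111-1111-111111111111",
             "token_use": "id", "aud": "exampleclientid"}),
    "signature-placeholder",
])


def jwt_claims(token):
    """Decode a JWT payload without verifying it. Used only to read iss so the
    Logins key matches the issuing user pool; Cognito checks the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def logins_for_user_pool(id_token):
    """Build the Logins map from the token's issuer.
    iss is https://cognito-idp.<region>.amazonaws.com/<user_pool_id>;
    the Logins key is that URL without the scheme."""
    iss = jwt_claims(id_token)["iss"]
    if not iss.startswith("https://cognito-idp."):
        raise ValueError(f"not a Cognito user pool issuer: {iss}")
    return {iss[len("https://"):]: id_token}


def _normalize(creds):
    """GetCredentialsForIdentity returns SecretKey; STS returns SecretAccessKey.
    Return one shape that can be passed straight to boto3.Session(**creds)."""
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds.get("SecretAccessKey", creds.get("SecretKey")),
        "aws_session_token": creds["SessionToken"],
    }


def basic_flow(identity, sts, identity_pool_id, id_token, role_arn, session_name="cognito-basic"):
    """Basic flow: the caller names the role, so its trust policy must pin aud and amr."""
    logins = logins_for_user_pool(id_token)
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    oidc_token = identity.get_open_id_token(IdentityId=identity_id, Logins=logins)["Token"]
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=oidc_token)
    return identity_id, _normalize(resp["Credentials"])


def enhanced_flow(identity, identity_pool_id, id_token):
    """Enhanced flow: the identity pool picks the role from its role mappings."""
    logins = logins_for_user_pool(id_token)
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return resp["IdentityId"], _normalize(resp["Credentials"])


def main():
    import os
    import boto3  # assumed installed; only needed for real calls
    from botocore import UNSIGNED
    from botocore.config import Config

    region = os.environ["AWS_REGION"]              # placeholder variable names
    pool_id = os.environ["IDENTITY_POOL_ID"]
    id_token = os.environ["COGNITO_ID_TOKEN"]
    # The caller has no AWS credentials yet, so these identity pool calls are unsigned.
    identity = boto3.client("cognito-identity", region_name=region,
                            config=Config(signature_version=UNSIGNED))
    identity_id, creds = enhanced_flow(identity, pool_id, id_token)
    print(identity_id, creds["aws_access_key_id"])


if __name__ == "__main__":
    main()
```

The Logins map is keyed by the token issuer, so a token from a user pool in another Region or account will produce a key that the identity pool has not been configured with and GetId will reject it, which is the behaviour you want.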

To learn more about complex role-based access controls and attribute-based access controls, see Fine-grained access control with Amazon Cognito identity pools.


Related information

Identity pools (federated identities) authentication flow

AWS OFFICIAL
Updated a year ago