I need to integrate an Amazon Cognito user pool with an Amazon Cognito identity pool when they're located in different accounts.
Short description
When a user signs in to your application, Amazon Cognito verifies the sign-in information. After successfully signing in, an Amazon Cognito user pool creates a session and returns ID, access, and refresh tokens to the authenticated user.
An Amazon Cognito identity pool provides temporary AWS credentials for unauthenticated guest users and authenticated users who receive tokens from supported identity providers (IdPs). With these AWS credentials, your application can securely access AWS services.
You can integrate an Amazon Cognito user pool with an Amazon Cognito identity pool that's located in a different AWS account. With this configuration, your users authenticate from a user pool in one account. Then, to access AWS services, your users use temporary AWS credentials that they obtain from an identity pool in another account.
Resolution
The following cross-account scenario is an example configuration.
An Amazon Cognito user pool is in Account-A in the US East (N. Virginia) AWS Region. The Amazon Cognito identity pool is in Account-B in the Asia Pacific (Mumbai) Region.
In this scenario, a user authenticates with the Account-A user pool and then needs temporary AWS credentials from the Account-B identity pool. To allow this, you must add the Account-A user pool as an authentication provider to the Account-B identity pool. The identity pool then accepts ID tokens whose issuer is that user pool and whose audience is the registered app client ID, and rejects tokens from any other pool or client.
To add the user pool as an authentication provider, follow these steps:
1. Open the new Amazon Cognito console in Account-A.
2. Choose User Pools, and then choose the appropriate user pool from the list.
3. Copy the values for the User pool ID and the App client ID, and save them where you can retrieve them while working in Account-B.
Example user pool as an authentication provider:
Account-A user pool
User pool ID: us-east-1_xxxxxxxxx
App client ID: 79i7hhxxxxxxxx1d5iciiu7
4. Open the new Amazon Cognito console in Account-B, and then choose Federated identities.
5. From the list of identity pools, choose the appropriate identity pool.
6. Choose Edit identity pool. The Edit identity pool page appears.
7. Scroll down and choose Authentication providers to show the authentication provider options.
8. For the User pool ID, paste the user pool ID that you copied earlier.
9. For the App client ID, paste the app client ID that you copied earlier.
10. Save your changes.
Alternatively, invoke the UpdateIdentityPool API from Account-B to add the user pool as an authentication provider.
Example update-identity-pool command:
aws cognito-identity update-identity-pool --identity-pool-id example_identity_pool_id --identity-pool-name example_identity_pool_name --no-allow-unauthenticated-identities --cognito-identity-providers ProviderName=cognito-idp.example_user_pool_region.amazonaws.com/example_user_pool_id,ClientId=example_app_client_id,ServerSideTokenCheck=false --region example_identity_pool_region
Descriptions for the update-identity-pool command:
- example_identity_pool_id corresponds to the identity pool ID in Account-B. Example: ap-south-1:12345678-abcd-abcd-abcd-1234567890ab.
- example_identity_pool_name corresponds to the identity pool name. Example: test-pool.
- example_user_pool_region represents the Region of the Account-A user pool, which is the prefix of the user pool ID. Example: us-east-1. The ProviderName must use the user pool's Region even when the identity pool is in a different Region.
- example_user_pool_id represents the user pool ID from Account-A. Example: us-east-1_xxxxxxxxx.
- example_app_client_id represents the app client ID from Account-A. Example: 79i7hhxxxxxxxx1d5iciiu7.
- example_identity_pool_region represents the Region of the identity pool in Account-B, passed to --region. Example: ap-south-1.
- ServerSideTokenCheck controls whether the identity pool checks with the user pool that the user hasn't been disabled, deleted, or globally signed out before it issues credentials. With false, the identity pool trusts the token on its own until the token expires; set it to true if you want sign-out or account disablement in Account-A to take effect immediately in Account-B.
Important: UpdateIdentityPool replaces the identity pool's entire configuration, so any provider or setting that you omit from the call is removed. Invoke the DescribeIdentityPool API first, and then send all the existing identity pool parameters, together with the new provider, to the UpdateIdentityPool API.
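The following is an added example, not part of the original article or of any AWS-provided code. It shows the describe, merge, update sequence that the preceding note calls for, and it also builds the provider name that the Logins map uses when the app later calls GetId and GetCredentialsForIdentity, which is the string that ties the Account-A user pool to the Account-B identity pool. It assumes boto3 is installed and that Account-B credentials are configured in the environment when it talks to AWS; the sample DescribeIdentityPool response, the existing provider, and the tag in it are constructed for illustration. The example defaults ServerSideTokenCheck to true, which is the stricter choice, rather than the false in the command above.

```python
"""Register a cross-account Cognito user pool on an identity pool without
discarding the identity pool's existing configuration (UpdateIdentityPool is a
full replace, so describe first, merge, then update)."""
import copy

# Fields that DescribeIdentityPool returns and UpdateIdentityPool accepts.
# Anything else in the describe response (ResponseMetadata, for example) must
# not be echoed back.
UPDATABLE_KEYS = (
    "IdentityPoolId", "IdentityPoolName", "AllowUnauthenticatedIdentities",
    "AllowClassicFlow", "SupportedLoginProviders", "DeveloperProviderName",
    "OpenIdConnectProviderARNs", "CognitoIdentityProviders",
    "SamlProviderARNs", "IdentityPoolTags",
)

# Constructed sample shaped like a DescribeIdentityPool response for the
# Account-B pool; the existing provider and tag are invented to show they survive.
SAMPLE_DESCRIBE = {
    "IdentityPoolId": "ap-south-1:12345678-abcd-abcd-abcd-1234567890ab",
    "IdentityPoolName": "test-pool",
    "AllowUnauthenticatedIdentities": False,
    "AllowClassicFlow": False,
    "SupportedLoginProviders": {"accounts.google.com": "example-google-client-id"},
    "CognitoIdentityProviders": [
        {"ProviderName": "cognito-idp.ap-south-1.amazonaws.com/ap-south-1_yyyyyyyyy",
         "ClientId": "existingappclientid", "ServerSideTokenCheck": False},
    ],
    "IdentityPoolTags": {"env": "test"},
    "ResponseMetadata": {"HTTPStatusCode": 200},
}


def user_pool_provider_name(user_pool_id):
    """Provider name for a user pool: cognito-idp.<region>.amazonaws.com/<pool id>.

    The Region comes from the user pool ID prefix (Account-A's Region), not from
    the identity pool's Region. The same string is the Logins map key for GetId
    and GetCredentialsForIdentity.
    """
    region, sep, suffix = user_pool_id.partition("_")
    if not (sep and region and suffix):
        raise ValueError(f"not a Cognito user pool ID: {user_pool_id!r}")
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def logins_map(user_pool_id, id_token):
    """Logins parameter the app passes to GetId / GetCredentialsForIdentity."""
    return {user_pool_provider_name(user_pool_id): id_token}


def build_update_request(described, user_pool_id, app_client_id,
                         server_side_token_check=True):
    """Merge one user pool provider into a DescribeIdentityPool response and
    return the UpdateIdentityPool request. Idempotent: an entry with the same
    ProviderName and ClientId is replaced rather than duplicated."""
    request = {k: copy.deepcopy(described[k]) for k in UPDATABLE_KEYS if k in described}
    for required in ("IdentityPoolId", "IdentityPoolName", "AllowUnauthenticatedIdentities"):
        if required not in request:
            raise ValueError(f"describe response is missing {required}")
    new_provider = {
        "ProviderName": user_pool_provider_name(user_pool_id),
        "ClientId": app_client_id,
        # True makes the identity pool confirm with the user pool that the user
        # is not disabled or globally signed out before issuing credentials.
        "ServerSideTokenCheck": server_side_token_check,
    }
    providers = request.setdefault("CognitoIdentityProviders", [])
    key = (new_provider["ProviderName"], new_provider["ClientId"])
    for i, existing in enumerate(providers):
        if (existing.get("ProviderName"), existing.get("ClientId")) == key:
            providers[i] = new_provider
            break
    else:
        providers.append(new_provider)
    return request


def add_user_pool_provider(identity_pool_id, identity_pool_region, user_pool_id,
                           app_client_id, client=None):
    """Describe, merge, update. `client` is a boto3 cognito-identity client, or
    any object exposing describe_identity_pool/update_identity_pool (for tests).
    Account-B credentials are assumed to be configured in the environment."""
    if client is None:
        import boto3  # imported lazily so the pure helpers work without boto3
        client = boto3.client("cognito-identity", region_name=identity_pool_region)
    described = client.describe_identity_pool(IdentityPoolId=identity_pool_id)
    request = build_update_request(described, user_pool_id, app_client_id)
    return client.update_identity_pool(**request)


if __name__ == "__main__":
    import json
    req = build_update_request(SAMPLE_DESCRIBE, "us-east-1_xxxxxxxxx", "79i7hhxxxxxxxx1d5iciiu7")
    print(json.dumps(req, indent=2))
```

Running the module prints the merged request for the constructed sample: the Google login provider, the existing user pool provider, and the tag are all retained, ResponseMetadata is dropped, and the Account-A pool appears under cognito-idp.us-east-1.amazonaws.com/... even though the identity pool is in ap-south-1. Calling add_user_pool_provider with a real boto3 client performs the same merge against the live pool.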