What IAM policies does my backend application written in Java need to work with Cognito?


Hi guys,

I have a doubt about Cognito. Imagine I have a backend in Java (with the Java AWS SDK) that uses the Authorization Code Grant flow. This backend needs to communicate with Cognito to exchange the authorization code, obtain tokens, etc. But at this point I have a question (or questions): what kind of IAM policy does my backend need to communicate with Cognito? Is an IAM user with an attached policy needed to allow my backend to interact with Cognito? Can you give me some example or recommendation about this topic? I think I'm a little confused. On the other hand, is it as simple as creating an IAM user with programmatic access (this option appears when we are creating a new IAM user), so that my backend has access to all SDK functions and APIs, CLI, etc. (Cognito included)? Thanks in advance!

Best regards.

Asked 2 years ago, 382 views

2 answers

Hi! I think you might be mixing two different concepts: the OAuth 2.0 grants and the Amazon Cognito (or other AWS services) API.

Cognito implements different OAuth 2.0 grants, including the Authorization Code grant. To use it, your application must use the endpoints provided by Cognito with the credentials generated in your user pool app client. This has nothing to do with AWS IAM or its policies; actually, access to the information is controlled by standard OAuth scopes.

Let me share with you a fantastic guide to understand how the credentials and tokens exchange works in the Authorization Code Grant flow.

Having said this, if you want to use the Amazon Cognito API to create/manage new users, devices or apps, then you'd need a valid user with the right IAM permissions to perform the actions that you need to do. But be careful: embedding user credentials in your app code is a bad practice. There are different ways to do it depending on the use case; take a look at the best practices. Probably in your case the most interesting way is using Amazon Cognito Identity Pools, which provide temporary and limited access to other AWS services.

I hope it helps.

mtind (AWS)
Answered 2 years ago
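As an added illustration of the answer above (this is editorial example code, not code from the thread or from AWS), the Authorization Code flow from a Java backend talks only to the user pool's hosted endpoints, authenticating with the app client ID and secret; no IAM credentials are involved. The domain, client ID, client secret and redirect URI below are assumed placeholders read from environment variables, and the `state` and PKCE `code_verifier` are kept server-side per login attempt so the redirect back to the backend can be checked before the code is exchanged.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

/** Authorization Code + PKCE against a Cognito user pool's hosted endpoints (example, not AWS code). */
public class CognitoCodeExchange {
    // Assumed placeholders: set these in the environment, never hard-code them in source.
    private static final String COGNITO_DOMAIN = System.getenv("COGNITO_DOMAIN"); // e.g. https://<prefix>.auth.<region>.amazoncognito.com
    private static final String CLIENT_ID = System.getenv("COGNITO_CLIENT_ID");
    private static final String CLIENT_SECRET = System.getenv("COGNITO_CLIENT_SECRET");
    private static final String REDIRECT_URI = System.getenv("COGNITO_REDIRECT_URI");

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private final HttpClient http = HttpClient.newHttpClient();

    /** Per-login values the backend must remember (e.g. in the session) until the callback arrives. */
    public record LoginAttempt(String state, String codeVerifier, String authorizeUrl) {}

    /** Step 1: build the /oauth2/authorize URL with a random state and an S256 PKCE challenge. */
    public LoginAttempt startLogin(String scope) throws Exception {
        String state = randomToken(32);
        String verifier = randomToken(64);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(verifier.getBytes(StandardCharsets.US_ASCII));
        Map<String, String> q = new LinkedHashMap<>();
        q.put("response_type", "code");
        q.put("client_id", CLIENT_ID);
        q.put("redirect_uri", REDIRECT_URI);
        q.put("scope", scope);                 // e.g. "openid email"; access is governed by scopes, not IAM
        q.put("state", state);
        q.put("code_challenge_method", "S256");
        q.put("code_challenge", B64URL.encodeToString(digest));
        return new LoginAttempt(state, verifier, COGNITO_DOMAIN + "/oauth2/authorize?" + formEncode(q));
    }

    /** Step 2: on the callback, verify state, then exchange the code at /oauth2/token. Returns the raw token JSON. */
    public String handleCallback(LoginAttempt attempt, String returnedState, String code) throws Exception {
        if (returnedState == null || !MessageDigest.isEqual(
                returnedState.getBytes(StandardCharsets.UTF_8), attempt.state().getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("state mismatch: possible login CSRF, refusing to exchange code");
        }
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("client_id", CLIENT_ID);
        form.put("code", code);
        form.put("redirect_uri", REDIRECT_URI);        // must match the one used in step 1
        form.put("code_verifier", attempt.codeVerifier());

        // The app client secret is sent as HTTP Basic auth (client_id:client_secret), as Cognito's token endpoint accepts.
        String basic = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(COGNITO_DOMAIN + "/oauth2/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Authorization", "Basic " + basic)
                .POST(HttpRequest.BodyPublishers.ofString(formEncode(form)))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("token endpoint returned HTTP " + resp.statusCode() + ": " + resp.body());
        }
        // Body is JSON with id_token, access_token, refresh_token, expires_in, token_type.
        // Before trusting any claim, validate the JWT signature against the pool's JWKS and check iss/aud/exp.
        return resp.body();
    }

    private static String randomToken(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    private static String formEncode(Map<String, String> kv) {
        return kv.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }
}
```

The point to take from this: the only secret the backend holds for this flow is the app client secret, and the response is a set of OAuth tokens scoped by the `scope` parameter. Calling the Cognito service API (AdminCreateUser, AdminGetUser, and so on) is a separate path that does require AWS credentials carrying `cognito-idp:*` permissions.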

Ok, I think I've understood what you mean. I was a little confused, but now maybe I'm right. On the one hand we have IAM users to allow our IAM user access to different AWS services. And on the other hand we have the Cognito unauthenticated/authenticated users; this is what I wanted to say. So, when you talk about "embedding user credentials...", I really understand you. In my case, I have a frontend web application and a Java backend application that implements the Authorization Code Grant, hence I will have a credentials file on the backend server instead of having credentials hardcoded in my Java code. Is that the correct way? Thanks in advance for your helpful reply!

Best regards.

Answered 2 years ago
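For the second path the answer describes, calling the Cognito service API from the backend, here is an added example (editorial code, not from the thread or from AWS) showing how a Java SDK v2 client picks up credentials without anything hard-coded: `DefaultCredentialsProvider` checks environment variables, the shared credentials file and, on EC2/ECS/Lambda, the attached role, in that order. The user pool ID, region, account ID and username are assumed placeholders, and the policy in the comment is the least-privilege grant this one call needs.

```java
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserNotFoundException;

import java.util.Optional;

/**
 * Backend lookup of a user pool user via the Cognito service API (example, not AWS code).
 *
 * The identity that runs this (IAM role on the instance/container, or a profile in ~/.aws/credentials
 * on a developer machine) needs only this policy, scoped to the one pool; "cognito-idp:*" is not required:
 *
 * {
 *   "Version": "2012-10-17",
 *   "Statement": [{
 *     "Effect": "Allow",
 *     "Action": "cognito-idp:AdminGetUser",
 *     "Resource": "arn:aws:cognito-idp:<REGION>:<ACCOUNT_ID>:userpool/<USER_POOL_ID>"
 *   }]
 * }
 */
public class CognitoUserLookup implements AutoCloseable {
    private final CognitoIdentityProviderClient cognito;
    private final String userPoolId; // assumed placeholder, e.g. "<region>_<poolsuffix>"

    public CognitoUserLookup(Region region, String userPoolId) {
        this.userPoolId = userPoolId;
        this.cognito = CognitoIdentityProviderClient.builder()
                .region(region)
                // No access keys in code: resolved from env vars, the credentials file, or the instance/task role.
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();
    }

    /** Returns the user's verified email attribute, or empty if the user does not exist or has no email. */
    public Optional<String> emailOf(String username) {
        try {
            AdminGetUserResponse resp = cognito.adminGetUser(AdminGetUserRequest.builder()
                    .userPoolId(userPoolId)
                    .username(username)
                    .build());
            return resp.userAttributes().stream()
                    .filter(a -> "email".equals(a.name()))
                    .map(AttributeType::value)
                    .findFirst();
        } catch (UserNotFoundException e) {
            return Optional.empty();
        }
    }

    @Override
    public void close() {
        cognito.close();
    }

    public static void main(String[] args) {
        String poolId = System.getenv("COGNITO_USER_POOL_ID"); // assumed placeholder
        try (CognitoUserLookup lookup = new CognitoUserLookup(Region.of(System.getenv("AWS_REGION")), poolId)) {
            System.out.println(lookup.emailOf("alice").orElse("(no user or no email)"));
        }
    }
}
```

A credentials file on the server is workable for development, but on AWS the preferable option is to attach an IAM role to the instance, container or function and let the provider chain pick up its short-lived credentials, so there is no long-lived access key on disk to rotate or leak.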
