What IAM policies need my backend application written in Java to work with Cognito ?

Hi! I think you might be mixing to different concepts: the OAuth2.0 grants and the Amazon Cognito (or other AWS services) API.

Cognito implements different OAuth 2.0 grants including the Authorization code grant. To use it your application must use the endpoints provided by Cognito with the credentials generated in your user pool app client. Nothing to do with AWS IAM nor its policies, actually the access to the information is controlled by standard OAuth scopes.

Let me share with you a fantastic guide to understand how the credentials and tokens exchange works in the Authorization Code Grant flow.

Having said this, if you want to use the Amazon Cognito API to create/manage new users, devices or apps, then you'd need a valid user with the right IAM permissions to perform the actions that you need to do. But be careful, embed user credentials in your app code is a bad practice, there are different ways to do it depending on the use case, take a look to the best practices. Probably in your case the most interesting way is using Amazon Cognito Identity Pools, which provides a temporary and limited access to other AWS services.

I hope it helps.

Ok, I think I've understood what you mean. I was a little confused, but now maybe I'm right. One the one hand we have an IAM users to allow access to our IAM user to differents AWS services. And in the other hand we have the Cognito un/authenticated users that, this is what I wanted to say. So, when you say about the topic "embed user credentials..." , I really understand you. In my case, I have a frontend web application and a Java backend application that implements the Authorization Code Grant, hence I will have a credentials file in the backend server instead having a credentials hardcoded in my Java code, is it the correct way ? Thanks in advance for your helpful reply !

Best regards.