how to increase expiration time of cognito identity pool credentials


I am using identity pool credentials to authenticate my requests to the API gateway. the problem is the credentials last for only 1 hour. Is there a way to increase the expiration time? I have searched for this answer but I am getting answers on how to increase the time for id token and access token of Cognito user pool

2 Answers

Cognito Identity pools have different authentication flows. Unfortunately, the API call that is involved in the Enhanced Cognito flow (GetCredentialsForIdentity API call) doesn't provide an option to specify such a duration parameter, which is why we wouldn't be able to use the Enhanced flow to set the duration of the AWS Credentials for more than an hour.

Therefore, to enable Cognito to produce credentials which have validity in range from 900 seconds (15 minutes) up to the maximum session duration setting (12 hours) for the role, we will have to use the Basic (Classic) Auth Flow. This is disabled by default and can be enabled in the new Cognito console by choosing the "Edit" button under "Basic (classic) authentication" in the "Identity pool properties" tab of a Cognito Identity pool. In the old console, select the 'Edit Identity Pool' option in the top right corner. Once there, under the tab 'Authentication flow settings', check the radio button next to 'Allow Basic (Classic) Flow' and save the changes for your Identity pool. Basic Flow has the below three calls -

  1. GetId - This gets the Cognito ID for a user trying to access Cognito Identity Pool.
  2. GetOpenIdToken - This call gets an OpenID token using the Cognito ID obtained in the first call.
  3. AssumeRoleWithWebIdentity - This call gives the temporary AWS credentials using the OpenID token from the second call.

In the AssumeRoleWithWebIdentity call (step 3), we have an option to provide the "duration-seconds" parameter where we can set the duration validity of the tokens. One other thing that we need to make sure of in order to extend the credentials validity time beyond 1 hour is to update the Maximum session duration parameter of the concerned IAM role before making the AssumeRoleWithWebIdentity API call. This is because by default, IAM roles in our AWS accounts have a maximum session duration of one hour. We can do the same either on the AWS IAM console or by making the UpdateRole API call and setting the parameter value of MaxSessionDuration. If we don't perform this step and we try to extend the validity time of the credentials, then we will get the following error:

`"An error occurred (ValidationError) when calling the AssumeRoleWithWebIdentity operation: The requested DurationSeconds exceeds the MaxSessionDuration set for this role."`
answered 10 months ago
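The three-call Basic (Classic) flow described in this answer, written out with boto3 as an added example (this is not code from the original post or from AWS's own samples). It first reads the role's MaxSessionDuration with iam:GetRole and checks the requested DurationSeconds against it, so the ValidationError quoted above is caught before any STS call; the identity pool id, role ARN, role name and region are hypothetical values supplied by the caller, and omitting `logins` requests an unauthenticated (guest) identity.

```python
"""Cognito Identity Pool Basic (Classic) flow with an extended credential lifetime.

GetId -> GetOpenIdToken -> AssumeRoleWithWebIdentity(DurationSeconds=...)
"""

# Bounds STS enforces on DurationSeconds for AssumeRoleWithWebIdentity.
MIN_DURATION_SECONDS = 900        # 15 minutes
MAX_DURATION_SECONDS = 12 * 3600  # 12 hours, the ceiling for a role's MaxSessionDuration


def validate_duration(requested_seconds: int, role_max_session_seconds: int) -> int:
    """Return requested_seconds if STS would accept it for this role, else raise ValueError.

    Mirrors the two server-side checks: the 900..43200 window, and the role's own
    MaxSessionDuration (the ValidationError quoted in the answer above).
    """
    if not MIN_DURATION_SECONDS <= requested_seconds <= MAX_DURATION_SECONDS:
        raise ValueError(
            f"DurationSeconds must be between {MIN_DURATION_SECONDS} and "
            f"{MAX_DURATION_SECONDS}, got {requested_seconds}"
        )
    if requested_seconds > role_max_session_seconds:
        raise ValueError(
            "The requested DurationSeconds exceeds the MaxSessionDuration set for this role "
            f"({requested_seconds} > {role_max_session_seconds}); raise it with iam:UpdateRole first"
        )
    return requested_seconds


def ensure_role_max_session(role_name: str, needed_seconds: int) -> int:
    """Raise the role's MaxSessionDuration if it is below needed_seconds; return the effective value.

    Requires iam:GetRole and iam:UpdateRole on the caller's credentials.
    """
    import boto3  # imported inside so validate_duration() works without the SDK installed

    iam = boto3.client("iam")
    current = iam.get_role(RoleName=role_name)["Role"]["MaxSessionDuration"]
    if current < needed_seconds:
        iam.update_role(RoleName=role_name, MaxSessionDuration=needed_seconds)
        return needed_seconds
    return current


def get_long_lived_credentials(identity_pool_id, role_arn, role_name,
                               duration_seconds, logins=None, region="us-east-1"):
    """Run the Basic (Classic) flow and return the STS Credentials dict."""
    import boto3

    # Pre-flight: fail locally with the same reason STS would give, before touching Cognito.
    role_max = ensure_role_max_session(role_name, duration_seconds)
    validate_duration(duration_seconds, role_max)

    cognito = boto3.client("cognito-identity", region_name=region)

    # Step 1: GetId. With no Logins map this yields an unauthenticated (guest) identity.
    get_id_kwargs = {"IdentityPoolId": identity_pool_id}
    if logins:
        get_id_kwargs["Logins"] = logins
    identity_id = cognito.get_id(**get_id_kwargs)["IdentityId"]

    # Step 2: GetOpenIdToken for that identity (same Logins map when authenticated).
    token_kwargs = {"IdentityId": identity_id}
    if logins:
        token_kwargs["Logins"] = logins
    web_identity_token = cognito.get_open_id_token(**token_kwargs)["Token"]

    # Step 3: AssumeRoleWithWebIdentity with the requested DurationSeconds.
    # RoleSessionName may not contain ':', so the "region:uuid" identity id is normalised.
    sts = boto3.client("sts", region_name=region)
    response = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=f"cognito-{identity_id.replace(':', '-')}"[:64],
        WebIdentityToken=web_identity_token,
        DurationSeconds=duration_seconds,
    )
    return response["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    # Placeholder values: replace with your own pool, role and region.
    creds = get_long_lived_credentials(
        identity_pool_id="us-east-1:00000000-0000-0000-0000-000000000000",
        role_arn="arn:aws:iam::123456789012:role/Cognito_ExamplePoolUnauth_Role",
        role_name="Cognito_ExamplePoolUnauth_Role",
        duration_seconds=4 * 3600,
    )
    print("credentials expire at", creds["Expiration"])
```

The role's trust policy must still allow `cognito-identity.amazonaws.com` via `sts:AssumeRoleWithWebIdentity` with the usual `cognito-identity.amazonaws.com:aud` (pool id) and `:amr` (authenticated/unauthenticated) conditions; a longer DurationSeconds does nothing to change which principals may obtain the role.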

Within the AWS Console, navigate to Cognito then navigate to your user pool, then the App Integration tab, and scroll to the bottom of the page to App Clients and click "edit" for existing App Clients or "Create" for a new App Client. In the top card labeled "App Client Information" click edit and you can change the timeout settings for all of the tokens:


You can also do this with the AWS CLI and SDK:

answered 2 years ago
  • but it doesn't increase the expiration for identity pool credentials

  • I think the question was about the identity pool not user one, is there a way to do the same for identity pool? In my case, I use identity pool to get temporary credentials for non-authenticated users and would like to control the token expiration

  • This configuration is about the user pool's access and id tokens expiration time, not the Cognito identity pool.
