Amazon DynamoDB
Developer Guide (API Version 2012-08-10)

Configure AWS Credentials in Your Files Using Amazon Cognito

The recommended way to obtain AWS credentials for your web and mobile applications is to use Amazon Cognito. Amazon Cognito helps you avoid hardcoding long-lived AWS access keys in your files, where anyone who can read the page or the app bundle could copy them. Instead, Amazon Cognito uses IAM roles to issue short-lived, temporary credentials to your application's authenticated and unauthenticated users.

For example, to configure your JavaScript files to use an Amazon Cognito unauthenticated role to access the DynamoDB web service:

  1. Create an Amazon Cognito identity pool that allows unauthenticated identities.

    aws cognito-identity create-identity-pool \
        --identity-pool-name DynamoPool \
        --allow-unauthenticated-identities \
        --output json

    {
        "IdentityPoolId": "us-west-2:12345678-1ab2-123a-1234-a12345ab12",
        "AllowUnauthenticatedIdentities": true,
        "IdentityPoolName": "DynamoPool"
    }
  2. Copy the following trust policy into a file named myCognitoPolicy.json. Replace the identity pool ID (us-west-2:12345678-1ab2-123a-1234-a12345ab12) with the IdentityPoolId returned in the previous step. The aud condition limits the role to identities from this pool, and the amr condition limits it to that pool's unauthenticated identities; without the aud condition, identities from any Amazon Cognito identity pool in any AWS account could assume the role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "cognito-identity.amazonaws.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "cognito-identity.amazonaws.com:aud": "us-west-2:12345678-1ab2-123a-1234-a12345ab12"
                    },
                    "ForAnyValue:StringLike": {
                        "cognito-identity.amazonaws.com:amr": "unauthenticated"
                    }
                }
            }
        ]
    }
  3. Create an IAM role whose trust (assume-role) policy is the document from the previous step. This makes Amazon Cognito a trusted entity that can assume the Cognito_DynamoPoolUnauth role, but only on behalf of unauthenticated identities in the DynamoPool identity pool.

    aws iam create-role --role-name Cognito_DynamoPoolUnauth \
        --assume-role-policy-document file://PathToFile/myCognitoPolicy.json \
        --output json
  4. Grant the Cognito_DynamoPoolUnauth role access to DynamoDB. The quickest way is to attach the AmazonDynamoDBFullAccess managed policy:

    aws iam attach-role-policy \
        --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess \
        --role-name Cognito_DynamoPoolUnauth

    Be aware of what this grants. The identity pool ID is shipped to the browser in your JavaScript (step 7), so anyone who reads it can obtain credentials for this role without signing in, and AmazonDynamoDBFullAccess then lets them create, read, modify and delete every table in the account. Use the managed policy only for experimentation. For anything you deploy, grant the role fine-grained access instead: limit it to the tables and actions the application actually needs, and use the dynamodb:LeadingKeys condition key with ${cognito-identity.amazonaws.com:sub} so that each identity can reach only its own items. For more information, see Using IAM Policy Conditions for Fine-Grained Access Control.

  5. Obtain and copy the IAM role ARN:

    aws iam get-role --role-name Cognito_DynamoPoolUnauth --output json
  6. Add the Cognito_DynamoPoolUnauth role to the DynamoPool identity pool. The format to specify is KeyName=string, where KeyName is unauthenticated and the string is the role ARN obtained in the previous step.

    aws cognito-identity set-identity-pool-roles \
        --identity-pool-id "us-west-2:12345678-1ab2-123a-1234-a12345ab12" \
        --roles unauthenticated=arn:aws:iam::123456789012:role/Cognito_DynamoPoolUnauth \
        --output json
  7. Specify the Amazon Cognito credentials in your files, and set the region in which you created the identity pool (the SDK needs it to reach the Amazon Cognito endpoint). Replace the IdentityPoolId and RoleArn with your own values. Because step 6 already mapped the unauthenticated role to the pool, RoleArn may be omitted, in which case the SDK uses the role configured on the pool.

    // Region of the identity pool; required before requesting credentials.
    AWS.config.region = "us-west-2";
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: "us-west-2:12345678-1ab2-123a-1234-a12345ab12",
        RoleArn: "arn:aws:iam::123456789012:role/Cognito_DynamoPoolUnauth"
    });

You can now run your JavaScript programs against the DynamoDB web service using Amazon Cognito credentials. For more information, see Setting Credentials in a Web Browser in the AWS SDK for JavaScript Getting Started Guide.
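The following script is an added example, not part of the AWS guide or of the AWS CLI. It performs the same seven steps as one procedure, but replaces AmazonDynamoDBFullAccess with an inline least-privilege policy: one table, item-level actions only, and a dynamodb:LeadingKeys condition that ties each unauthenticated identity to the items whose partition key is its own Cognito identity ID. The region (us-west-2), the pool and role names from the steps above, the table name GameScores and the policy name DynamoOwnItemsOnly are assumptions; the table is hypothetical and its partition key is assumed to hold the identity ID. Policy generation is plain shell and runs offline; the aws calls run only when the script is invoked with --apply and need CLI credentials with IAM and Amazon Cognito permissions.

```shell
#!/bin/sh
# Added example (not from the AWS guide): the seven steps above as one script,
# with a least-privilege inline policy in place of AmazonDynamoDBFullAccess.
# Assumptions: region us-west-2, a hypothetical table GameScores whose
# partition key is the caller's Cognito identity ID, and AWS CLI credentials
# with IAM and Cognito permissions in the environment.
set -e

REGION="${REGION:-us-west-2}"
POOL_NAME="${POOL_NAME:-DynamoPool}"
ROLE_NAME="${ROLE_NAME:-Cognito_DynamoPoolUnauth}"
TABLE_NAME="${TABLE_NAME:-GameScores}"   # assumption: hypothetical table

# Trust policy for the role (step 2). The aud condition pins the role to one
# identity pool; the amr condition pins it to that pool's unauthenticated
# identities. Without the aud check, any Cognito pool in any account could
# assume the role.
trust_policy() {
  pool_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": { "cognito-identity.amazonaws.com:aud": "$pool_id" },
      "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" }
    }
  }]
}
EOF
}

# Permissions policy (replaces step 4's managed policy). One table, item-level
# actions only, and dynamodb:LeadingKeys restricts every call to items whose
# partition key equals the caller's own identity ID. The pool ID is public
# (it ships in the browser JavaScript), so this policy is the real boundary
# for anonymous users.
permissions_policy() {
  table_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
      "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
      "dynamodb:BatchWriteItem"
    ],
    "Resource": "$table_arn",
    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["\${cognito-identity.amazonaws.com:sub}"]
      }
    }
  }]
}
EOF
}

# Steps 1, 3, 4, 5 and 6 with the CLI, using --query to capture the IDs
# instead of copying them by hand.
apply() {
  pool_id=$(aws cognito-identity create-identity-pool \
      --identity-pool-name "$POOL_NAME" \
      --allow-unauthenticated-identities \
      --region "$REGION" --query IdentityPoolId --output text)
  account_id=$(aws sts get-caller-identity --query Account --output text)

  trust_policy "$pool_id" > myCognitoPolicy.json
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://myCognitoPolicy.json

  permissions_policy "arn:aws:dynamodb:$REGION:$account_id:table/$TABLE_NAME" \
      > myDynamoPolicy.json
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name DynamoOwnItemsOnly \
      --policy-document file://myDynamoPolicy.json

  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" \
      --query Role.Arn --output text)
  aws cognito-identity set-identity-pool-roles \
      --identity-pool-id "$pool_id" \
      --roles unauthenticated="$role_arn" --region "$REGION"
  echo "IdentityPoolId=$pool_id RoleArn=$role_arn"
}

# Only touch AWS when asked to; sourcing or running without --apply just
# defines the functions, so the policies can be generated and inspected first.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run `trust_policy "<your pool id>"` and `permissions_policy "<table ARN>"` first and review the JSON, then run the script with --apply. The printed IdentityPoolId and RoleArn are the two values step 7 asks for. Keep the aud condition in the trust policy even when tightening the permissions policy: the permissions policy limits what the role can do, but the trust policy decides who may become the role at all.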