Amazon Cognito
Developer Guide

Using the Amazon Cognito Console

This guide provides a short introduction to working with the Amazon Cognito console.

What is the Amazon Cognito Console?

You can use the Amazon Cognito console to manage the resources for your applications that interact with Amazon Cognito. The console provides an intuitive user interface for performing many Amazon Cognito tasks, such as creating and managing identity pools and user pools, browsing the identities of your users, managing users in your user pools, viewing the number of data syncs for your application, and so on.

The Amazon Cognito console is a part of the AWS Management Console, which provides information about your account and billing. For more information on using the AWS Management Console, see Working with the AWS Management Console.

Create an Identity Pool

To create a new identity pool in the console

  1. Sign in to the Amazon Cognito console, choose Manage Federated Identities, and then choose Create new identity pool.

  2. Type a name for your identity pool.

  3. To enable unauthenticated identities, select Enable access to unauthenticated identities from the Unauthenticated identities collapsible section.

  4. If desired, configure an authentication provider in the Authentication providers section.

  5. Choose Create Pool.

    Note

    At least one identity is required for a valid identity pool.

  6. You will be prompted for access to your AWS resources.

    Choose Allow to create the two default roles associated with your identity pool: one for unauthenticated users and one for authenticated users. These default roles provide your identity pool access to Amazon Cognito Sync. You can modify the roles associated with your identity pool in the IAM console. For additional instructions on working with the Amazon Cognito console, see Using the Amazon Cognito Console.

Delete an Identity Pool

From the Console home page:

  1. Click the name of the identity pool that you want to delete. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, click Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and click Delete identity pool to expand it.

  4. Click Delete identity pool.

  5. Click Delete pool.

Warning

When you click the delete button, you will permanently delete your identity pool and all the user data it contains. Deleting an identity pool will cause applications and other services utilizing the identity pool to stop working.

Delete an Identity from an Identity Pool

From the Console home page:

  1. Click the name of the identity pool that contains the identity that you want to delete. The Dashboard page for your identity pool appears.

  2. In the left-hand navigation on the Dashboard page, click Identity browser. The Identities page appears.

  3. On the Identities page, enter the identity ID that you want to delete and then click Search.

  4. On the Identity details page, click the Delete identity button, and then click Delete.

Enable or edit authentication providers

If you allow your users to authenticate using public identity providers (e.g. Amazon Cognito user pools, Facebook, Twitter, Amazon), you can specify your application identifiers in the Amazon Cognito Console. This associates the application ID (provided by the public login provider) with your identity pool.

You can also configure authentication rules for each provider from this page. Each provider allows up to 25 rules. The rules are applied in the order you save for each provider. For more information, see Role-Based Access Control.

Warning

Changing the application ID to which your identity pool is linked will disable existing users from authenticating with Amazon Cognito. Learn more about External Identity Providers.

From the Console home page:

  1. Click the name of the identity pool for which you want to enable the external provider. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, click Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and click Authentication providers to expand it.

  4. Click the tab for the appropriate provider and enter the required information associated with that authentication provider.

Change the role associated with an identity type

Amazon Cognito defines two types of identities: authenticated and unauthenticated. Every identity in your identity pool is either authenticated or unauthenticated. Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Facebook, Amazon, Google, Twitter/Digits, SAML, or any OpenID Connect Providers) or a developer provider (your own backend authentication process). Unauthenticated identities typically belong to guest users.

For each identity type, there is an assigned role. This role has a policy attached to it which dictates which AWS services that role can access. When Amazon Cognito receives a request, the service will determine the identity type, determine the role assigned to that identity type, and use the policy attached to that role to respond. By modifying a policy or assigning a different role to an identity type, you can control which AWS services an identity type can access. To view or modify the policies associated with the roles in your identity pool, see the AWS IAM Console.

You can easily change which role is associated with an identity type using the Amazon Cognito Console. From the Console home page:

  1. Click the name of the identity pool for which you want to modify roles. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, click Edit identity pool. The Edit identity pool page appears.

  3. Use the dropdown menus next to Unauthenticated role and Authenticated role to change roles. Click Create new role to create or modify the roles associated with each identity type in the AWS IAM console. For more information, see IAM Roles.

Enable or disable unauthenticated identities

Amazon Cognito can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider. If your application allows users who do not log in, you can enable access for unauthenticated identities. To learn more, see Identity Pools.

From the Console home page:

  1. Click the name of the identity pool for which you want to enable or disable unauthenticated identities. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, click Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and click Unauthenticated identities to expand it.

  4. Select the checkbox to enable or disable access to unauthenticated identities.

  5. Click Save Changes.
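
The role-per-identity-type model and the unauthenticated-identities switch described above can be reviewed together outside the console. The following is an added example, not part of the AWS guide: it takes dictionaries shaped like the DescribeIdentityPool and GetIdentityPoolRoles API responses plus the policy documents of the guest role, and lists what guest users are allowed beyond Amazon Cognito Sync. The function names, the `GUEST_SERVICES` baseline, and the sample pool, ARNs and policy are assumptions constructed for illustration.

```python
# Assumption: guests need only Amazon Cognito Sync, the access the page says
# the default roles provide. Extend this set to match your application.
GUEST_SERVICES = {"cognito-sync"}

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def unexpected_grants(policy_doc):
    """Yield (action, resource) pairs that go beyond the guest baseline."""
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        resources = _as_list(stmt.get("Resource", "*"))
        if "NotAction" in stmt:  # Allow + NotAction grants everything else
            yield ("NotAction", ",".join(resources))
            continue
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()  # "*" has service "*"
            for resource in resources:
                if service not in GUEST_SERVICES:
                    yield (action, resource)

def audit_identity_pool(pool, pool_roles, role_policies):
    """Return findings for one identity pool.
    pool / pool_roles mirror DescribeIdentityPool / GetIdentityPoolRoles output;
    role_policies maps role ARN -> list of policy documents read from IAM."""
    findings = []
    roles = pool_roles.get("Roles", {})
    unauth, auth = roles.get("unauthenticated"), roles.get("authenticated")
    if not pool.get("AllowUnauthenticatedIdentities"):
        return findings  # no guest credentials are issued
    if unauth and unauth == auth:
        findings.append("guest and authenticated identities share one role")
    for doc in role_policies.get(unauth, []):
        for action, resource in unexpected_grants(doc):
            findings.append(f"guest role allows {action} on {resource}")
    return findings

# Constructed sample data (placeholder account ID and names, not from the page).
POOL = {"IdentityPoolName": "example_pool", "AllowUnauthenticatedIdentities": True}
ROLES = {"Roles": {
    "authenticated": "arn:aws:iam::111122223333:role/Cognito_exampleAuth_Role",
    "unauthenticated": "arn:aws:iam::111122223333:role/Cognito_exampleUnauth_Role"}}
POLICIES = {ROLES["Roles"]["unauthenticated"]: [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cognito-sync:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}]}
if __name__ == "__main__":
    print(audit_identity_pool(POOL, ROLES, POLICIES))
```

Each finding is a grant to review, not necessarily a misconfiguration: anyone who can reach the pool can obtain guest credentials, so every listed action is effectively available without a login.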

Managing Datasets in the Amazon Cognito Console

If you have implemented Amazon Cognito Sync functionality in your application, the Amazon Cognito console enables you to manually create and delete datasets and records for individual identities. Any change you make to an identity's dataset or records in the Amazon Cognito console will not be saved until you click Synchronize in the console and will not be visible to the end user until the identity calls synchronize. The data being synchronized from other devices for individual identities will be visible once you refresh the list datasets page for a particular identity.

Create a Dataset for an Identity

From the Amazon Cognito console home page:

  1. Click the name of the identity pool that contains the identity for which you want to create a dataset. The Dashboard page for your identity pool appears.

  2. In the left-hand navigation on the Dashboard page, click Identity browser. The Identities page appears.

  3. On the Identities page, enter the identity ID for which you want to create a dataset, and then click Search.

  4. On the Identity details page for that identity, click the Create dataset button, enter a dataset name, and then click Create and edit dataset.

  5. On the Current dataset page, click Create record to create a record to store in that dataset.

  6. Enter a key for that dataset, the valid JSON value or values to store, and then click Format as JSON to prettify the value you entered and to confirm that it is well-formed JSON. When finished, click Save Changes.

  7. Click Synchronize to synchronize the dataset. Your changes will not be saved until you click Synchronize and will not be visible to the user until the identity calls synchronize. To discard unsynchronized changes, select the change you wish to discard, and then click Discard changes.

Delete a Dataset Associated with an Identity

From the Amazon Cognito console home page:

  1. Click the name of the identity pool that contains the identity for which you want to delete a dataset. The Dashboard page for your identity pool appears.

  2. In the left-hand navigation on the Dashboard page, click Identity browser. The Identities page appears.

  3. On the Identities page, enter the identity ID containing the dataset which you want to delete, and then click Search.

  4. On the Identity details page, select the checkbox next to the dataset or datasets that you want to delete, click Delete selected, and then click Delete.

Set Up Amazon Cognito Streams

Amazon Cognito Streams gives developers control and insight into their data stored in Amazon Cognito Sync. Developers can now configure a Kinesis stream to receive events as data. Amazon Cognito can push each dataset change to a Kinesis stream you own in real time. For instructions on how to set up Amazon Cognito Streams in the Amazon Cognito console, see Amazon Cognito Streams.

Bulk Publish Data

Bulk publish can be used to export data already stored in your Amazon Cognito Sync store to a Kinesis stream. For instructions on how to bulk publish all of your streams, see Amazon Cognito Streams.

Enable Push Synchronization

Amazon Cognito automatically tracks the association between identity and devices. Using the push sync feature, you can ensure that every instance of a given identity is notified when identity data changes. Push sync ensures that, whenever the sync store data changes for a particular identity, all devices associated with that identity receive a silent push notification informing them of the change.

You can enable Push Sync via the Amazon Cognito console. From the console home page:

  1. Click the name of the identity pool for which you want to enable Push Sync. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, click Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and click Push synchronization to expand it.

  4. In the Service role dropdown menu, select the IAM role that grants Amazon Cognito permission to send an SNS notification. Click Create role to create or modify the roles associated with your identity pool in the AWS IAM console.

  5. Select a platform application, and then click Save Changes.

Set Up Amazon Cognito Events

Amazon Cognito Events allows you to execute an AWS Lambda function in response to important events in Amazon Cognito Sync. Amazon Cognito Sync raises the Sync Trigger event when a dataset is synchronized. You can use the Sync Trigger event to take an action when a user updates data. For instructions on setting up Amazon Cognito Events from the console, see Amazon Cognito Events.

To learn more about AWS Lambda, see AWS Lambda.