Amazon Cognito
Developer Guide (Version Last Updated: 07/28/2016)

Getting Credentials

This section describes how to get credentials and how to retrieve an Amazon Cognito identity.

Android

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated identities. To provide AWS credentials to your app, follow the steps below.

  1. In the Amazon Cognito console, create an identity pool and copy the starter code snippets.

  2. If you haven't already done so, add the AWS Mobile SDK for Android to your project. For instructions, see Set Up the Mobile SDK for Android.

  3. Include the following import statements:

    import com.amazonaws.auth.CognitoCachingCredentialsProvider;
    import com.amazonaws.regions.Regions;

  4. Initialize the Amazon Cognito credentials provider using the code snippet generated by the Amazon Cognito console. The value for IDENTITY_POOL_ID will be specific to your account:

    CognitoCachingCredentialsProvider credentialsProvider = new CognitoCachingCredentialsProvider(
        getApplicationContext(), // Context
        "IDENTITY_POOL_ID",      // Identity Pool ID
        Regions.US_EAST_1        // Region
    );

  5. Pass the initialized Amazon Cognito credentials provider to the constructor of the AWS client to be used. The code required depends on the service to be initialized. The client will use this provider to get credentials with which it will access AWS resources.

    Note

    If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito Identity

If you're allowing unauthenticated users, you can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately. If you're authenticating users, you can retrieve the identity ID after you've set the login tokens in the credentials provider:

String identityId = credentialsProvider.getIdentityId();
Log.d("LogTag", "my ID is " + identityId);

Note

Do not call getIdentityId(), refresh(), or getCredentials() in the main thread of your application. As of Android 3.0 (API Level 11), your app will automatically fail and throw a NetworkOnMainThreadException if you perform network I/O on the main application thread. You will need to move your code to a background thread using AsyncTask. For more information, consult the Android documentation. You can also call getCachedIdentityId() to retrieve an ID, but only if one is already cached locally. Otherwise, the method will return null.
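
The background-thread requirement in the note above, as an added example (not code from the original guide or from the AWS SDK). The class name IdentityIdTask is hypothetical, and the example assumes the credentialsProvider initialized in step 4:

```java
import android.os.AsyncTask;
import android.util.Log;

import com.amazonaws.auth.CognitoCachingCredentialsProvider;

// Hypothetical helper class (not part of the AWS SDK): resolves the identity ID
// off the main thread, so no NetworkOnMainThreadException is thrown.
// Usage from an Activity: new IdentityIdTask(credentialsProvider).execute();
public class IdentityIdTask extends AsyncTask<Void, Void, String> {

    private static final String TAG = "LogTag";

    private final CognitoCachingCredentialsProvider credentialsProvider;
    private Exception error;

    public IdentityIdTask(CognitoCachingCredentialsProvider credentialsProvider) {
        this.credentialsProvider = credentialsProvider;
    }

    @Override
    protected String doInBackground(Void... params) {
        try {
            // Prefer the locally cached ID; this returns null if none is cached.
            String cached = credentialsProvider.getCachedIdentityId();
            if (cached != null) {
                return cached;
            }
            // Network I/O: only safe here, on the background thread.
            return credentialsProvider.getIdentityId();
        } catch (Exception e) {
            // Keep the failure so onPostExecute() can report it on the main thread.
            error = e;
            return null;
        }
    }

    @Override
    protected void onPostExecute(String identityId) {
        // Runs on the main thread after doInBackground() has returned.
        if (error != null) {
            Log.e(TAG, "Could not retrieve identity ID", error);
        } else {
            Log.d(TAG, "my ID is " + identityId);
        }
    }
}
```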

iOS - Objective-C

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated identities. To provide AWS credentials to your app, follow the steps below.

  1. In the Amazon Cognito console, create an identity pool and copy the starter code snippets.

  2. If you haven't already done so, add the AWS Mobile SDK for iOS to your project. For instructions, see Set Up the Mobile SDK for iOS.

  3. In your source code, include the AWSCore header:

    #import <AWSCore/AWSCore.h>
  4. Initialize the Amazon Cognito credentials provider using the code snippet generated by the Amazon Cognito console. The value for IDENTITY_POOL_ID will be specific to your account:

    AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
        initWithRegionType:AWSRegionUSEast1
            identityPoolId:@"IDENTITY_POOL_ID"];
    AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc]
        initWithRegion:AWSRegionUSEast1
        credentialsProvider:credentialsProvider];
    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;

    Note

    If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito Identity

You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users:

// Retrieve your Amazon Cognito ID
[[credentialsProvider getIdentityId] continueWithBlock:^id(AWSTask *task) {
    if (task.error) {
        NSLog(@"Error: %@", task.error);
    } else {
        // the task result will contain the identity id
        NSString *cognitoId = task.result;
    }
    return nil;
}];

Note

getIdentityId is an asynchronous call. If an identity ID is already set on your provider, you can call credentialsProvider.identityId to retrieve that identity, which is cached locally. However, if an identity ID is not set on your provider, calling credentialsProvider.identityId will return nil. For more information, consult the Mobile SDK for iOS API Reference.

iOS - Swift

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated identities. To provide AWS credentials to your app, follow the steps below.

  1. In the Amazon Cognito console, create an identity pool and copy the starter code snippets.

  2. If you haven't already done so, add the Mobile SDK for iOS to your project. For instructions, see Set Up the SDK for iOS.

  3. In your source code, include the AWSCore header:

    import AWSCore
  4. Initialize the Amazon Cognito credentials provider using the code snippet generated by the Amazon Cognito console. The value for IDENTITY_POOL_ID will be specific to your account:

    let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1,
        identityPoolId: "IDENTITY_POOL_ID")
    let configuration = AWSServiceConfiguration(region: .USEast1,
        credentialsProvider: credentialsProvider)
    AWSServiceManager.default().defaultServiceConfiguration = configuration

    Note

    If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito Identity

You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users:

// Retrieve your Amazon Cognito ID
credentialsProvider.getIdentityId().continueWith(block: { (task) -> AnyObject? in
    if (task.error != nil) {
        print("Error: " + task.error!.localizedDescription)
    } else {
        // the task result will contain the identity id
        let cognitoId = task.result!
        print("Cognito id: \(cognitoId)")
    }
    return task;
})

Note

getIdentityId is an asynchronous call. If an identity ID is already set on your provider, you can call credentialsProvider.identityId to retrieve that identity, which is cached locally. However, if an identity ID is not set on your provider, calling credentialsProvider.identityId will return nil. For more information, consult the Mobile SDK for iOS API Reference.

JavaScript

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated identities. To provide AWS credentials to your app, follow the steps below.

// Set the region where your identity pool exists (us-east-1, eu-west-1)
AWS.config.region = 'us-east-1';

// Configure the credentials provider to use your identity pool
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'IDENTITY_POOL_ID',
});

// Make the call to obtain credentials
AWS.config.credentials.get(function(){
    // Credentials will be available when this function is called.
    var accessKeyId = AWS.config.credentials.accessKeyId;
    var secretAccessKey = AWS.config.credentials.secretAccessKey;
    var sessionToken = AWS.config.credentials.sessionToken;
});

Note

If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito Identity

You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users:

var identityId = AWS.config.credentials.identityId;

Unity

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated identities. To provide AWS credentials to your app, follow the steps below.

  1. In the Amazon Cognito console, create an identity pool and copy the starter code snippets.

  2. If you haven't already done so, download and import the AWS Mobile SDK for Unity package into your project. You can do so from the menu Assets > Import Package > Custom Package.

  3. Paste the starter code snippet from the Console into the script you want to call Amazon Cognito from. The value for IDENTITY_POOL_ID will be specific to your account:

    CognitoAWSCredentials credentials = new CognitoAWSCredentials (
        "IDENTITY_POOL_ID",    // Cognito Identity Pool ID
        RegionEndpoint.USEast1 // Region
    );

  4. Pass the initialized Amazon Cognito credentials to the constructor of the AWS client to be used. The code required depends on the service to be initialized. The client will use this provider to get credentials with which it will access AWS resources.

    Note

    If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito Identity

You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users:

credentials.GetIdentityIdAsync(delegate(AmazonCognitoIdentityResult<string> result) {
    if (result.Exception != null) {
        // Exception! Handle it and stop: no identity ID was returned.
        return;
    }
    string identityId = result.Response;
});

Xamarin

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated identities. To provide AWS credentials to your app, follow the steps below.

  1. In the Amazon Cognito console, create an identity pool and copy the starter code snippets.

  2. If you haven't already done so, add the AWS Mobile SDK for Xamarin to your project. For instructions, see Set Up the SDK for Xamarin.

  3. Include the following using statements:

    using Amazon.CognitoIdentity;
  4. Paste the starter code snippet from the Console into the script you want to call Amazon Cognito from. The value for IDENTITY_POOL_ID will be specific to your account:

    CognitoAWSCredentials credentials = new CognitoAWSCredentials (
        "IDENTITY_POOL_ID",    // Cognito Identity Pool ID
        RegionEndpoint.USEast1 // Region
    );

  5. Pass the initialized Amazon Cognito credentials to the constructor of the AWS client to be used. The code required depends on the service to be initialized. The client will use this provider to get credentials with which it will access AWS resources.

Note

If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito Identity

You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users:

var identityId = await credentials.GetIdentityIdAsync();