Amazon Cognito: Authenticated and Unauthenticated AWS User Identities
Using Amazon Cognito, you can create unique identities for your users and authenticate them for secure access to your AWS resources. Amazon Cognito supports public identity providers—Amazon, Facebook, and Google—as well as unauthenticated identities. You can establish your own identity provider through Amazon Cognito Your User Pools. Amazon Cognito also supports SAML 2.0 federation with enterprise identity providers like Active Directory, and developer authenticated identities, which let you register and authenticate users via your own backend authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.
For information about Amazon Cognito Identity Region availability, see AWS Service Region Availability.
To use AWS services in your app, you must include
AWSxxx.framework (where 'xxx' is the AWS service you wish to use) in your project.
To integrate Amazon Cognito with your app, you need the following:
To use Amazon Cognito in your app, you'll need to create an identity pool. An identity pool is a store of user identity data specific to your account. Using Amazon Cognito Sync: Sync User Data, you can retrieve the data across client platforms, devices, and operating systems, so that if a user starts using your app on a phone and later switches to a tablet, the persisted app information is still available for that user. To create a new identity pool, log in to the Amazon Cognito console. The New Identity Pool wizard will guide you through the configuration process.
You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated users.
To provide AWS credentials to your app, follow the steps below.
In the Amazon Cognito console, create an identity pool and download or copy the starter code snippets.
If you haven't already done so, add the
AWSCore.frameworkto your project. (For more information, see Set Up the SDK for iOS).
In your source code, include the
Initialize the Amazon Cognito credentials provider using the code snippet generated by the Amazon Cognito Console. The value for
YourIdentityPoolIdwill be specific to your account
let credentialProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: "YourIdentityPoolId") let configuration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: credentialProvider) AWSServiceManager.default().defaultServiceConfiguration = configuration
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"<your-identity-pool-arn>"]; AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider]; AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;
NoteIf you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor. To do so, open the Cognito Console, select your identity pool, click Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.
Once the login tokens are set in the credentials provider, you can retrieve a unique Amazon Cognito identifier for your end user and temporary credentials that let the app access your AWS resources.
- let cognitoId = credentialsProvider.identityId
- // Retrieve your Amazon Cognito ID. NSString *cognitoId = credentialsProvider.identityId;
The unique identifier is available in the
identityId property of the credentials provider object.
Once the Amazon Cognito credentials provider is initialized, you can use it to create clients for other Amazon Web Services. The example below shows how to create an Amazon DynamoDB client.
- let dynamoDB = AWSDynamoDB.default()
- AWSDynamoDB *dynamoDB = [AWSDynamoDB defaultDynamoDB];
The credentials provider communicates with Amazon Cognito, retrieving a unique identifier for the user as well as temporary, limited privilege AWS credentials for the AWS Mobile SDK. The retrieved credentials are valid for one hour.
With Amazon Cognito, you can create unique end user identifiers for accessing AWS cloud services by using public login providers such as Amazon, Facebook, Google, Twitter and any OpenID Connect compatible provider, or by using your own user identity system. With these identifiers you can store app data in the Amazon Cognito sync store or access other AWS services like Amazon S3 or Amazon DynamoDB. For information on how to use "External Identity Providers" with Amazon Cognito, please see the Amazon Cognito Developer Guide.