Amazon Cognito: Authenticated and Unauthenticated AWS User Identities

Using Amazon Cognito, you can create unique identities for your users and authenticate them for secure access to your AWS resources. Amazon Cognito supports public identity providers—Amazon, Facebook, and Google—as well as unauthenticated identities. You can establish your own identity provider through Amazon Cognito Your User Pools. Amazon Cognito also supports SAML 2.0 federation with enterprise identity providers like Active Directory, and developer authenticated identities, which let you register and authenticate users via your own backend authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.

For information about Amazon Cognito Identity Region availability, see AWS Service Region Availability.

To use AWS services in your app, you must include AWSxxx.framework (where 'xxx' is the AWS service you wish to use) in your project.


To integrate Amazon Cognito with your app, you need the following:

Create an Identity Pool

To use Amazon Cognito in your app, you'll need to create an identity pool. An identity pool is a store of user identity data specific to your account. Using Amazon Cognito Sync: Sync User Data, you can retrieve the data across client platforms, devices, and operating systems, so that if a user starts using your app on a phone and later switches to a tablet, the persisted app information is still available for that user. To create a new identity pool, log in to the Amazon Cognito console. The New Identity Pool wizard will guide you through the configuration process.

Providing AWS Credentials

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources. Amazon Cognito supports both authenticated and unauthenticated users.

To provide AWS credentials to your app, follow the steps below.

  1. In the Amazon Cognito console, create an identity pool and download or copy the starter code snippets.

  2. If you haven't already done so, add the AWSCore.framework to your project. (For more information, see Set Up the SDK for iOS).

  3. In your source code, include the AWSCore header.

  Swift:

    import AWSCore

  Objective-C:

    #import <AWSCore/AWSCore.h>

  4. Initialize the Amazon Cognito credentials provider using the code snippet generated by the Amazon Cognito console. The value for YourIdentityPoolId will be specific to your account.

  Swift:

    let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: "YourIdentityPoolId")
    let configuration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: credentialsProvider)
    AWSServiceManager.default().defaultServiceConfiguration = configuration

  Objective-C:

    AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
                                                                                                    identityPoolId:@"YourIdentityPoolId"];
    AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;


If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor. To do so, open the Cognito Console, select your identity pool, click Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

Retrieving an Amazon Cognito ID and AWS Credentials

Once the login tokens are set in the credentials provider, you can retrieve a unique Amazon Cognito identifier for your end user and temporary credentials that let the app access your AWS resources.

Swift:

    // Retrieve your Amazon Cognito ID.
    let cognitoId = credentialsProvider.identityId

Objective-C:

    // Retrieve your Amazon Cognito ID.
    NSString *cognitoId = credentialsProvider.identityId;

The unique identifier is available in the identityId property of the credentials provider object.

Once the Amazon Cognito credentials provider is initialized, you can use it to create clients for other Amazon Web Services. The example below shows how to create an Amazon DynamoDB client.

Swift:

    let dynamoDB = AWSDynamoDB.default()

Objective-C:

    AWSDynamoDB *dynamoDB = [AWSDynamoDB defaultDynamoDB];

The credentials provider communicates with Amazon Cognito, retrieving a unique identifier for the user as well as temporary, limited-privilege AWS credentials for the AWS Mobile SDK. The retrieved credentials are valid for one hour, after which the provider must obtain a fresh set.
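The following is an added example, not code from this page or from the AWS Mobile SDK documentation, that ties the two preceding sections together: it configures the credentials provider with an AWSIdentityProviderManager so one code path serves both authenticated users (who supply a provider token) and guests (who get the pool's unauthenticated role), then resolves the Cognito identity ID and the temporary credentials and inspects their expiry. AppIdentityProviderManager and loginTokens are assumed names; the identity pool ID is the page's placeholder.

```swift
import AWSCore

// Hands provider tokens to Cognito. An empty map means "guest": Cognito then
// issues credentials for the pool's unauthenticated role, so that role's policy
// is what every holder of the (public, app-embedded) pool ID can exercise.
class AppIdentityProviderManager: NSObject, AWSIdentityProviderManager {
    // Assumed shape: provider name -> token, e.g. ["graph.facebook.com": token]
    var loginTokens: [String: String] = [:]

    func logins() -> AWSTask<NSDictionary> {
        return AWSTask(result: loginTokens as NSDictionary)
    }
}

let providerManager = AppIdentityProviderManager()
let credentialsProvider = AWSCognitoCredentialsProvider(
    regionType: .USEast1,
    identityPoolId: "YourIdentityPoolId",          // placeholder from the Cognito console
    identityProviderManager: providerManager)
let configuration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = configuration

// Step 1: resolve (or create) the Cognito identity for this user or guest.
// Step 2: exchange it for temporary AWS credentials and check their lifetime.
credentialsProvider.getIdentityId().continueOnSuccessWith { (task: AWSTask<NSString>) -> Any? in
    print("Cognito identity: \(task.result ?? "")")
    return credentialsProvider.credentials()
}.continueWith { (task: AWSTask<AnyObject>) -> Any? in
    if let error = task.error {
        // Typical cause: the pool has no unauthenticated role and no token was supplied.
        print("Cognito credential fetch failed: \(error)")
        return nil
    }
    if let creds = task.result as? AWSCredentials {
        let role = providerManager.loginTokens.isEmpty ? "unauthenticated" : "authenticated"
        // Credentials are short-lived (about one hour); hold them in memory only and
        // let the provider refresh them rather than persisting the secret key.
        print("\(role) credentials for \(creds.accessKey ?? "") expire at \(String(describing: creds.expiration))")
    }
    return nil
}

// On sign-out, drop the cached identity and credentials so the next session
// does not silently continue as the previous user.
func signOut() {
    providerManager.loginTokens = [:]
    credentialsProvider.clearKeychain()
}
```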

Integrating Identity Providers

With Amazon Cognito, you can create unique end user identifiers for accessing AWS cloud services by using public login providers such as Amazon, Facebook, Google, Twitter and any OpenID Connect compatible provider, or by using your own user identity system. With these identifiers you can store app data in the Amazon Cognito sync store or access other AWS services like Amazon S3 or Amazon DynamoDB. For information on how to use "External Identity Providers" with Amazon Cognito, please see the Amazon Cognito Developer Guide.