Preparing to use web identity federation
If you are an application developer and want to use web identity federation for your app, follow these steps:
- Sign up as a developer with a third-party identity provider. The following external links provide information about signing up with supported identity providers:
  - Registration on the Facebook site
  - Using OAuth 2.0 to Access Google APIs on the Google site
- Register your app with the identity provider. When you do this, the provider gives you an ID that's unique to your app. If you want your app to work with multiple identity providers, you need to obtain an app ID from each provider.
- Create one or more IAM roles. You need one role for each identity provider for each app. For example, you might create a role that can be assumed by an app where the user signed in using Login with Amazon, a second role for the same app where the user has signed in using Facebook, and a third role for the app where users sign in using Google.
  As part of the role creation process, you need to attach an IAM policy to the role. Your policy document should define the DynamoDB resources required by your app, and the permissions for accessing those resources.
  For more information, see About Web Identity Federation in the IAM User Guide.
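The three steps above come together in two policy documents per role: a trust policy that restricts who may call sts:AssumeRoleWithWebIdentity (scoped to the app ID you received from the provider), and a permissions policy that scopes DynamoDB access to the signed-in user's own items. The following Python is an added example, not code from this page or from AWS; it builds both documents for each supported provider using the IAM condition keys and policy variables documented in the IAM User Guide (www.amazon.com:app_id / user_id, graph.facebook.com:app_id / id, accounts.google.com:aud / sub) together with the dynamodb:LeadingKeys and dynamodb:Attributes condition keys. The table ARN, app IDs and attribute names are constructed sample values, and the helper names are the example's own.

```python
import json
from typing import Dict, List, Optional, Tuple

# IAM condition keys and policy variables for each supported web identity
# provider (from "Available keys for web identity federation", IAM User Guide).
# The keys are the real IAM names; everything passed in below is sample data.
PROVIDERS: Dict[str, Dict[str, str]] = {
    "www.amazon.com": {"app_key": "www.amazon.com:app_id", "user_var": "${www.amazon.com:user_id}"},
    "graph.facebook.com": {"app_key": "graph.facebook.com:app_id", "user_var": "${graph.facebook.com:id}"},
    "accounts.google.com": {"app_key": "accounts.google.com:aud", "user_var": "${accounts.google.com:sub}"},
}


def trust_policy(provider: str, app_id: str) -> dict:
    """Trust policy for the role: only tokens issued by `provider` for our
    registered app ID may assume it. Without the Condition, any app using the
    same provider could obtain the role's credentials."""
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported identity provider: {provider}")
    spec = PROVIDERS[provider]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {spec["app_key"]: app_id}},
        }],
    }


def permissions_policy(provider: str, table_arn: str, actions: List[str],
                       attributes: Optional[List[str]] = None) -> dict:
    """Permissions policy: allow `actions` on one table, but only for items whose
    partition key equals the provider's user ID, and (optionally) only for the
    listed attributes. This is the fine-grained access control the DynamoDB
    console generates for web identity federation."""
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported identity provider: {provider}")
    user_var = PROVIDERS[provider]["user_var"]
    condition: Dict[str, dict] = {
        "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [user_var]},
    }
    if attributes:
        condition["ForAllValues:StringEquals"]["dynamodb:Attributes"] = list(attributes)
        # Force reads to request specific attributes so the Attributes
        # condition is always evaluated (a Select of ALL_ATTRIBUTES would be denied).
        condition["StringEqualsIfExists"] = {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [f"dynamodb:{a}" for a in actions],
            "Resource": [table_arn],
            "Condition": condition,
        }],
    }


def role_policies_for_app(app_ids: Dict[str, str], table_arn: str, actions: List[str],
                          attributes: Optional[List[str]] = None) -> Dict[str, Tuple[dict, dict]]:
    """One (trust, permissions) pair per identity provider, matching the
    one-role-per-provider-per-app layout described above."""
    return {
        provider: (trust_policy(provider, app_id),
                   permissions_policy(provider, table_arn, actions, attributes))
        for provider, app_id in app_ids.items()
    }


def is_user_scoped(policy: dict) -> bool:
    """Review check: every Allow statement must carry a LeadingKeys condition
    that references a provider user variable, so no statement grants the role
    table-wide access."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        keys = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {}).get("dynamodb:LeadingKeys", [])
        if not any(k.startswith("${") and k.endswith("}") for k in keys):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values: a fictitious table ARN and app IDs.
    sample_table = "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
    sample_app_ids = {"www.amazon.com": "amzn1.application.0000",
                      "graph.facebook.com": "111222333",
                      "accounts.google.com": "0000.apps.googleusercontent.com"}
    for provider, (trust, perms) in role_policies_for_app(
            sample_app_ids, sample_table, ["GetItem", "Query", "PutItem", "UpdateItem"],
            ["UserId", "GameTitle", "TopScore"]).items():
        print(f"--- {provider} (user-scoped: {is_user_scoped(perms)})")
        print(json.dumps(trust, indent=2))
        print(json.dumps(perms, indent=2))
```

The `is_user_scoped` check is the kind of review a practitioner runs on a hand-written or console-generated policy before attaching it: a statement without the LeadingKeys condition lets every signed-in user of the app read or write every other user's items.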
Note
As an alternative to AWS Security Token Service, you can use Amazon Cognito. Amazon Cognito is the preferred service for managing temporary credentials for mobile apps. For more information, see Getting credentials in the Amazon Cognito Developer Guide.
Generating an IAM policy using the DynamoDB console
The DynamoDB console can help you create an IAM policy for use with web identity federation. To do this, you choose a DynamoDB table and specify the identity provider, actions, and attributes to be included in the policy. The DynamoDB console then generates a policy that you can attach to an IAM role.
- Sign in to the AWS Management Console and open the DynamoDB console at https://console.aws.amazon.com/dynamodb/.
- In the navigation pane, choose Tables.
- In the list of tables, choose the table for which you want to create the IAM policy.
- Select the Actions button, and choose Create Access Control Policy.
- Choose the identity provider, actions, and attributes for the policy.
  When the settings are as you want them, choose Generate Policy. The generated policy appears.
- Choose See Documentation, and follow the steps required to attach the generated policy to an IAM role.