Accessing AWS services using an identity pool after sign-in - Amazon Cognito

Accessing AWS services using an identity pool after sign-in

You can enable your users to sign-in with a user pool, and then access AWS services using an identity pool.

After a successful authentication, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to retrieve AWS credentials that allow your app to access other AWS services. For more information, see Getting started with Amazon Cognito identity pools (federated identities).


        Accessing AWS credentials through a user pool with an identity pool

For more information about using identity pools together with user pool groups to control access your AWS resources see Adding groups to a user pool and Using role-based access control. See also Identity pools concepts (federated identities) for more information about identity pools and AWS Identity and Access Management.

Setting up a user pool with the AWS Management Console

Create an Amazon Cognito user pool and make a note of the User Pool ID and App Client ID for each of your client apps. For more information about creating user pools, see Getting started with user pools.

Setting up an identity pool with the AWS Management Console

The following procedure describes how to use the AWS Management Console to integrate an identity pool with one or more user pools and client apps.

To add an Amazon Cognito user pools identity provider (IdP)
  1. Choose Identity pools from the Amazon Cognito console. Select an identity pool.

  2. Choose the User access tab.

  3. Select Add identity provider.

  4. Choose Amazon Cognito user pool.

  5. Enter a User pool ID and an App client ID.

  6. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure Role settings.

    1. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules. With an Amazon Cognito user pool IdP, you can also Choose role with preferred_role claim in tokens. For more information about the cognito:preferred_role claim, see Assigning precedence values to groups.

      1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.

      2. If you chose Choose role with preferred_role claim in tokens, Amazon Cognito will issue credentials for the role in your user's cognito:preferred_role claim. If no preferred role claim is present, Amazon Cognito issues credentials based on your Role resolution.

      3. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.

  7. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure Attributes for access control.

    1. To apply no principal tags, choose Inactive.

    2. To apply principal tags based on sub and aud claims, choose Use default mappings.

    3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

  8. Select Save changes.

Integrating a user pool with an identity pool

After your app user is authenticated, add that user's identity token to the logins map in the credentials provider. The provider name will depend on your Amazon Cognito user pool ID. It will have the following structure:

cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>

You can derive the value for <region> from the User Pool ID. For example, if the user pool ID is us-east-1_EXAMPLE1, then the <region> is us-east-1, and if the user pool ID is us-west-2_EXAMPLE2, then the <region> is us-west-2.

JavaScript
var cognitoUser = userPool.getCurrentUser(); if (cognitoUser != null) { cognitoUser.getSession(function(err, result) { if (result) { console.log('You are now logged in.'); // Add the User's Id Token to the Cognito credentials login map. AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'YOUR_IDENTITY_POOL_ID', Logins: { 'cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>': result.getIdToken().getJwtToken() } }); } }); }
Android
cognitoUser.getSessionInBackground(new AuthenticationHandler() { @Override public void onSuccess(CognitoUserSession session) { String idToken = session.getIdToken().getJWTToken(); Map<String, String> logins = new HashMap<String, String>(); logins.put("cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>", session.getIdToken().getJWTToken()); credentialsProvider.setLogins(logins); } });
iOS - objective-C
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:nil]; AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID" clientSecret:@"YOUR_CLIENT_SECRET" poolId:@"YOUR_USER_POOL_ID"]; [AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"]; AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"]; AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"YOUR_IDENTITY_POOL_ID" identityProviderManager:pool];
iOS - swift
let serviceConfiguration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: nil) let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YOUR_CLIENT_ID", clientSecret: "YOUR_CLIENT_SECRET", poolId: "YOUR_USER_POOL_ID") AWSCognitoIdentityUserPool.registerCognitoIdentityUserPoolWithConfiguration(serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "UserPool") let pool = AWSCognitoIdentityUserPool(forKey: "UserPool") let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: "YOUR_IDENTITY_POOL_ID", identityProviderManager:pool)