Using identity pools (federated identities) - Amazon Cognito

Using identity pools (federated identities)

Important

Currently, you must configure Amazon Cognito identity pools in the original console, even if you have migrated to the new console for Amazon Cognito user pools. From the new console, choose Federated identities to navigate to the identity pools console.

Amazon Cognito identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to your account.

To create a new identity pool in the console

  1. Sign in to the Amazon Cognito console, choose Manage identity pools, and then choose Create new identity pool.

  2. Type a name for your identity pool.

  3. To enable unauthenticated identities, select Enable access to unauthenticated identities from the Unauthenticated identities collapsible section.

  4. If desired, configure an authentication provider in the Authentication providers section.

  5. Choose Create Pool.

    Note

    At least one identity is required for a valid identity pool.

  6. You will be prompted for access to your AWS resources.

    Choose Allow to create the two default roles associated with your identity pool—one for unauthenticated users, and one for authenticated users. These default roles provide your identity pool access to Amazon Cognito Sync. You can modify the roles associated with your identity pool in the IAM console. For additional instructions on working with the Amazon Cognito console, see Using the Amazon Cognito console.

User IAM roles

An IAM role defines the permissions for your users to access AWS resources, like Amazon Cognito Sync. Users of your application will assume the roles you create. You can specify different roles for authenticated and unauthenticated users. To learn more about IAM roles, see IAM roles.

Authenticated and unauthenticated identities

Amazon Cognito identity pools support both authenticated and unauthenticated identities. Authenticated identities belong to users who are authenticated by any supported identity provider. Unauthenticated identities typically belong to guest users.

Enable or disable unauthenticated identities

Amazon Cognito identity pools can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider. If your application allows users who do not log in, you can enable access for unauthenticated identities. To learn more, see Getting started with Amazon Cognito identity pools (federated identities).

Choose Manage identity pools from the Amazon Cognito console:

  1. Select the name of the identity pool for which you want to enable or disable unauthenticated identities. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and select Unauthenticated identities to expand it.

  4. Select the check box to enable or disable access to unauthenticated identities.

  5. Select Save Changes.

Change the role associated with an identity type

Every identity in your identity pool is either authenticated or unauthenticated. Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, Google, SAML, or any OpenID Connect Providers) or a developer provider (your own backend authentication process). Unauthenticated identities typically belong to guest users.

For each identity type, there is an assigned role. This role has a policy attached to it which dictates which AWS services that role can access. When Amazon Cognito receives a request, the service determines the identity type, determines the role assigned to that identity type, and uses the policy attached to that role to respond. By modifying a policy or assigning a different role to an identity type, you can control which AWS services an identity type can access. To view or modify the policies associated with the roles in your identity pool, see the AWS IAM Console.

You can change which role is associated with an identity type using the Amazon Cognito identity pool (federated identities) console. Choose Manage identity pools from the Amazon Cognito console:

  1. Select the name of the identity pool for which you want to modify roles. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity pool page appears.

  3. Use the dropdown lists next to Unauthenticated role and Authenticated role to change roles. Select Create new role to create or modify the roles associated with each identity type in the AWS IAM console. For more information, see IAM Roles.

Enable or edit authentication providers

If you allow your users to authenticate using public identity providers (for example, Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, or Google), you can specify your application identifiers in the Amazon Cognito identity pools (federated identities) console. This associates the application ID (provided by the public login provider) with your identity pool.

You can also configure authentication rules for each provider from this page. Each provider allows up to 25 rules. The rules are applied in the order you save for each provider. For more information, see Role-based access control.

Warning

Changing the application ID to which an identity pool is linked disables existing users from authenticating with that identity pool. Learn more about Identity pools (federated identities) external identity providers.

Choose Manage identity pools from the Amazon Cognito console:

  1. Select the name of the identity pool for which you want to enable the external provider. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and select Authentication providers to expand it.

  4. Select the tab for the appropriate provider and enter the required information associated with that authentication provider.

Delete an identity pool

Choose Manage identity pools from the Amazon Cognito console:

  1. Select the name of the identity pool that you want to delete. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and select Delete identity pool to expand it.

  4. Select Delete identity pool.

  5. Select Delete pool.

Warning

When you select the Delete button, you will permanently delete your identity pool and all the user data it contains. Deleting an identity pool will cause applications and other services utilizing the identity pool to stop working.

Delete an identity from an identity pool

Choose Manage identity pools from the Amazon Cognito console:

  1. Select the name of the identity pool that contains the identity that you want to delete. The Dashboard page for your identity pool appears.

  2. In the left-hand navigation on the Dashboard page, select Identity browser. The Identities page appears.

  3. On the Identities page, enter the identity ID that you want to delete, and then select Search.

  4. On the Identity details page, select the Delete identity button, and then select Delete.