Using identity pools (federated identities)
Amazon Cognito identity pools provide temporary AWS credentials for users who are guests
(unauthenticated) and for users who have been authenticated and received a token. An identity
pool is a store of user identity data specific to your account.
- New console
-
To create a new identity pool in the console
-
Sign in to the Amazon Cognito
console and select Identity pools.
-
Choose Create identity pool.
-
In Configure identity pool trust, choose to set up your
identity pool for Authenticated access, Guest
access, or both.
-
If you chose Authenticated access, select one or more
Identity types that you want to set as the source of
authenticated identities in your identity pool. If you configure a
Custom developer provider, you can't modify or delete it
after you create your identity pool.
-
In Configure permissions, choose a default IAM role for
authenticated or guest users in your identity pool.
-
Choose to Create a new IAM role if you want Amazon Cognito to
create a new role for you with basic permissions and a trust relationship with
your identity pool. Enter an IAM role name to identify
your new role, for example myidentitypool_authenticatedrole. Select
View policy document to review the permissions that Amazon Cognito
will assign to your new IAM role.
-
You can choose to Use an existing IAM role if you
already have a role in your AWS account that you want to use. You must
configure your IAM role trust policy to trust the federated principal
cognito-identity.amazonaws.com. Don't stop at the principal: add conditions
on cognito-identity.amazonaws.com:aud (your identity pool ID) and on
cognito-identity.amazonaws.com:amr (authenticated) so that Amazon Cognito can
assume the role only when it presents evidence that the request originated
from an authenticated user in your specific identity pool. A trust policy
without the aud condition can be assumed through any identity pool, in any
AWS account. For more information, see Role trust and permissions.
-
In Connect identity providers, enter the details of the
identity providers (IdPs) that you chose in Configure identity pool
trust. You might be asked to provide OAuth app client information,
choose an Amazon Cognito user pool, choose a SAML or OpenID Connect IdP that
you registered in IAM, or enter a custom identifier for a
developer provider.
-
Choose the Role settings for each IdP. You can assign
users from that IdP the Default role that you set up when
you configured your Authenticated role, or you can
Choose role with rules. With an Amazon Cognito user pool IdP, you
can also Choose role with preferred_role in tokens. For
more information about the cognito:preferred_role
claim, see Assigning precedence values to
groups.
-
If you chose Choose role with rules, enter the
source Claim from your user's authentication, the
Operator that you want to compare the claim by, the
Value that will cause a match to this role choice,
and the Role that you want to assign when the
Role assignment matches. Select Add
another to create an additional rule based on a different
condition. Rules are evaluated in the order you list them, and the first
rule that matches assigns the role.
-
Choose a Role resolution. When your user's claims
don't match your rules, you can deny credentials or issue credentials for
your Authenticated role.
-
Configure Attributes for access control for each IdP.
Attributes for access control maps user claims to principal tags that
Amazon Cognito applies to their temporary session. You can build IAM policies to filter
user access based on the tags that you apply to their session.
-
To apply no principal tags, choose Inactive.
-
To apply principal tags based on the sub and aud claims, choose Use default mappings.
-
To create your own custom schema of attributes to principal tags, choose
Use custom mappings. Then enter a Tag
key that you want to source from each
Claim that you want to represent in a tag.
-
In Configure properties, enter a Name
under Identity pool name.
-
Under Basic (classic) authentication, choose whether you
want to Activate basic flow. With the basic flow active, your client
bypasses the role selections you made for your IdPs: it exchanges its
identity for an OpenID token and calls AssumeRoleWithWebIdentity directly,
naming whichever role it wants. The only control over which roles a client
can reach is then each role's trust policy, so leave the basic flow inactive
unless you need it, and scope the trust policy of every role that trusts
cognito-identity.amazonaws.com to your pool ID. For more information, see
Identity pools (federated identities) authentication flow.
-
Under Tags, choose Add tag if you want
to apply tags to your identity pool.
-
In Review and create, confirm the selections that you made
for your new identity pool. Select Edit to return to the wizard
and change any settings. When you're done, select Create identity
pool.
- Original console
-
To create a new identity pool in the console
-
Sign in to the Amazon Cognito
console, choose Manage identity pools, and then
choose Create new identity pool.
-
Type a name for your identity pool.
-
To enable unauthenticated identities, select Enable access to
unauthenticated identities from the Unauthenticated
identities collapsible section.
-
If desired, configure an authentication provider in the Authentication
providers section.
-
Choose Create Pool.
At least one identity source, either an authentication provider or access for unauthenticated identities, is required for a valid identity pool.
-
You will be prompted for access to your AWS resources.
Choose Allow to create the two default roles associated
with your identity pool—one for unauthenticated users, and one for
authenticated users. These default roles provide your identity pool access to
Amazon Cognito Sync. You can modify the roles associated with your identity pool in the IAM
console. For additional instructions on working with the Amazon Cognito console, see Using the Amazon Cognito console.
User IAM roles
An IAM role defines the permissions for your users to access AWS resources, like
Amazon Cognito Sync. Users of your application
will assume the roles you create. You can specify different roles for authenticated and
unauthenticated users. To learn more about IAM roles, see IAM roles.
Authenticated and
unauthenticated identities
Amazon Cognito identity pools support both authenticated and unauthenticated identities.
Authenticated identities belong to users who are authenticated by any supported identity
provider. Unauthenticated identities typically belong to guest users.
Activate or deactivate guest
access
Amazon Cognito identity pools guest access (unauthenticated identities) provides a unique
identifier and AWS credentials for users who do not authenticate with an identity
provider. If your application allows users who do not log in, you can activate access for
unauthenticated identities. To learn more, see Getting started with Amazon Cognito identity
pools (federated identities).
- New console
-
To update
guest access in an identity pool
-
Choose Identity pools from the Amazon Cognito console. Select an identity
pool.
-
Choose the User access tab.
-
Locate Guest access. In an identity pool that doesn't
currently support guest access, Status is
Inactive.
-
If Guest access is Active and
you want to deactivate it, select Deactivate.
-
If Guest access is Inactive and
you want to activate it, select Edit.
-
Choose a default IAM role for guest users in your identity
pool.
-
Choose to Create a new IAM role if you want
Amazon Cognito to create a new role for you with basic permissions and a trust
relationship with your identity pool. Enter an IAM role
name to identify your new role, for example
myidentitypool_unauthenticatedrole. Select View
policy document to review the permissions that Amazon Cognito will
assign to your new IAM role.
-
You can choose to Use an existing IAM role
if you already have a role in your AWS account that you want to use.
You must configure your IAM role trust policy to trust the federated
principal cognito-identity.amazonaws.com. Configure your role
trust policy to only allow Amazon Cognito to assume the role when it presents
evidence that the request originated from a guest (unauthenticated) identity
in your specific identity pool: condition on
cognito-identity.amazonaws.com:aud for the pool ID and on
cognito-identity.amazonaws.com:amr for unauthenticated. For more
information, see Role trust and permissions.
-
Select Save changes.
-
To activate guest access, select Activate in
the User access tab.
- Original console
-
Choose Manage identity pools from the Amazon Cognito console:
-
Select the name of the identity pool for which you want to enable or disable
unauthenticated identities. The Dashboard page
for your identity pool appears.
-
In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity
pool page appears.
-
Scroll down and select Unauthenticated
identities to expand it.
-
Select the check box to enable or disable access to unauthenticated
identities.
-
Select Save Changes.
Change the role
associated with an identity type
Every identity in your identity pool is either authenticated or unauthenticated.
Authenticated identities belong to users who are authenticated by a public login provider
(Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, Google, SAML, or any
OpenID Connect Providers) or a developer provider (your own backend authentication process).
Unauthenticated identities typically belong to guest users.
For each identity type, there is an assigned role. This role has a policy attached to it
that dictates which AWS services that role can access. When Amazon Cognito receives a request, the
service determines the identity type, determines the role assigned to that identity type,
and uses the policy attached to that role to respond. By modifying a policy or assigning a
different role to an identity type, you can control which AWS services an identity type
can access. To view or modify the policies associated with the roles in your identity pool,
see the AWS IAM Console.
- New console
-
To change the identity pool default authenticated or unauthenticated
role
-
Choose Identity pools from the Amazon Cognito console. Select an identity
pool.
-
Choose the User access tab.
-
Locate Guest access or Authenticated
access. In an identity pool that isn't currently configured for that
access type, Status is Inactive. Select
Edit.
-
Choose a default IAM role for guest or authenticated users in your identity
pool.
-
Choose to Create a new IAM role if you want Amazon Cognito
to create a new role for you with basic permissions and a trust relationship
with your identity pool. Enter an IAM role name to
identify your new role, for example
myidentitypool_authenticatedrole. Select View policy
document to review the permissions that Amazon Cognito will assign to your
new IAM role.
-
You can choose to Use an existing IAM role if you
already have a role in your AWS account that you want to use. You must
configure your IAM role trust policy to trust the federated principal
cognito-identity.amazonaws.com. Configure your role trust
policy to only allow Amazon Cognito to assume the role when it presents evidence that
the request originated from your specific identity pool (the
cognito-identity.amazonaws.com:aud condition) and from the identity type
the role is for (cognito-identity.amazonaws.com:amr of authenticated or
unauthenticated). For more information, see Role trust and permissions.
-
Select Save changes.
- Original console
-
You can change which role is associated with an identity type using the Amazon Cognito
identity pool (federated identities) console. Choose Manage identity
pools from the Amazon Cognito
console:
-
Select the name of the identity pool for which you want to modify roles. The
Dashboard page for your identity pool
appears.
-
In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity
pool page appears.
-
Use the dropdown lists next to Unauthenticated
role and Authenticated role to
change roles. Select Create new role to create or
modify the roles associated with each identity type in the AWS IAM console. For more
information, see IAM
Roles.
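The trust policy that the Use an existing IAM role option asks for, in the create wizard's Configure permissions step, in Activate or deactivate guest access, and in the section above, together with a check you can run over a role's trust policy document before you attach it to a pool. This is an added Python example, not AWS code or an AWS tool; the pool ID, account number and role names are constructed placeholders, and the conditions it uses (cognito-identity.amazonaws.com:aud and :amr) are the ones the console's own generated trust policy uses.

```python
"""Build and audit the trust policy of an IAM role that an identity pool assumes.

Added example, not AWS code. The pool ID and role ARNs below are constructed
placeholders; substitute your own. Nothing here calls AWS.
"""
from __future__ import annotations

import json

COGNITO_IDENTITY = "cognito-identity.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list in most policy positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(identity_pool_id: str, amr: str) -> dict:
    """Trust policy that lets Amazon Cognito assume the role only for identities
    from one specific pool (aud) and one identity type (amr). Use
    "authenticated" for the authenticated role and "unauthenticated" for the guest role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": COGNITO_IDENTITY},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{COGNITO_IDENTITY}:aud": identity_pool_id},
                    "ForAnyValue:StringLike": {f"{COGNITO_IDENTITY}:amr": amr},
                },
            }
        ],
    }


def audit_trust_policy(policy: dict, identity_pool_id: str, amr: str) -> list[str]:
    """Return one finding per Allow statement that trusts Cognito identity without
    pinning the pool (aud) and the identity type (amr). An empty list means the
    policy is scoped the way the console wizard expects."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if COGNITO_IDENTITY not in federated and principal != "*":
            continue  # not a statement about Cognito identity; out of scope here
        condition = stmt.get("Condition", {})
        aud_values = _as_list(condition.get("StringEquals", {}).get(f"{COGNITO_IDENTITY}:aud"))
        if aud_values != [identity_pool_id]:
            findings.append(
                f"statement {index}: aud is {aud_values or 'unset'}; without a single-pool aud "
                f"condition any identity pool, in any account, can assume this role"
            )
        amr_values = _as_list(condition.get("ForAnyValue:StringLike", {}).get(f"{COGNITO_IDENTITY}:amr"))
        if amr_values != [amr]:
            findings.append(f"statement {index}: amr is {amr_values or 'unset'}; expected [{amr!r}]")
    return findings


if __name__ == "__main__":
    pool = "us-east-1:11111111-2222-3333-4444-555555555555"  # constructed placeholder
    print(json.dumps(build_trust_policy(pool, "authenticated"), indent=2))
    # A hand-written trust policy that names only the principal, with no conditions.
    loose = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Federated": COGNITO_IDENTITY},
                       "Action": "sts:AssumeRoleWithWebIdentity"}],
    }
    for finding in audit_trust_policy(loose, pool, "authenticated"):
        print("finding:", finding)
```

Feed audit_trust_policy the AssumeRolePolicyDocument that aws iam get-role returns for each role your pool references. The aud condition is what stops a pool you don't own from reaching the role; the amr condition is what keeps a guest identity out of the authenticated role when the basic flow is active, since in that flow the client, not the pool's role settings, picks the role ARN.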
Edit identity providers
If you allow your users to authenticate using consumer identity providers (for example,
Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, or Google), you can
specify your application identifiers in the Amazon Cognito identity pools (federated identities)
console. This associates the application ID (provided by the public login provider) with
your identity pool.
You can also configure authentication rules for each provider from this page. Each
provider allows up to 25 rules. Rules are evaluated in the order you save them for
each provider, and the first rule that matches assigns the role; when no rule
matches, the Role resolution setting decides whether the user receives the default
authenticated role or no credentials at all. For more information, see Using role-based access control.
- New console
-
To update an identity pool identity provider (IdP)
-
Choose Identity pools from the Amazon Cognito console. Select an identity
pool.
-
Choose the User access tab.
-
Locate Identity providers. Choose the identity provider
that you want to edit. If you want to add a new IdP, select Add identity
provider.
-
If you chose Add identity provider, choose one of the
Identity types that you want to add.
-
To change the application ID, choose Edit in
Identity provider information.
-
To change the role that Amazon Cognito requests when it issues credentials to users who
have authenticated with this provider, choose Edit in
Role settings.
-
You can assign users from that IdP the Default role
that you set up when you configured your Authenticated
role, or you can Choose role with rules.
With an Amazon Cognito user pool IdP, you can also Choose role with
preferred_role in tokens. For more information about the
cognito:preferred_role
claim, see Assigning precedence values to
groups.
-
If you chose Choose role with rules, enter the
source Claim from your user's authentication, the
Operator that you want to compare the claim by, the
Value that will cause a match to this role choice,
and the Role that you want to assign when the
Role assignment matches. Select Add
another to create an additional rule based on a different
condition.
-
Choose a Role resolution. When your user's claims
don't match your rules, you can deny credentials or issue credentials for
your Authenticated role.
-
To change the principal tags that Amazon Cognito assigns when it issues credentials to
users who have authenticated with this provider, choose Edit
in Attributes for access control.
-
To apply no principal tags, choose Inactive.
-
To apply principal tags based on the sub and aud claims, choose Use default mappings.
-
To create your own custom schema of attributes to principal tags, choose
Use custom mappings. Then enter a Tag
key that you want to source from each Claim
that you want to represent in a tag.
-
Select Save changes.
- Original console
-
Choose Manage identity pools from the Amazon Cognito console:
-
Select the name of the identity pool for which you want to enable the external
provider. The Dashboard page for your identity
pool appears.
-
In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity
pool page appears.
-
Scroll down and select Authentication
providers to expand it.
-
Select the tab for the appropriate provider and enter the required information
associated with that authentication provider.
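How Role settings and Attributes for access control combine when Amazon Cognito issues credentials, for both the create wizard's Connect identity providers step and the Edit identity providers procedure above. This is an added Python example, not AWS code: it evaluates, offline and over constructed claims, a Rules role mapping in the shape that SetIdentityPoolRoles accepts for one RoleMappings entry, a Token mapping driven by cognito:preferred_role, and a custom principal-tag mapping in the shape that SetPrincipalTagAttributeMap accepts. The role ARNs, account ID and claim values are placeholders, and the default (sub and aud) tag mapping is not modelled.

```python
"""Offline simulation of identity pool role selection and principal tags.

Added example, not AWS code. ROLE_MAPPING uses the shape SetIdentityPoolRoles
takes for one RoleMappings entry; TAG_MAP uses the shape SetPrincipalTagAttributeMap
takes for PrincipalTags. Role ARNs, account ID and claims are constructed
placeholders. Nothing here calls AWS.
"""
import re

# The console's Operator choices correspond to the RoleMappings MatchType values.
MATCHERS = {
    "Equals": lambda claim, value: claim == value,
    "NotEqual": lambda claim, value: claim != value,
    "Contains": lambda claim, value: value in claim,
    "StartsWith": lambda claim, value: claim.startswith(value),
}

DEFAULT_AUTHENTICATED_ROLE = "arn:aws:iam::123456789012:role/myidentitypool_authenticatedrole"
SECOPS_ROLE = "arn:aws:iam::123456789012:role/SecOpsRole"
EMPLOYEE_ROLE = "arn:aws:iam::123456789012:role/EmployeeRole"

# Rules are evaluated in order and the first match wins; AmbiguousRoleResolution
# (the console's Role resolution) applies only when no rule matches.
ROLE_MAPPING = {
    "Type": "Rules",
    "AmbiguousRoleResolution": "Deny",
    "RulesConfiguration": {
        "Rules": [
            {"Claim": "custom:department", "MatchType": "Equals", "Value": "security", "RoleARN": SECOPS_ROLE},
            {"Claim": "email", "MatchType": "Contains", "Value": "@example.com", "RoleARN": EMPLOYEE_ROLE},
        ]
    },
}

# Custom attributes-for-access-control mapping: principal tag key -> claim name.
TAG_MAP = {"dept": "custom:department", "userId": "sub"}


def resolve_role(mapping: dict, claims: dict, default_authenticated_role: str):
    """Return the role ARN Cognito would request for these claims, or None when
    nothing matches and AmbiguousRoleResolution is Deny (no credentials issued)."""
    fallback = default_authenticated_role if mapping.get("AmbiguousRoleResolution") == "AuthenticatedRole" else None
    if mapping["Type"] == "Token":
        # User pool tokens carry cognito:roles (a list) and, with group precedence
        # configured, cognito:preferred_role; the preferred role wins outright.
        preferred = claims.get("cognito:preferred_role")
        if preferred:
            return preferred
        roles = claims.get("cognito:roles", [])
        return roles[0] if len(roles) == 1 else fallback
    for rule in mapping["RulesConfiguration"]["Rules"]:
        claim_value = claims.get(rule["Claim"])
        if claim_value is not None and MATCHERS[rule["MatchType"]](str(claim_value), rule["Value"]):
            return rule["RoleARN"]
    return fallback


def principal_tags(tag_map: dict, claims: dict) -> dict:
    """Tags applied to the temporary session: only claims present in the token become tags."""
    return {key: str(claims[claim]) for key, claim in tag_map.items() if claim in claims}


def resolve_policy_variables(resource: str, tags: dict):
    """Expand ${aws:PrincipalTag/key} in a policy Resource the way IAM does for this
    session. A reference to a tag the session does not carry never matches; None signals that."""
    try:
        return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}", lambda m: tags[m.group(1)], resource)
    except KeyError:
        return None


if __name__ == "__main__":
    # Constructed claims, as they might appear in an ID token from a user pool IdP.
    claims = {"sub": "0f8b6f2e-1c2d-4e3f-8a9b-0c1d2e3f4a5b", "email": "ana@example.com",
              "custom:department": "security"}
    tags = principal_tags(TAG_MAP, claims)
    print("role:", resolve_role(ROLE_MAPPING, claims, DEFAULT_AUTHENTICATED_ROLE))
    print("tags:", tags)
    print("resource:", resolve_policy_variables("arn:aws:s3:::example-bucket/${aws:PrincipalTag/dept}/*", tags))
```

Two things the simulation makes visible. Contains and StartsWith are plain substring tests, so the second rule above also matches an email such as mallory@example.com.attacker.test; prefer Equals on a claim your IdP guarantees, or match the user pool's own group claims, when the rule gates a privileged role. And the role a rule selects is still subject to that role's trust policy, which must accept your pool ID, or the credential request fails.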
Delete an identity pool
You can't undo identity pool deletion. After you delete an identity pool, all apps and
users that depend on it stop working.
- New console
-
To delete an identity pool
-
Choose Identity pools from the Amazon Cognito console. Select the radio
button next to the identity pool that you want to delete.
-
Select Delete.
-
Enter or paste the name of your identity pool and select
Delete.
- Original console
-
Choose Manage identity pools from the Amazon Cognito console:
-
Select the name of the identity pool that you want to delete. The Dashboard page for your identity pool appears.
-
In the top-right corner of the Dashboard page, select Edit identity pool. The Edit identity
pool page appears.
-
Scroll down and select Delete identity pool
to expand it.
-
Select Delete identity pool.
-
Select Delete pool.
When you select the Delete button, you will permanently delete your identity pool and
all the user data it contains. Deleting an identity pool will cause applications and other
services using the identity pool to stop working.
Delete an identity from an
identity pool
When you delete an identity from an identity pool, you remove the identifying
information that Amazon Cognito has stored for that federated user. When your user requests
credentials again, they receive a new identity ID if your identity pool still trusts their
identity provider. You can't undo this operation.
- New console
-
To delete an identity
-
Choose Identity pools from the Amazon Cognito console. Select an identity
pool.
-
Choose the Identity browser tab.
-
Select the check boxes next to the identities that you want to delete and
choose Delete. Confirm that you want to delete the identities
and choose Delete.
- Original console
-
Choose Manage identity pools from the Amazon Cognito console:
-
Select the name of the identity pool that contains the identity you want to
delete. The Dashboard page for your identity pool
appears.
-
In the left-hand navigation on the Dashboard page, select Identity browser. The Identities page appears.
-
On the Identities page, enter the identity ID
that you want to delete, and then select Search.
-
On the Identity details page, select the
Delete identity button, and then select
Delete.