Tutorial: Creating an identity pool - Amazon Cognito

With an identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB.

New console
To create a new identity pool in the console
  1. Sign in to the Amazon Cognito console and select Identity pools.

  2. Choose Create identity pool.

  3. In Configure identity pool trust, choose to set up your identity pool for Authenticated access, Guest access, or both.

    1. If you chose Authenticated access, select one or more Identity types that you want to set as the source of authenticated identities in your identity pool. If you configure a Custom developer provider, you can't modify or delete it after you create your identity pool.

  4. In Configure permissions, choose a default IAM role for authenticated or guest users in your identity pool.

    1. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.

    2. You can choose to Use an existing IAM role if you already have a role in your AWS account that you want to use. You must configure your IAM role trust policy to include cognito-identity.amazonaws.com. Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.

  5. In Connect identity providers, enter the details of the identity providers (IdPs) that you chose in Configure identity pool trust. You might be asked to provide OAuth app client information, choose an Amazon Cognito user pool, choose an IAM IdP, or enter a custom identifier for a developer provider.

    1. Choose the Role settings for each IdP. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules. With an Amazon Cognito user pool IdP, you can also Choose role with preferred_role in tokens. For more information about the cognito:preferred_role claim, see Assigning precedence values to groups.

      1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.

      2. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.

    2. Configure Attributes for access control for each IdP. Attributes for access control map user claims to principal tags that Amazon Cognito applies to the user's temporary session. You can build IAM policies that filter user access based on the tags applied to their session.

      1. To apply no principal tags, choose Inactive.

      2. To apply principal tags based on sub and aud claims, choose Use default mappings.

      3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

  6. In Configure properties, enter a Name under Identity pool name.

  7. Under Basic (classic) authentication, choose whether you want to Activate basic flow. With the basic flow active, you can bypass the role selections you made for your IdPs and call AssumeRoleWithWebIdentity directly. For more information, see Identity pools (federated identities) authentication flow.

  8. Under Tags, choose Add tag if you want to apply tags to your identity pool.

  9. In Review and create, confirm the selections that you made for your new identity pool. Select Edit to return to the wizard and change any settings. When you're done, select Create identity pool.
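The trust-policy requirement in step 4 (trust only cognito-identity.amazonaws.com, and only for identities from your own pool) is the part of this procedure most often left too broad. The following is an added example, not code from the AWS page: it builds a trust policy with the aud and amr conditions and checks an arbitrary trust policy for them. The identity pool ID is a constructed placeholder, and sts:TagSession is included because the principal tags from Attributes for access control require it.

```python
"""Added example (not from the AWS page): build the trust policy that step 4
describes and check an arbitrary trust policy for the scoping conditions.
The identity pool ID below is a constructed placeholder."""
import json

# Constructed placeholder; real IDs look like "<region>:<uuid>"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"


def build_trust_policy(identity_pool_id, authenticated=True):
    """Trust policy that lets only Amazon Cognito identity pools assume the
    role, and only for identities from this pool with the expected
    authentication state. sts:TagSession is included so that principal
    tags from 'Attributes for access control' can be applied."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO_PRINCIPAL},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {
                # aud: the request must come from this identity pool
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                # amr: the identity must have the expected authentication state
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def trust_policy_findings(policy, identity_pool_id):
    """Return the ways an Allow statement in the trust policy is broader
    than this identity pool needs. An empty list means every Allow
    statement is scoped to the pool and to an authentication state."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != COGNITO_PRINCIPAL:
            findings.append("principal is not cognito-identity.amazonaws.com")
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud is None:
            findings.append("no aud condition: identities from any pool could assume the role")
        elif aud != identity_pool_id:
            findings.append("aud condition names a different identity pool")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr is None:
            findings.append("no amr condition: guest and authenticated identities are not distinguished")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(IDENTITY_POOL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, IDENTITY_POOL_ID))
```

Run trust_policy_findings against the trust policy of any existing role you plan to reuse in step 4; a non-empty list means the role can be assumed by a wider set of callers than your identity pool.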
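Step 5's Choose role with rules settings (Claim, Operator, Value, Role, and the Role resolution fallback) are easier to reason about once you see the evaluation written out. The following is an added illustration, not Amazon Cognito's own code: a small reimplementation of rule-based role selection using the operator names and role-resolution values the identity pool API uses. The rules, claims and role ARNs are constructed samples, and treating an absent claim as "no match" is an assumption of this example.

```python
"""Added example (not Amazon Cognito's own code): a small reimplementation
of rule-based role selection, to show how Claim, Operator, Value and Role
resolution combine. Rules, claims and role ARNs are constructed samples."""

# Operator names as they appear in the identity pool API's RulesConfiguration
MATCH_TYPES = ("Equals", "Contains", "StartsWith", "NotEqual")


def claim_matches(claim_value, match_type, value):
    """Apply one rule's operator to one claim value. A claim that is absent
    from the token is treated as not matching (assumption of this example)."""
    if match_type not in MATCH_TYPES:
        raise ValueError(f"unknown operator {match_type!r}")
    if claim_value is None:
        return False
    claim_value = str(claim_value)
    if match_type == "Equals":
        return claim_value == value
    if match_type == "Contains":
        return value in claim_value
    if match_type == "StartsWith":
        return claim_value.startswith(value)
    return claim_value != value  # NotEqual


def resolve_role(claims, rules, ambiguous_role_resolution, authenticated_role_arn):
    """Return the role ARN to issue credentials for, or None to deny.
    Rules are tried in order and the first match wins. When no rule
    matches, the 'Role resolution' setting decides: 'AuthenticatedRole'
    falls back to the default authenticated role, 'Deny' refuses."""
    for rule in rules:
        if claim_matches(claims.get(rule["Claim"]), rule["MatchType"], rule["Value"]):
            return rule["RoleARN"]
    if ambiguous_role_resolution == "AuthenticatedRole":
        return authenticated_role_arn
    if ambiguous_role_resolution == "Deny":
        return None
    raise ValueError(f"unknown role resolution {ambiguous_role_resolution!r}")


# Constructed sample configuration (account ID and role names are placeholders)
AUTH_ROLE = "arn:aws:iam::123456789012:role/myidentitypool_authenticatedrole"
RULES = [
    {"Claim": "custom:department", "MatchType": "Equals",
     "Value": "finance", "RoleARN": "arn:aws:iam::123456789012:role/finance_role"},
    {"Claim": "email", "MatchType": "StartsWith",
     "Value": "admin@", "RoleARN": "arn:aws:iam::123456789012:role/admin_role"},
]

if __name__ == "__main__":
    for claims in ({"custom:department": "finance"},
                   {"email": "admin@example.com"},
                   {"email": "user@example.com"}):
        print(claims, "->", resolve_role(claims, RULES, "Deny", AUTH_ROLE))
```

Because the first matching rule wins, rule order is part of the access decision: a user who satisfies both rules above receives the finance role, not the admin role. Choosing Deny as the Role resolution means a user matching no rule gets no credentials at all, which is the safer default when every expected user should match some rule.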

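The Attributes for access control settings in step 5 turn token claims into session principal tags, and the page notes that the default mapping applies the sub and aud claims. The following is an added example, not from the AWS page: it applies a default and a custom mapping to a constructed set of claims, then evaluates a constructed IAM statement that scopes S3 access by the resulting department tag. The condition evaluation is a simplified illustration of how aws:PrincipalTag behaves, not the IAM engine, and dropping a mapped claim that is missing from the token is an assumption of this example.

```python
"""Added example (not from the AWS page): map token claims to session
principal tags the way 'Attributes for access control' does, then evaluate
an IAM statement that uses those tags. The claims, mapping, bucket and
ARNs are constructed samples; the condition evaluation is a simplified
illustration, not the IAM engine."""
import re
from fnmatch import fnmatchcase

# Default mappings tag the session with the sub and aud claims
DEFAULT_MAPPING = {"sub": "sub", "aud": "aud"}

# Constructed custom mapping: tag key -> claim name
CUSTOM_MAPPING = {"sub": "sub", "department": "custom:department"}


def session_tags(claims, mapping):
    """Return principal tags (tag key -> value) for a session. A mapped
    claim missing from the token yields no tag (assumption of this example)."""
    return {tag: str(claims[claim]) for tag, claim in mapping.items() if claim in claims}


def substitute_policy_variables(text, tags):
    """Expand ${aws:PrincipalTag/<key>} in a resource ARN. A reference to a
    tag the session does not carry raises rather than expanding to an
    empty string, so that a missing tag cannot widen the match."""
    def repl(match):
        key = match.group(1)
        if key not in tags:
            raise KeyError(f"statement references missing principal tag {key!r}")
        return tags[key]
    return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}", repl, text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(statement, tags, action, resource):
    """True if this Allow statement matches the action and resource for a
    session with the given tags, honouring aws:PrincipalTag conditions.
    A statement that references a tag the session lacks never matches."""
    if statement.get("Effect") != "Allow":
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    try:
        patterns = [substitute_policy_variables(r, tags) for r in _as_list(statement["Resource"])]
    except KeyError:
        return False
    if not any(fnmatchcase(resource, p) for p in patterns):
        return False
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.startswith("aws:PrincipalTag/"):
            if tags.get(key.split("/", 1)[1]) != expected:
                return False
    return True


# Constructed statement: each department may read only its own prefix
READ_OWN_DEPARTMENT = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/${aws:PrincipalTag/department}/*",
}

if __name__ == "__main__":
    claims = {"sub": "abc-123", "aud": "us-east-1:00000000-0000-0000-0000-000000000000",
              "custom:department": "finance"}
    tags = session_tags(claims, CUSTOM_MAPPING)
    print("tags:", tags)
    for key in ("finance/report.csv", "hr/salaries.csv"):
        obj = f"arn:aws:s3:::example-bucket/{key}"
        print(obj, "->", statement_allows(READ_OWN_DEPARTMENT, tags, "s3:GetObject", obj))
```

The design point is that the policy never names a department: the session tag supplied by the identity pool decides which prefix is reachable, so one role and one statement serve every department, and a session without the department tag (for example one issued under the default mapping) matches nothing.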
AWS Management Console
To create an identity pool
  1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. Choose Manage Identity Pools.

  3. Choose Create new identity pool.

  4. Enter a name for your identity pool.

  5. To enable unauthenticated identities, select Enable access to unauthenticated identities from the Unauthenticated identities collapsible section.

  6. Choose Create Pool.

  7. You will be prompted for access to your AWS resources.

    Choose Allow to create the two default roles associated with your identity pool: one for unauthenticated users and one for authenticated users. These default roles provide your identity pool access to Amazon Cognito Sync. You can modify the roles associated with your identity pool in the IAM console.

  8. Make a note of your identity pool ID. You will use it to set up policies that allow your app users to access other AWS services, such as Amazon Simple Storage Service or DynamoDB.

For more information on identity pools, see Amazon Cognito identity pools (federated identities).

For an example of using an identity pool with Amazon S3, see Uploading Photos to Amazon S3 from a Browser.