GetCredentialsForIdentity - Amazon Cognito Federated Identities

GetCredentialsForIdentity

Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers. If the token is for cognito-identity.amazonaws.com, it will be passed through to AWS Security Token Service with the appropriate role for the token.

This is a public API. You do not need any credentials to call this API.

Request Syntax

{ "CustomRoleArn": "string", "IdentityId": "string", "Logins": { "string" : "string" } }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

CustomRoleArn

The Amazon Resource Name (ARN) of the role to be assumed when multiple roles were received in the token from the identity provider. For example, a SAML-based identity provider. This parameter is optional for identity providers that do not support role customization.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: No

IdentityId

A unique identifier in the format REGION:GUID.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 55.

Pattern: [\w-]+:[0-9a-f-]+

Required: Yes

Logins

A set of optional name-value pairs that map provider names to provider tokens. The name-value pair will follow the syntax "provider_name": "provider_user_identifier".

Logins should not be specified when trying to get credentials for an unauthenticated identity.

The Logins parameter is required when using identities associated with external identity providers such as Facebook. For examples of Logins maps, see the code examples in the External Identity Providers section of the Amazon Cognito Developer Guide.

Type: String to string map

Map Entries: Maximum number of 10 items.

Key Length Constraints: Minimum length of 1. Maximum length of 128.

Value Length Constraints: Minimum length of 1. Maximum length of 50000.

Required: No

Response Syntax

{ "Credentials": { "AccessKeyId": "string", "Expiration": number, "SecretKey": "string", "SessionToken": "string" }, "IdentityId": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Credentials

Credentials for the provided identity ID.

Type: Credentials object

IdentityId

A unique identifier in the format REGION:GUID.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 55.

Pattern: [\w-]+:[0-9a-f-]+

Errors

For information about the errors that are common to all actions, see Common Errors.

ExternalServiceException

An exception thrown when a dependent service such as Facebook or Twitter is not responding

HTTP Status Code: 400

InternalErrorException

Thrown when the service encounters an error during processing the request.

HTTP Status Code: 500

InvalidIdentityPoolConfigurationException

If you provided authentication information in the request, the identity pool has no authenticated role configured, or AWS STS returned an error response to the request to assume the authenticated role from the identity pool. If you provided no authentication information in the request, the identity pool has no unauthenticated role configured, or AWS STS returned an error response to the request to assume the unauthenticated role from the identity pool.

Your role trust policy must grant AssumeRoleWithWebIdentity permissions to cognito-identity.amazonaws.com.

HTTP Status Code: 400

InvalidParameterException

Thrown for missing or bad input parameter(s).

HTTP Status Code: 400

NotAuthorizedException

Thrown when a user is not authorized to access the requested resource.

HTTP Status Code: 400

ResourceConflictException

Thrown when a user tries to use a login which is already linked to another account.

HTTP Status Code: 400

ResourceNotFoundException

Thrown when the requested resource (for example, a dataset or record) does not exist.

HTTP Status Code: 400

TooManyRequestsException

Thrown when a request is throttled.

HTTP Status Code: 400

Examples

GetCredentialsForIdentity

The following example shows a GetCredentialsForIdentity request.

Sample Request

POST / HTTP/1.1 CONTENT-TYPE: application/x-amz-json-1.1 CONTENT-LENGTH: 250 X-AMZ-TARGET: com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.GetCredentialsForIdentity HOST: <endpoint> X-AMZ-DATE: 20151020T232759Z { "IdentityId":"us-east-1:88b5cc2c-c8c4-4932-a4e5-fc85EXAMPLE" }

Sample Response

1.1 200 OK content-length: 1168, content-type: application/x-amz-json-1.1, date: Mon, 21 Sep 2015 22:38:52 GMT, x-amzn-requestid: 8906cbc7-60b1-11e5-9f63-1bfexample, { "Credentials":{ "SecretKey":"2gZ8QJQqkAHBzebQmghavFAfgmYpKWRqexample", "SessionToken":"AQoDYXdzEMf//////////wEasAWDYyZbsv2CTPExziDyYEXAMPLE", "Expiration":1442877512.0, "AccessKeyId":"ASIAJIOA37R6EXAMPLE" }, "IdentityId":"us-east-1:88b5cc2c-c8c4-4932-a4e5-fc85EXAMPLE" }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: