You can use Amazon Cognito authentication as an alternative to directly using AWS Identity and Access Management (IAM) users with frontend SDK requests.
Amazon Cognito provides authentication, authorization, and user management for web and mobile apps. You can use Amazon Cognito unauthenticated identity pools with Amazon Location as a way for applications to retrieve temporary, scoped-down AWS credentials.
For more information, see Getting Started with User Pools in the Amazon Cognito Developer Guide.
You may want to use this form of authentication for the following reasons:
-
Unauthenticated users – If you have a website with anonymous users, you can use Amazon Cognito identity pools.
For more information, see the section on Use Amazon Cognito to authenticate.
-
Your own authentication – If you would like to use your own authentication process, or combine multiple authentication methods, you can use Amazon Cognito Federated Identities.
For more information, see Getting Started with Federated Identities in the Amazon Cognito Developer Guide.
Use Amazon Cognito and Amazon Location Service
You can use AWS Identity and Access Management (IAM) policies associated with unauthenticated identity roles with the following actions:
List of maps actions
geo-maps:GetStaticMapgeo-maps:GetTile
Note
Resource names for the actions above are:
arn:aws:geo-maps:region::provider/defaultCreate an Amazon Cognito identity pool
You can create Amazon Cognito identity pools to allow unauthenticated guest access to your application through the Amazon Cognito console, the AWS CLI, or the Amazon Cognito APIs.
Important
The pool that you create must be in the same AWS account and AWS Region as the Amazon Location Service resources that you're using.
To create an identity pool using the Amazon Cognito console
-
Go to the Amazon Cognito console
. -
Choose Manage Identity Pools.
-
Choose Create new identity pool, then enter a name for your identity pool.
-
From the Unauthenticated identities collapsible section, choose Enable access to unauthenticated identities.
-
Choose Create Pool.
-
Choose which IAM roles you want to use with your identity pool.
-
Expand View Details.
-
Under Unauthenticated identities, enter a role name.
-
Expand the View Policy Document section, then choose Edit to add your policy.
-
Add your policy to grant access to your resources.
Note
See the Use Amazon Cognito and Amazon Location Service section above for a list of actions.
{ "Version": "2012-10-17", "Statement": [ { Sid": "RoutesReadOnly", Effect": "Allow", Action": [ // add comma separated value from the previous section ], Resource": "value from previous section" } ] } Choose Allow to create your identity pools.
Use the Amazon Cognito identity pool in web
The following example exchanges the unauthenticated identity pool that you created for credentials that are then used to call CalculateIsolines. To
simplify this work, the example uses the Amazon Location How to use authentication helpers procedures. This is in place of
both getting and refreshing the credentials.
This example uses the AWS SDK for JavaScript v3.
import { GeoRoutesClient, CalculateIsolinesCommand , } from "@aws-sdk/client-geo-routes"; // ES Modules import
import { withIdentityPoolId } from "@aws/amazon-location-utilities-auth-helper";
const identityPoolId = "<identity pool ID>"; // for example, us-east-1:1sample4-5678-90ef-aaaa-1234abcd56ef
const authHelper = await withIdentityPoolId(identityPoolId);
const client = new GeoRoutesClient({
...authHelper.getClientConfig(),
region: "<region>", // The region containing the identity pool
});
const input = {
DepartNow: true,
TravelMode: "Car",
Origin: [-123.12327, 49.27531],
Thresholds: {
Time: [5, 10, 30],
},
};
const command = new CalculateIsolinesCommand(input);
const response = await client.send(command);
console.log(JSON.stringify(response, null, 2))