AWS Mobile SDK
iOS Developer Guide

Amazon Cognito for iOS

For your app to access AWS services and resources, it must facilitate getting an identity within AWS for each user. Use Amazon Cognito to create unique identities for your users. Amazon Cognito identities can be unauthenticated, or they can use a range of methods to sign in and become authenticated. For more information, see Integrating Identity Providers.

For information about Amazon Cognito Region availability, see AWS Service Region Availability.

Providing AWS Credentials

Most implementations of AWS services for mobile app features require identity management through Amazon Cognito. The following steps describe how to provide AWS credentials to your app users.

1. Create an identity pool and roles

Take the following steps to create a new identity pool with Auth and Unauth roles.

  1. Sign in to the Amazon Cognito console.

  2. Choose Manage Federated Identities.

  3. Choose Create new identity pool.

  4. Type an Identity pool name.

  5. Optional: Select Enable access to unauthenticated identities.

  6. Choose Create Pool.

  7. Choose View Details to review or edit the role names and default access policy JSON document for the identity pool you just created. Note the names of your Auth and Unauth roles. You will use them to enact access policy for the AWS resources you use.

  8. Choose Allow.

  9. Choose the language of your app code in the Platform menu. Note the identityPoolId value in the sample code provided.

For more information, see Identity Pools and IAM Roles.

2. Add the AWS SDK for iOS to your project

Follow the steps in Set Up the SDK for iOS.

3. Import AWSCore and Amazon Cognito APIs

Add the following imports to your project.

Swift

    import AWSCore
    import AWSCognito

Objective-C

    #import <AWSCore/AWSCore.h>
    #import <AWSCognito/AWSCognito.h>

4. Initialize the Amazon Cognito credentials provider

Use the following code, replacing the value of YourIdentityPoolId with the identityPoolId value you noted when you created your identity pool.

Swift

    // Credentials provider bound to your identity pool.
    let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: "YourIdentityPoolId")
    // Make it the default for every AWS service client the app creates.
    let configuration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: credentialsProvider)
    AWSServiceManager.default().defaultServiceConfiguration = configuration

Objective-C

    // Credentials provider bound to your identity pool.
    AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"YourIdentityPoolId"];
    // Make it the default for every AWS service client the app creates.
    AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;


If you created your identity pool before February 2015, you must reassociate your roles with your identity pool to use this constructor. To do so, open the Amazon Cognito console, select your identity pool, choose Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

5. Retrieve Amazon Cognito IDs and AWS Credentials

After the login tokens are set in the credentials provider, you can retrieve a unique Amazon Cognito identifier for your end user and temporary credentials that let the app access your AWS resources.

Swift

    // Retrieve your Amazon Cognito ID.
    let cognitoId = credentialsProvider.identityId

Objective-C

    // Retrieve your Amazon Cognito ID.
    NSString *cognitoId = credentialsProvider.identityId;

The unique identifier is available in the identityId property of the credentials provider object.

The credentialsProvider communicates with Amazon Cognito, retrieving a unique identifier for the user as well as temporary, limited-privilege AWS credentials for the AWS Mobile SDK. The retrieved credentials are valid for one hour.

Identity Pools and IAM Roles

To use Amazon Cognito to incorporate sign-in through an external identity provider into your app, create an Amazon Cognito identity pool.

An identity in a pool gets access to the AWS resources used by your app by being assigned a role in AWS Identity and Access Management (IAM). The access level of an IAM role is defined by the policy that is attached to it. Typical roles for identity pools let you give different levels of access to authenticated (Auth), or signed-in, users and to unauthenticated (Unauth) users.

For more information on identity pools, see Amazon Cognito Identity: Using Federated Identities.

For more information on using IAM roles with Amazon Cognito, see IAM Roles in the Amazon Cognito Developer Guide.
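
Because the Unauth role's policy applies to every guest user of the app, it is worth reviewing mechanically before release. The following Python check is an added example, not part of the AWS guide or SDK: it flags over-broad Allow statements in an Unauth role's access policy. The sample policy, the bucket name, and the wildcard_ok allowlist are constructed assumptions for illustration.

```python
import json

# Constructed sample: an access policy attached to an identity pool's Unauth role.
UNAUTH_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
]}
""")

def as_list(value):
    """IAM allows Action/Resource to be one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_unauth_policy(policy, wildcard_ok=("cognito-sync", "mobileanalytics")):
    """Return (statement_index, reason) for each over-broad Allow statement.

    wildcard_ok is this example's assumption: services for which a wildcard
    is tolerated for guest users. Adjust it to what your app really needs.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                   # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "Allow with NotAction/NotResource grants everything else"))
            continue
        resources = as_list(stmt.get("Resource"))
        for action in as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*":
                findings.append((i, "Action '*' grants every AWS action"))
            elif "*" in name and service not in wildcard_ok:
                findings.append((i, f"wildcard action {action}"))
            elif "*" in resources and service not in wildcard_ok:
                findings.append((i, f"{action} on Resource '*'"))
    return findings

if __name__ == "__main__":
    for index, reason in audit_unauth_policy(UNAUTH_POLICY):
        print(f"statement {index}: {reason}")
```

Run it against the policy JSON shown under View Details for the Unauth role; an empty result means no statement matched these particular patterns, not that the policy is minimal.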

Integrating Identity Providers

Amazon Cognito identities can be unauthenticated or use a range of methods to sign in and become authenticated, including:

  • Federating with an external provider such as Google or Facebook

    • For external providers, a developer account and an application registered with the identity provider you want to use (Facebook, Google, or Amazon)

  • Federating with a SAML Provider such as a Microsoft Active Directory instance

    • For SAML federation, the SAML federation metadata for the authenticating system

  • Federating with your existing custom authentication provider using developer authenticated identities

  • Creating your own AWS-managed identity provider using Amazon Cognito User Pool

Then, each time your mobile app interacts with Amazon Cognito, your user's identity is given a set of temporary credentials that give secure access to the AWS resources configured for your app.

For more information, see External Identity Providers in the Amazon Cognito Developer Guide.
