Access AWS services from an ASP.NET Core app using Amazon Cognito identity pools - AWS Prescriptive Guidance

Created by Bibhuti Sahu (AWS) and Marcelo Barbosa (AWS)

Environment: PoC or pilot

Technologies: Security, identity, compliance; Web & mobile apps

AWS services: Amazon Cognito

Summary

This pattern discusses how you can configure Amazon Cognito user pools and identity pools, and then enable an ASP.NET Core app to access AWS resources after successful authentication.

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. The two main components of Amazon Cognito are user pools and identity pools.

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers such as Google, Facebook, Amazon, or Apple, and through SAML identity providers.

Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services. Before you can begin using your new Amazon Cognito identity pool, you must assign one or more AWS Identity and Access Management (IAM) roles to determine the level of access you want your application users to have to your AWS resources. Identity pools define two types of identities: authenticated and unauthenticated. Each identity type can be assigned its own role in IAM. Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Facebook, Google, SAML, or any OpenID Connect providers) or a developer provider (your own backend authentication process), whereas unauthenticated identities typically belong to guest users. When Amazon Cognito receives a user request, the service determines whether the request is authenticated or unauthenticated, determines which role is associated with that authentication type, and then uses the policy attached to that role to respond to the request. 

Prerequisites and limitations

Prerequisites

  • An AWS account with Amazon Cognito and IAM permissions

  • Access to the AWS resources you want to use

  • ASP.NET Core 2.0.0 or later

Architecture

Technology stack  

  • Amazon Cognito

  • ASP.NET Core

Target architecture 

How to access AWS services from an ASP.NET Core app using Amazon Cognito identity pools.

Tools

Tools, SDKs, and AWS services

Code 

The attached .zip file includes sample files that illustrate the following:

  • How to retrieve an access token for the logged-in user

  • How to exchange an access token for AWS credentials

  • How to access the Amazon Simple Storage Service (Amazon S3) service with AWS credentials
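As an added example (not code from the attached sample or from the aws-aspnet-cognito-identity-provider project), the following Razor PageModel performs the three steps listed above: it reads the signed-in user's user pool tokens, exchanges the ID token for identity pool credentials, and lists buckets with them, which is what the MyS3Buckets page created later in this pattern does. It assumes that the ASP.NET Core Identity user manager returns a CognitoUser whose SessionTokens are populated for the current sign-in, that the AWSSDK.CognitoIdentity and AWSSDK.S3 NuGet packages are referenced, and hypothetical appsettings.json keys AWS:Region, AWS:UserPoolId, and AWS:IdentityPoolId.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.S3;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;

[Authorize] // only signed-in users reach this page; guests never get S3 access here
public class MyS3BucketsModel : PageModel
{
    private readonly UserManager<CognitoUser> _userManager;
    private readonly IConfiguration _config; // hypothetical keys: AWS:Region, AWS:UserPoolId, AWS:IdentityPoolId
    public IList<string> BucketNames { get; } = new List<string>();

    public MyS3BucketsModel(UserManager<CognitoUser> userManager, IConfiguration config)
    {
        _userManager = userManager;
        _config = config;
    }

    public async Task<IActionResult> OnGetAsync()
    {
        var region = RegionEndpoint.GetBySystemName(_config["AWS:Region"]);
        // 1. The signed-in user; the identity provider keeps the user pool tokens on this object (assumed).
        CognitoUser user = await _userManager.GetUserAsync(User);
        if (user?.SessionTokens == null || !user.SessionTokens.IsValid())
            return Challenge(); // no valid session: re-authenticate instead of falling back to the guest role
        // 2. Exchange the user pool ID token (identity pools take the ID token, not the access token)
        //    for temporary, limited-privilege credentials scoped by the authenticated IAM role.
        var credentials = new CognitoAWSCredentials(_config["AWS:IdentityPoolId"], region);
        credentials.AddLogin(
            $"cognito-idp.{region.SystemName}.amazonaws.com/{_config["AWS:UserPoolId"]}",
            user.SessionTokens.IdToken);
        // 3. Call S3 with those credentials; only s3:ListAllMyBuckets is allowed by the role, so any other S3 call is denied.
        using (var s3 = new AmazonS3Client(credentials, region))
        {
            var response = await s3.ListBucketsAsync();
            foreach (var bucket in response.Buckets)
                BucketNames.Add(bucket.BucketName);
        }
        return Page();
    }
}
```

The CognitoAWSCredentials object refreshes its short-lived credentials on demand, so no access key or secret is ever stored in the app's configuration.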

IAM role for authenticated identities

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*",
        "s3:ListAllMyBuckets*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Epics

Task | Description | Skills required

Create a user pool.

  1. Sign in to the AWS Management Console and open the Amazon Cognito console at https://console.aws.amazon.com/cognito/home.

  2. Choose Manage User Pools.

  3. In the top-right corner of the page, choose Create a user pool.

  4. Provide a name for your user pool, choose Review defaults, and then choose Create pool.

  5. Note the pool ID.

Developer

Add an app client.

You can create an app to use the built-in webpages for signing up and signing in your users.

  1. On the navigation bar on the left side of the user pool page, choose App clients under General settings, and then choose Add an app client.

  2. Give your app a name, and then choose Create app client.

  3. Note the app client ID and the client secret (choose Show Details to see the client secret).

Developer
Task | Description | Skills required

Create an identity pool.

  1. On the Amazon Cognito console, choose Manage Identity Pools, and then choose Create new identity pool.

  2. Type a name for the identity pool.

  3. If you want to enable unauthenticated identities, select that option from the Unauthenticated identities section.

  4. In the Authentication providers section, configure the Cognito identity pool by setting the user pool ID and the app client ID, and then choose Create Pool.

Developer

Assign IAM roles for the identity pool.

You can edit the IAM roles for authenticated and unauthenticated users, or keep the defaults, and then choose Allow. For this pattern, we will edit the authenticated IAM role and provide access for s3:ListAllMyBuckets. For sample code, see the IAM role provided earlier in the Tools section.

Developer

Copy the identity pool ID.

When you choose Allow in the previous step, the Getting started with Amazon Cognito page is displayed. On this page, you can either copy the identity pool ID from the Get AWS Credentials section or choose Edit identity pool in the upper right and copy the identity pool ID from the screen that's displayed.

Developer
Task | Description | Skills required

Clone the sample ASP.NET Core web app.

  1. Clone the sample .NET Core web app from https://github.com/aws/aws-aspnet-cognito-identity-provider.git.

  2. Navigate to the samples folder and open the solution. In this project, you'll configure the appsettings.json file and add a new page that will render all S3 buckets after a successful sign-in.

Developer

Add dependencies.

Add a NuGet dependency for Amazon.AspNetCore.Identity.Cognito to your ASP.NET Core application.

Developer

Add the configuration keys and values to appsettings.json.

Include the code from the attached appsettings.json file in your appsettings.json file, and then replace the placeholders with the values from the previous steps.

Developer

Create a new user and sign in.

Create a new user in the Amazon Cognito user pool, and verify that the user exists under Users and Groups in the user pool.

Developer

Create a new Razor Page called MyS3Buckets.

Add a new ASP.NET Core Razor Page to your sample app, and replace the content for MyS3Bucket.cshtml and MyS3Bucket.cshtml.cs from the attached sample. Add the new MyS3Bucket page under navigation in the _Layout.cshtml page.

Developer

Troubleshooting

Issue | Solution

After you open the sample application from the GitHub repository, you get an error when you try to add the NuGet package to the Samples project.

In the src folder, make sure to remove the reference to the Amazon.AspNetCore.Identity.Cognito project from the Samples.sln file. You can then add the NuGet package to the Samples project without any issues.

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip