Actions, resources, and condition keys for Amazon Cognito Identity - Service Authorization Reference

Actions, resources, and condition keys for Amazon Cognito Identity

Amazon Cognito Identity (service prefix: cognito-identity) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Cognito Identity

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CreateIdentityPool Grants permission to create a new identity pool Write

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteIdentities Grants permission to delete identities from an identity pool. You can specify a list of 1-60 identities that you want to delete Write
DeleteIdentityPool Grants permission to delete a user pool. Once a pool is deleted, users will not be able to authenticate with the pool Write

identitypool*

DescribeIdentity Grants permission to return metadata related to the given identity, including when the identity was created and any associated linked logins Read
DescribeIdentityPool Grants permission to get details about a particular identity pool, including the pool name, ID description, creation date, and current number of users Read

identitypool*

GetCredentialsForIdentity Grants permission to return credentials for the provided identity ID Read
GetId Grants permission to generate (or retrieve) a Cognito ID. Supplying multiple logins will create an implicit linked account Write
GetIdentityPoolRoles Grants permission to get the roles for an identity pool Read

identitypool*

GetOpenIdToken Grants permission to get an OpenID token, using a known Cognito ID Read
GetOpenIdTokenForDeveloperIdentity Grants permission to register (or retrieve) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process Read

identitypool*

GetPrincipalTagAttributeMap Grants permission to get the principal tags for an identity pool and provider Read

identitypool*

ListIdentities Grants permission to list the identities in an identity pool List

identitypool*

ListIdentityPools Grants permission to list all of the Cognito identity pools registered for your account List
ListTagsForResource Grants permission to list the tags that are assigned to an Amazon Cognito identity pool Read

identitypool

LookupDeveloperIdentity Grants permission to retrieve the IdentityId associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity Read

identitypool*

MergeDeveloperIdentities Grants permission to merge two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider Write

identitypool*

SetIdentityPoolRoles Grants permission to set the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action Write
SetPrincipalTagAttributeMap Grants permission to set the principal tags for an identity pool and provider. These tags are used when making calls to GetOpenIdToken action Write
TagResource Grants permission to assign a set of tags to an Amazon Cognito identity pool Tagging

identitypool

aws:RequestTag/${TagKey}

aws:TagKeys

UnlinkDeveloperIdentity Grants permission to unlink a DeveloperUserIdentifier from an existing identity Write

identitypool*

UnlinkIdentity Grants permission to unlink a federated identity from an existing account Write
UntagResource Grants permission to remove the specified tags from an Amazon Cognito identity pool Tagging

identitypool

aws:TagKeys

UpdateIdentityPool Grants permission to update an identity pool Write

identitypool*

Resource types defined by Amazon Cognito Identity

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
identitypool arn:${Partition}:cognito-identity:${Region}:${Account}:identitypool/${IdentityPoolId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Cognito Identity

Amazon Cognito Identity defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters actions based on tag key-value pairs attached to the resource String
aws:TagKeys Filters access by a key that is present in the request String