Preparing to use web identity federation - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Preparing to use web identity federation

If you are an application developer and want to use web identity federation for your app, follow these steps:

  1. Sign up as a developer with a third-party identity provider. The following external links provide information about signing up with supported identity providers:

  2. Register your app with the identity provider. When you do this, the provider gives you an ID that's unique to your app. If you want your app to work with multiple identity providers, you need to obtain an app ID from each provider.

  3. Create one or more IAM roles. You need one role for each identity provider for each app. For example, you might create a role that can be assumed by an app where the user signed in using Login with Amazon, a second role for the same app where the user has signed in using Facebook, and a third role for the app where users sign in using Google.

    As part of the role creation process, you need to attach an IAM policy to the role. Your policy document should define the DynamoDB resources required by your app, and the permissions for accessing those resources.

For more information, see About Web Identity Federation in IAM User Guide.


As an alternative to Amazon Security Token Service, you can use Amazon Cognito. Amazon Cognito is the preferred service for managing temporary credentials for mobile apps. For more information, see the Amazon Cognito Developer Guide.

Generating an IAM policy using the DynamoDB console

The DynamoDB console can help you create an IAM policy for use with web identity federation. To do this, you choose a DynamoDB table and specify the identity provider, actions, and attributes to be included in the policy. The DynamoDB console then generates a policy that you can attach to an IAM role.

  1. Sign in to the Amazon Web Services Management Console and open the DynamoDB console at

  2. In the navigation pane, choose Tables.

  3. In the list of tables, choose the table for which you want to create the IAM policy.

  4. Choose the Access control tab.

  5. Choose the identity provider, actions, and attributes for the policy.

    When the settings are as you want them, click Create policy. The generated policy appears.

  6. Click Attach policy instructions, and follow the steps required to attach the generated policy to an IAM role.