Accessing Amazon services using an identity pool after sign-in - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Accessing Amazon services using an identity pool after sign-in

You can enable your users to sign-in with a user pool, and then access Amazon services using an identity pool.

After a successful authentication, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to retrieve Amazon credentials that allow your app to access other Amazon services. For more information, see Getting started with Amazon Cognito identity pools (federated identities).

        Accessing Amazon credentials through a user pool with an identity pool

For more information about using identity pools together with user pool groups to control access your Amazon resources see Adding groups to a user pool and Role-based access control. See also Identity pools concepts (federated identities) for more information about identity pools and Amazon Identity and Access Management.

Setting up a user pool with the Amazon Web Services Management Console

Create an Amazon Cognito user pool and make a note of the User Pool ID and App Client ID for each of your client apps. For more information about creating user pools, see Getting started with user pools.

Setting up an identity pool with the Amazon Web Services Management Console

The following procedure describes how to use the Amazon Web Services Management Console to integrate an identity pool with one or more user pools and client apps.

To configure your identity pool
  1. Go to the Amazon Cognito console. If prompted, enter your Amazon credentials.

  2. Choose Federated identities.

  3. Choose the name of the identity pool for which you want to enable Amazon Cognito user pools as a provider.

  4. On the Dashboard page, choose Edit identity pool.

  5. Expand the Authentication providers section.

  6. Choose Cognito.

  7. Enter the User Pool ID.

  8. Enter the App Client ID. This must be the same client app ID that you received when you created the app in the User pools section of the console.

  9. If you have additional apps or user pools, choose Add Another Provider and enter the User Pool ID and App Client ID for each app in each user pool.

  10. When you have no more apps or user pools to add, choose Save Changes. If successful, you will see a Changes saved successfully message on the Dashboard page.

Integrating a user pool with an identity pool

After your app user is authenticated, add that user's identity token to the logins map in the credentials provider. The provider name will depend on your Amazon Cognito user pool ID. It will have the following structure:


The value for <region> will be the same as the region in the User Pool ID. For example,

var cognitoUser = userPool.getCurrentUser(); if (cognitoUser != null) { cognitoUser.getSession(function(err, result) { if (result) { console.log('You are now logged in.'); // Add the User's Id Token to the Cognito credentials login map. AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'YOUR_IDENTITY_POOL_ID', Logins: { 'cognito-idp.<region><YOUR_USER_POOL_ID>': result.getIdToken().getJwtToken() } }); } }); }
cognitoUser.getSessionInBackground(new AuthenticationHandler() { @Override public void onSuccess(CognitoUserSession session) { String idToken = session.getIdToken().getJWTToken(); Map<String, String> logins = new HashMap<String, String>(); logins.put("cognito-idp.<region><YOUR_USER_POOL_ID>", session.getIdToken().getJWTToken()); credentialsProvider.setLogins(logins); } });
iOS - objective-C
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:nil]; AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"YOUR_CLIENT_ID" clientSecret:@"YOUR_CLIENT_SECRET" poolId:@"YOUR_USER_POOL_ID"]; [AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"]; AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"]; AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"YOUR_IDENTITY_POOL_ID" identityProviderManager:pool];
iOS - swift
let serviceConfiguration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: nil) let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YOUR_CLIENT_ID", clientSecret: "YOUR_CLIENT_SECRET", poolId: "YOUR_USER_POOL_ID") AWSCognitoIdentityUserPool.registerCognitoIdentityUserPoolWithConfiguration(serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "UserPool") let pool = AWSCognitoIdentityUserPool(forKey: "UserPool") let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: "YOUR_IDENTITY_POOL_ID", identityProviderManager:pool)