Amazon Cognito identity pools - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Cognito identity pools

An Amazon Cognito identity pool is a directory of federated identities that you can exchange for Amazon credentials. Identity pools generate temporary Amazon credentials for the users of your app, whether they’ve signed in or you haven’t identified them yet. With Amazon Identity and Access Management (IAM) roles and policies, you can choose the level of permission that you want to grant to your users. Users can start out as guests and retrieve assets that you keep in Amazon Web Services. Then they can sign in with a third-party identity provider to unlock access to assets that you make available to registered members. The third-party identity provider can be a consumer (social) OAuth 2.0 provider like Apple or Google, a custom SAML or OIDC identity provider, or a custom authentication scheme, also called a developer provider, of your own design.

Features of Amazon Cognito identity pools
Sign requests for Amazon Web Services

Sign API requests to Amazon Web Services like Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Analyze user activity with services like Amazon Pinpoint and Amazon CloudWatch.

Filter requests with resource-based policies

Exercise granular control over user access to your resources. Transform user claims into IAM session tags, and build IAM policies that grant resource access to distinct subsets of your users.
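The per-user scoping described above comes from IAM policy variables: one permissions policy on the authenticated role, with the caller's identity ID and session tags substituted at request time. The following is an added example, not AWS's own code, showing such a policy and a simplified offline evaluation of it; the bucket name, identity IDs and the `department` tag key are constructed placeholders.

```python
"""Added example (not AWS's own code): how IAM policy variables let one role
scope access per identity pool user. Bucket, tag key and identity IDs are
constructed placeholders."""
import fnmatch
import json
import re
from typing import Dict, List

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def per_user_s3_policy(bucket: str) -> dict:
    """Permissions policy for the authenticated role.
    ${cognito-identity.amazonaws.com:sub} is the caller's identity ID;
    ${aws:PrincipalTag/department} is a session tag the identity pool maps
    from a user claim (attributes for access control)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/private/${{cognito-identity.amazonaws.com:sub}}/*",
            },
            {
                "Sid": "DepartmentReadOnly",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/shared/${{aws:PrincipalTag/department}}/*",
            },
        ],
    }


def render(policy: dict, identity_id: str, principal_tags: Dict[str, str]) -> dict:
    """Substitute the request-context values for this session. A variable with
    no value is left in place so its statement cannot match, mirroring IAM."""
    def substitute(m) -> str:
        name = m.group(1)
        value = None
        if name == "cognito-identity.amazonaws.com:sub":
            value = identity_id
        elif name.startswith("aws:PrincipalTag/"):
            value = principal_tags.get(name[len("aws:PrincipalTag/"):])
        if value is None:
            return m.group(0)
        return json.dumps(value)[1:-1]  # JSON-escape so an odd tag value cannot break the document
    return json.loads(_POLICY_VAR.sub(substitute, json.dumps(policy)))


def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def allows(rendered: dict, action: str, resource_arn: str) -> bool:
    """Simplified evaluation: Allow statements only, no Deny or Condition.
    Actions match case-insensitively; resource ARNs are case-sensitive and
    honour the IAM wildcards * and ?."""
    for stmt in rendered["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            if "${" in res:  # unresolved variable: statement cannot match
                continue
            if fnmatch.fnmatchcase(resource_arn, res):
                return True
    return False
```

For the `aws:PrincipalTag` variable to have a value, the identity pool must map a claim to that tag and the role's trust policy must allow `sts:TagSession` alongside `sts:AssumeRoleWithWebIdentity`; a session without the tag falls through to a deny for the department prefix, which is the safe default.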

Assign guest access

For your users who haven’t signed in yet, configure your identity pool to generate Amazon credentials with a narrow scope of access. Authenticate users through a single sign-on provider to elevate their access.

Assign IAM roles based on user characteristics

Assign a single IAM role to all of your authenticated users, or choose the role based on the claims of each user.
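The guest-then-elevate flow and the claim-based role choice described in the two preceding features fit together as follows. This is an added example, not AWS's own code: `select_role` models the identity pool's ordered rule evaluation and its `AmbiguousRoleResolution` fallback offline, and `get_aws_credentials` shows the two-call exchange (`GetId`, then `GetCredentialsForIdentity`) against the live service. The identity pool ID, provider name, role ARNs and claim names are constructed placeholders.

```python
"""Added example (not AWS's own code): rule-based IAM role selection for an
Amazon Cognito identity pool, plus the two-call credential exchange.
The identity pool ID, provider name, role ARNs and claim names below are
constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholders; none of these refer to real resources.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
USER_POOL_PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
ROLE_SECURITY = "arn:aws:iam::123456789012:role/CognitoSecurityTeam"
ROLE_MEMBER = "arn:aws:iam::123456789012:role/CognitoVerifiedMember"
ROLE_AUTH_DEFAULT = "arn:aws:iam::123456789012:role/CognitoAuthenticatedDefault"


@dataclass(frozen=True)
class Rule:
    """One rule of the identity pool's 'Choose role with rules' mapping."""
    claim: str        # token claim to inspect, e.g. "custom:department"
    match_type: str   # Equals | Contains | StartsWith | NotEqual
    value: str
    role_arn: str


RULES: List[Rule] = [
    Rule("custom:department", "Equals", "security", ROLE_SECURITY),
    Rule("email_verified", "Equals", "true", ROLE_MEMBER),
]


def _matches(rule: Rule, claim_value: str) -> bool:
    if rule.match_type == "Equals":
        return claim_value == rule.value
    if rule.match_type == "Contains":
        return rule.value in claim_value
    if rule.match_type == "StartsWith":
        return claim_value.startswith(rule.value)
    if rule.match_type == "NotEqual":
        return claim_value != rule.value
    raise ValueError(f"unknown match type {rule.match_type!r}")


def select_role(claims: Dict[str, str], rules: List[Rule],
                ambiguous_resolution: str = "Deny",
                default_role: str = ROLE_AUTH_DEFAULT) -> Optional[str]:
    """Rules are evaluated in order and the first match wins. When no rule
    matches, the pool's AmbiguousRoleResolution setting decides: fall back to
    the default authenticated role, or deny credentials entirely (None).
    This model treats a claim absent from the token as never matching."""
    for rule in rules:
        claim_value = claims.get(rule.claim)
        if claim_value is not None and _matches(rule, claim_value):
            return rule.role_arn
    if ambiguous_resolution == "AuthenticatedRole":
        return default_role
    return None


def get_aws_credentials(id_token: Optional[str] = None,
                        region: str = "us-east-1") -> dict:
    """Live exchange against the service (needs boto3, network and a real pool).
    With no token, GetId mints a guest identity and the unauthenticated role is
    used; with a user pool ID token, the pool applies its role mapping (as
    modelled by select_role) and returns credentials for the chosen role."""
    import boto3  # imported here so the offline functions above need no SDK
    client = boto3.client("cognito-identity", region_name=region)
    kwargs = {"Logins": {USER_POOL_PROVIDER: id_token}} if id_token else {}
    identity = client.get_id(IdentityPoolId=IDENTITY_POOL_ID, **kwargs)
    creds = client.get_credentials_for_identity(
        IdentityId=identity["IdentityId"], **kwargs)
    # Keys: AccessKeyId, SecretKey, SessionToken, Expiration
    return creds["Credentials"]
```

Choosing `Deny` as the ambiguous-role resolution means a signed-in user whose claims match no rule gets no credentials at all rather than silently landing in the default authenticated role, which is the conservative setting when the rules are meant to be exhaustive.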

Accept a variety of identity providers

Exchange an ID or access token, a user pool token, a SAML assertion, or a social-provider OAuth token for Amazon credentials.

Validate your own identities

Perform your own user validation and use your developer Amazon credentials to issue credentials for your users.

You might already have an Amazon Cognito user pool that provides authentication and authorization services to your app. You can set up your user pool as an identity provider (IdP) to your identity pool. When you do, your users can authenticate through your user pool IdPs, consolidate their claims into a common OIDC identity token, and exchange that token for Amazon credentials. Your users can then present those credentials in signed requests to Amazon Web Services.

You can also present authenticated claims from any of your identity providers directly to your identity pool. Amazon Cognito customizes user claims from SAML, OAuth, and OIDC providers into an AssumeRoleWithWebIdentity API request for short-term credentials.

Amazon Cognito user pools act as OIDC identity providers to your SSO-enabled apps. Identity pools act as an Amazon identity provider to any app with resource dependencies that work best with IAM authorization.

Amazon Cognito identity pools support the following identity providers:

For information about Amazon Cognito identity pools Region availability, see Amazon Service Region Availability.

For more information about Amazon Cognito identity pools, see the following topics.