Getting started with Amazon Cognito identity pools

To create a new identity pool in the console

1. Sign in to the Amazon Cognito console and select Identity pools.

2. Choose Create identity pool.

3. In Configure identity pool trust, choose to set up your identity pool for Authenticated access, Guest access, or both.

   1. If you chose Authenticated access, select one or more Identity types that you want to set as the source of authenticated identities in your identity pool. If you configure a Custom developer provider, you can't modify or delete it after you create your identity pool.

4. In Configure permissions, choose a default IAM role for authenticated or guest users in your identity pool.

   1. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.

   2. You can choose to Use an existing IAM role if you already have a role in your Amazon Web Services account that you want to use. You must configure your IAM role trust policy to include cognito-identity.amazonaws.com. Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.

5. In Connect identity providers, enter the details of the identity providers (IdPs) that you chose in Configure identity pool trust. You might be asked to provide OAuth app client information, choose an Amazon Cognito user pool, choose an IAM IdP, or enter a custom identifier for a developer provider.

   1. Choose the Role settings for each IdP. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules. With an Amazon Cognito user pool IdP, you can also Choose role with preferred_role in tokens. For more information about the cognito:preferred_role claim, see Assigning precedence values to groups.

      1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.

      2. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.

   2. Configure Attributes for access control for each IdP. Attributes for access control maps user claims to principal tags that Amazon Cognito applies to their temporary session. You can build IAM policies to filter user access based on the tags that you apply to their session.

      1. To apply no principal tags, choose Inactive.

      2. To apply principal tags based on sub and aud claims, choose Use default mappings.

      3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

6. In Configure properties, enter a Name under Identity pool name.

7. Under Basic (classic) authentication, choose whether you want to Activate basic flow. With the basic flow active, you can bypass the role selections you made for your IdPs and call AssumeRoleWithWebIdentity directly. For more information, see Identity pools (federated identities) authentication flow.

8. Under Tags, choose Add tag if you want to apply tags to your identity pool.

9. In Review and create, confirm the selections that you made for your new identity pool. Select Edit to return to the wizard and change any settings. When you're done, select Create identity pool.