Getting started with Amazon Cognito identity pools (federated identities) - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Getting started with Amazon Cognito identity pools (federated identities)


Currently, you must configure Amazon Cognito identity pools in the original console, even if you have migrated to the new console for Amazon Cognito user pools. From the new console, choose Federated identities to navigate to the identity pools console.

With Amazon Cognito identity pools, you can create unique identities and assign permissions for users. Your identity pool can include:

  • Users in an Amazon Cognito user pool

  • Users who authenticate with external identity providers such as Facebook, Google, Apple, or an OIDC or SAML identity provider

  • Users authenticated through your own existing authentication process

With an identity pool, you can obtain temporary Amazon credentials with permissions you define to directly access other Amazon Web Services or to access resources through Amazon API Gateway.

Create an identity pool in Amazon Cognito

You can create an identity pool through the Amazon Cognito console, or you can use the Amazon Command Line Interface (CLI) or the Amazon Cognito APIs.

To create a new identity pool in the console
  1. Sign in to the Amazon Cognito console, choose Manage identity pools, and then choose Create new identity pool.

  2. Type a name for your identity pool.

  3. To enable unauthenticated identities, select Enable access to unauthenticated identities from the Unauthenticated identities collapsible section.

  4. If desired, configure an authentication provider in the Authentication providers section.

  5. Choose Create Pool.


    The pool needs at least one source of identities: enable unauthenticated identities, configure an authentication provider, or both.

  6. You will be prompted for access to your Amazon resources.

    Choose Allow to create the two default roles associated with your identity pool—one for unauthenticated users and one for authenticated users. These default roles give your identity pool access to Amazon Cognito Sync. Because anyone who knows the identity pool ID can request unauthenticated credentials, keep the permissions on the unauthenticated role to the minimum a guest actually needs. You can modify the roles associated with your identity pool in the Amazon Identity and Access Management (IAM) console.
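The same procedure from the command line, as an added example that is not part of the Amazon Cognito documentation. It creates the pool, creates one IAM role per identity class with a trust policy pinned to that pool, attaches both roles, and finally shows what an unsigned caller can obtain with only the pool ID (the flow the Get credentials section describes). Assumptions: the AWS CLI v2 with credentials allowed to call IAM and cognito-identity, the environment variable COGNITO_POOL_NAME and the role-name suffixes chosen here for illustration, and the principal and condition-key names of the commercial partition; in the China Regions compare them against a console-generated role before relying on them.

```shell
#!/bin/sh
# Added example, not from the Amazon Cognito documentation. Builds an identity
# pool from the CLI and pins each role's trust policy to that pool.
# Assumed: AWS CLI v2, credentials with IAM + cognito-identity rights, and the
# commercial-partition principal/condition-key names (check a console-generated
# role in your Region; China Regions use the aws-cn partition).
set -eu

# Identity pool IDs look like "us-east-1:<uuid>"; user pool IDs look like
# "us-east-1_AbCdEfGhI". Mixing them up is a common mistake, so check the shape.
is_identity_pool_id() {
  printf '%s\n' "$1" |
    grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Trust policy for an identity-pool role. Without the aud condition any identity
# pool in any account could assume the role; without amr a guest could assume
# the authenticated role. $1 = pool id, $2 = authenticated|unauthenticated.
trust_policy() {
  case "$2" in
    authenticated|unauthenticated) ;;
    *) echo "trust_policy: amr must be authenticated or unauthenticated" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"cognito-identity.amazonaws.com:aud": "$1"},
      "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "$2"}
    }
  }]
}
EOF
}

# Create the role for one identity class and print its ARN. The role starts
# with no permissions policy: attach one with "aws iam put-role-policy" once you
# know what that class needs (keep the unauthenticated one minimal).
create_pool_role() {   # $1 pool id, $2 amr, $3 role name
  tmp=$(mktemp)
  trust_policy "$1" "$2" > "$tmp"
  aws iam create-role --role-name "$3" \
      --assume-role-policy-document "file://$tmp" \
      --query Role.Arn --output text
  rm -f "$tmp"
}

# Create the pool with both roles attached. $1 = pool name, $2 = yes to allow guests.
create_pool() {
  if [ "${2:-no}" = yes ]; then guests=--allow-unauthenticated-identities
  else guests=--no-allow-unauthenticated-identities; fi
  pool_id=$(aws cognito-identity create-identity-pool \
      --identity-pool-name "$1" "$guests" \
      --query IdentityPoolId --output text)
  is_identity_pool_id "$pool_id" || { echo "unexpected pool id: $pool_id" >&2; return 1; }
  auth_arn=$(create_pool_role "$pool_id" authenticated "$1-authenticated")
  unauth_arn=$(create_pool_role "$pool_id" unauthenticated "$1-unauthenticated")
  sleep 10   # IAM is eventually consistent; new roles may not be visible at once
  aws cognito-identity set-identity-pool-roles --identity-pool-id "$pool_id" \
      --roles "authenticated=$auth_arn,unauthenticated=$unauth_arn"
  echo "$pool_id"
}

# What a guest gets: GetId and GetCredentialsForIdentity are unsigned calls, so
# anyone holding the pool ID reaches whatever the unauthenticated role allows.
guest_credentials() {   # $1 = pool id
  identity_id=$(aws cognito-identity get-id --no-sign-request \
      --identity-pool-id "$1" --query IdentityId --output text)
  aws cognito-identity get-credentials-for-identity --no-sign-request \
      --identity-id "$identity_id" --query Credentials
}

# Only talks to AWS when a pool name is supplied, e.g.
#   COGNITO_POOL_NAME=demo-pool sh create_pool.sh
if [ "${COGNITO_POOL_NAME:-}" ]; then
  pool_id=$(create_pool "$COGNITO_POOL_NAME" yes)
  guest_credentials "$pool_id"
fi
```

The two `Condition` keys are the whole point: the console-generated roles carry them, but roles written by hand often omit `aud`, which lets any identity pool in any account assume the role. Running `guest_credentials` against your own pool is a quick way to see exactly what an anonymous caller ends up holding.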

Install the Mobile or JavaScript SDK

To use Amazon Cognito identity pools, you must install and configure the Amazon Mobile or JavaScript SDK. For more information, see the following topics:

Integrate the identity providers

Amazon Cognito identity pools (federated identities) support user authentication through Amazon Cognito user pools, federated identity providers—including Amazon, Facebook, Google, Apple, OpenID Connect (OIDC), and SAML identity providers—as well as unauthenticated identities. This feature also supports Developer authenticated identities (identity pools), which lets you register and authenticate users through your own backend authentication process.

To learn more about using an Amazon Cognito user pool to create your own user directory, see Amazon Cognito user pools and Accessing Amazon services using an identity pool after sign-in.

To learn more about using external identity providers, see Identity pools (federated identities) external identity providers.

To learn more about integrating your own backend authentication process, see Developer authenticated identities (identity pools).

Get credentials

Amazon Cognito identity pools provide temporary Amazon credentials for users who are guests (unauthenticated) and for users who have authenticated and received a token. With those Amazon credentials, your app can securely access a back end in Amazon or outside Amazon through Amazon API Gateway. See Getting credentials.