Getting started with Amazon Cognito identity pools - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with Amazon Cognito identity pools

With Amazon Cognito identity pools, you can create unique identities and assign permissions for users. Your identity pool can include:

  • Users in an Amazon Cognito user pool

  • Users who authenticate with external identity providers such as Facebook, Google, Apple, or an OIDC or SAML identity provider.

  • Users authenticated via your own existing authentication process

With an identity pool, you can obtain temporary Amazon credentials with permissions you define to directly access other Amazon Web Services or to access resources through Amazon API Gateway.

Create an identity pool in Amazon Cognito

You can create an identity pool through the Amazon Cognito console, or you can use the Amazon Command Line Interface (CLI) or the Amazon Cognito APIs.

To create a new identity pool in the console
  1. Sign in to the Amazon Cognito console and select Identity pools.

  2. Choose Create identity pool.

  3. In Configure identity pool trust, choose to set up your identity pool for Authenticated access, Guest access, or both.

    1. If you chose Authenticated access, select one or more Identity types that you want to set as the source of authenticated identities in your identity pool. If you configure a Custom developer provider, you can't modify or delete it after you create your identity pool.

  4. In Configure permissions, choose a default IAM role for authenticated or guest users in your identity pool.

    1. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.

    2. You can choose to Use an existing IAM role if you already have a role in your Amazon Web Services account that you want to use. You must configure your IAM role trust policy to include Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.

  5. In Connect identity providers, enter the details of the identity providers (IdPs) that you chose in Configure identity pool trust. You might be asked to provide OAuth app client information, choose an Amazon Cognito user pool, choose an IAM IdP, or enter a custom identifier for a developer provider.

    1. Choose the Role settings for each IdP. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules. With an Amazon Cognito user pool IdP, you can also Choose role with preferred_role in tokens. For more information about the cognito:preferred_role claim, see Assigning precedence values to groups.

      1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.

      2. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.

    2. Configure Attributes for access control for each IdP. Attributes for access control maps user claims to principal tags that Amazon Cognito applies to their temporary session. You can build IAM policies to filter user access based on the tags that you apply to their session.

      1. To apply no principal tags, choose Inactive.

      2. To apply principal tags based on sub and aud claims, choose Use default mappings.

      3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

  6. In Configure properties, enter a Name under Identity pool name.

  7. Under Basic (classic) authentication, choose whether you want to Activate basic flow. With the basic flow active, you can bypass the role selections you made for your IdPs and call AssumeRoleWithWebIdentity directly. For more information, see Identity pools (federated identities) authentication flow.

  8. Under Tags, choose Add tag if you want to apply tags to your identity pool.

  9. In Review and create, confirm the selections that you made for your new identity pool. Select Edit to return to the wizard and change any settings. When you're done, select Create identity pool.

Set up an SDK

To use Amazon Cognito identity pools, set up Amazon Amplify, the Amazon SDK for Java, or the Amazon SDK for .NET. For more information, see the following topics.

Integrate the identity providers

Amazon Cognito identity pools (federated identities) support user authentication through Amazon Cognito user pools, federated identity providers—including Amazon, Facebook, Google, Apple, and SAML identity providers—and unauthenticated identities. This feature also supports Developer-authenticated identities (identity pools), which lets you register and authenticate users via your own backend authentication process.

To learn more about using an Amazon Cognito user pool to create your own user directory, see Amazon Cognito user pools and Accessing Amazon Web Services using an identity pool after sign-in.

To learn more about using external identity providers, see Identity pools external identity providers.

To learn more about integrating your own backend authentication process, see Developer-authenticated identities (identity pools).

Get credentials

Amazon Cognito identity pools provide temporary Amazon credentials for users who are guests (unauthenticated) and for users who have authenticated and received a token. With those Amazon credentials, your app can securely access a backend in Amazon or outside Amazon through Amazon API Gateway. See Getting credentials.