Create an identity pool User IAM roles Authenticated and unauthenticated identities Activate or deactivate guest access Change the role associated with an identity type Edit identity providers Delete an identity pool Delete an identity from an identity pool Using Amazon Cognito Sync with identity pools

Identity pools console overview

Amazon Cognito identity pools provide temporary Amazon credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identifiers linked to your external identity providers.

One way to understand the features and options of identity pools is to create one in the Amazon Cognito console. You can explore the effect of different settings on authentication flows, role-based and attribute-based access control, and guest access. From there, you can proceed to later chapters in this guide and add the appropriate components to your application so that you can implement identity pool authentication.

Topics

Create an identity pool
User IAM roles
Authenticated and unauthenticated identities
Activate or deactivate guest access
Change the role associated with an identity type
Edit identity providers
Delete an identity pool
Delete an identity from an identity pool
Using Amazon Cognito Sync with identity pools

Create an identity pool

To create a new identity pool in the console

Sign in to the Amazon Cognito console and select Identity pools.
Choose Create identity pool.
In Configure identity pool trust, choose to set up your identity pool for Authenticated access, Guest access, or both.
1. If you chose Authenticated access, select one or more Identity types that you want to set as the source of authenticated identities in your identity pool. If you configure a Custom developer provider, you can't modify or delete it after you create your identity pool.
In Configure permissions, choose a default IAM role for authenticated or guest users in your identity pool.
1. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.
2. You can choose to Use an existing IAM role if you already have a role in your Amazon Web Services account that you want to use. You must configure your IAM role trust policy to include cognito-identity.amazonaws.com. Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.
In Connect identity providers, enter the details of the identity providers (IdPs) that you chose in Configure identity pool trust. You might be asked to provide OAuth app client information, choose a Amazon Cognito user pool, choose an IAM IdP, or enter a custom identifier for a developer provider.
1. Choose the Role settings for each IdP. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules. With a Amazon Cognito user pool IdP, you can also Choose role with preferred_role in tokens. For more information about the cognito:preferred_role claim, see Assigning precedence values to groups.
  1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.
  2. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.
2. Configure Attributes for access control for each IdP. Attributes for access control maps user claims to principal tags that Amazon Cognito applies to their temporary session. You can build IAM policies to filter user access based on the tags that you apply to their session.
  1. To apply no principal tags, choose Inactive.
  2. To apply principal tags based on sub and aud claims, choose Use default mappings.
  3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.
In Configure properties, enter a Name under Identity pool name.
Under Basic (classic) authentication, choose whether you want to Activate basic flow. With the basic flow active, you can bypass the role selections you made for your IdPs and call AssumeRoleWithWebIdentity directly. For more information, see Identity pools authentication flow.
Under Tags, choose Add tag if you want to apply tags to your identity pool.
In Review and create, confirm the selections that you made for your new identity pool. Select Edit to return to the wizard and change any settings. When you're done, select Create identity pool.

User IAM roles

An IAM role defines the permissions for your users to access Amazon resources, like Amazon Cognito Sync. Users of your application will assume the roles you create. You can specify different roles for authenticated and unauthenticated users. To learn more about IAM roles, see IAM roles.

Authenticated and unauthenticated identities

Amazon Cognito identity pools support both authenticated and unauthenticated identities. Authenticated identities belong to users who are authenticated by any supported identity provider. Unauthenticated identities typically belong to guest users.

To configure authenticated identities with a public login provider, see Identity pools third-party identity providers.
To configure your own backend authentication process, see Developer-authenticated identities.

Activate or deactivate guest access

Amazon Cognito identity pools guest access (unauthenticated identities) provides a unique identifier and Amazon credentials for users who do not authenticate with an identity provider. If your application allows users who do not log in, you can activate access for unauthenticated identities. To learn more, see Getting started with Amazon Cognito identity pools.

To update guest access in an identity pool

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the User access tab.
Locate Guest access. In an identity pool that doesn't currently support guest access, Status is Inactive.
1. If Guest access is Active and you want to deactivate it, select Deactivate.
2. If Guest access is Inactive and you want to activate it, select Edit.
  1. Choose a default IAM role for guest users in your identity pool.
    1. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.
    2. You can choose to Use an existing IAM role if you already have a role in your Amazon Web Services account that you want to use. You must configure your IAM role trust policy to include cognito-identity.amazonaws.com. Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.
    3. Select Save changes.
    4. To activate guest access, select Activate in the User access tab.

Change the role associated with an identity type

Every identity in your identity pool is either authenticated or unauthenticated. Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, Google, SAML, or any OpenID Connect Providers) or a developer provider (your own backend authentication process). Unauthenticated identities typically belong to guest users.

For each identity type, there is an assigned role. This role has a policy attached to it that dictates which Amazon Web Services services that role can access. When Amazon Cognito receives a request, the service determines the identity type, determines the role assigned to that identity type, and uses the policy attached to that role to respond. By modifying a policy or assigning a different role to an identity type, you can control which Amazon Web Services services an identity type can access. To view or modify the policies associated with the roles in your identity pool, see the Amazon IAM Console.

To change the identity pool default authenticated or unauthenticated role

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the User access tab.
Locate Guest access or Authenticated access. In an identity pool that isn't currently configured for that access type, Status is Inactive. Select Edit.
Choose a default IAM role for guest or authenticated users in your identity pool.
1. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.
2. You can choose to Use an existing IAM role if you already have a role in your Amazon Web Services account that you want to use. You must configure your IAM role trust policy to include cognito-identity.amazonaws.com. Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.
Select Save changes.

Edit identity providers

If you allow your users to authenticate using consumer identity providers (for example, Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, or Google), you can specify your application identifiers in the Amazon Cognito identity pools (federated identities) console. This associates the application ID (provided by the public login provider) with your identity pool.

You can also configure authentication rules for each provider from this page. Each provider allows up to 25 rules. The rules are applied in the order you save for each provider. For more information, see Using role-based access control.

Warning

Changing the linked IdP application ID in your identity pool prevents existing users from authenticating with that identity pool. For more information, see Identity pools third-party identity providers.

To update an identity pool identity provider (IdP)

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the User access tab.
Locate Identity providers. Choose the identity provider that you want to edit. If you want to add a new IdP, select Add identity provider.
1. If you chose Add identity provider, choose one of the Identity types that you want to add.
To change the application ID, choose Edit in Identity provider information.
To change the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, choose Edit in Role settings.
1. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules. With a Amazon Cognito user pool IdP, you can also Choose role with preferred_role in tokens. For more information about the cognito:preferred_role claim, see Assigning precedence values to groups.
  1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.
  2. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.
To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, choose Edit in Attributes for access control.
1. To apply no principal tags, choose Inactive.
2. To apply principal tags based on sub and aud claims, choose Use default mappings.
3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.
Select Save changes.

Delete an identity pool

You can't undo identity pool deletion. After you delete an identity pool, all apps and users that depend on it stop working.

To delete an identity pool

Choose Identity pools from the Amazon Cognito console. Select the radio button next to the identity pool that you want to delete.
Select Delete.
Enter or paste the name of your identity pool and select Delete.

Warning

When you select the Delete button, you will permanently delete your identity pool and all the user data it contains. Deleting an identity pool will cause applications and other services using the identity pool to stop working.

Delete an identity from an identity pool

When you delete an identity from an identity pool, you remove the identifying information that Amazon Cognito has stored for that federated user. When your user requests credentials again, they receive a new identity ID if your identity pool still trusts their identity provider. You can't undo this operation.

To delete an identity

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the Identity browser tab.
Select the check boxes next to the identities that you want to delete and choose Delete. Confirm that you want to delete the identities and choose Delete.

Using Amazon Cognito Sync with identity pools

Amazon Cognito Sync is an Amazon Web Services service and client library that makes it possible to sync application-related user data across devices. Amazon Cognito Sync can synchronize user profile data across mobile devices and the web without using your own backend. The client libraries cache data locally so that your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data. If you set up push sync, you can notify other devices immediately that an update is available.

Managing datasets

If you have implemented Amazon Cognito Sync functionality in your application, the Amazon Cognito identity pools console enables you to manually create and delete datasets and records for individual identities. Any change you make to an identity's dataset or records in the Amazon Cognito identity pools console isn't saved until you select Synchronize in the console. The change isn't visible to the end user until the identity calls Synchronize. The data being synchronized from other devices for individual identities is visible once you refresh the list datasets page for a particular identity.

Create a dataset for an identity

Amazon Cognito Sync associates a dataset with one identity. You can populate your dataset with identifying information about the user that the identity represents, then sync that information to all of your user's devices.

To add a dataset and dataset records to an identity

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the Identity browser tab.
Select the identity that you want to edit.
In Datasets, choose Create dataset.
Enter a Dataset name and select Create dataset.
If you want to add records to your dataset, choose your dataset from identity details. In Records, select Create record.
Enter a Key and Value for your record. Choose Confirm. Repeat to add more records.

Delete a dataset associated with an identity

To delete a dataset and its records from an identity

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the Identity browser tab.
Select the identity that contains the dataset that you want to delete.
In Datasets, choose the radio button next to the dataset that you want to delete.
Select Delete. Review your choice and select Delete again.

Bulk publish data

Bulk publish can be used to export data already stored in your Amazon Cognito Sync store to a Amazon Kinesis stream. For instructions on how to bulk publish all of your streams, see Implementing Amazon Cognito Sync streams.

Activate push synchronization

Amazon Cognito automatically tracks the association between identity and devices. Using the push sync feature, you can make sure that every instance of a given identity is notified when identity data changes. Push sync makes it so that, whenever the dataset changes for an identity, all devices associated with that identity receive a silent push notification informing them of the change.

You can activate push sync in the Amazon Cognito console.

To activate push synchronization

Choose Identity pools from the Amazon Cognito console. Select an identity pool.
Choose the Identity pool properties tab.
In Push synchronization, select Edit
Select Activate push synchronization with your identity pool.
Choose one of the Amazon Simple Notification Service (Amazon SNS) Platform applications that you created in the current Amazon Web Services Region. Amazon Cognito publishes push notifications to your platform application. Select Create platform application to navigate to the Amazon SNS console and create a new one.
To publish to your platform application, Amazon Cognito assumes an IAM role in your Amazon Web Services account. Choose to Create a new IAM role if you want Amazon Cognito to create a new role for you with basic permissions and a trust relationship with your identity pool. Enter an IAM role name to identify your new role, for example myidentitypool_authenticatedrole. Select View policy document to review the permissions that Amazon Cognito will assign to your new IAM role.
You can choose to Use an existing IAM role if you already have a role in your Amazon Web Services account that you want to use. You must configure your IAM role trust policy to include cognito-identity.amazonaws.com. Configure your role trust policy to only allow Amazon Cognito to assume the role when it presents evidence that the request originated from an authenticated user in your specific identity pool. For more information, see Role trust and permissions.
Select Save changes.

Set up Amazon Cognito Streams

Amazon Cognito Streams gives developers control and insight into their data stored in Amazon Cognito Sync. Developers can now configure a Kinesis stream to receive events as data. Amazon Cognito can push each dataset change to a Kinesis stream you own in real time. For instructions on how to set up Amazon Cognito Streams in the Amazon Cognito console, see Implementing Amazon Cognito Sync streams.

Set up Amazon Cognito Events

Amazon Cognito Events allows you to run an Amazon Lambda function in response to important events in Amazon Cognito Sync. Amazon Cognito Sync raises the Sync Trigger event when a dataset is synchronized. You can use the Sync Trigger event to take an action when a user updates data. For instructions on setting up Amazon Cognito Events from the console, see Customizing workflows with Amazon Cognito Events.

To learn more about Amazon Lambda, see Amazon Lambda.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Amazon Cognito identity pools

Identity pools authentication flow