Posts such as this one walk through the process of authenticating users using the Amazon Cognito Identity SDK. But at the end, it says that in order for your application to leverage other AWS resources, you need to create a federated identity pool.
Then, this blog post (which is newer) indicates that groups and the roles you assign to those groups means that "you can use groups to control permissions to access your resources in AWS by assigning an AWS IAM roles for the groups". But I am not understanding how this can be done.
In the readme for this repository, "Use case 4" indicates that you can set credentials like this:
```javascript
// `result` is the CognitoUserSession passed to authenticateUser's onSuccess callback
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId : '...', // your identity pool id here
    Logins : {
        // key: the user pool's issuer (region + user pool id), value: the user's ID token
        'cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>' : result.getIdToken().getJwtToken()
    }
});
```
So, I think what I don't understand is what to set for IdentityPoolId. Or do I need to use IdentityId? Either way, where does this value come from?
Thanks in advance for your help. I think some others were asking about this at the end of #7
Looks like it was not clear in the new blog post, but you still need to create a federated identity pool. Group support in User Pools provides an easier way to assign the role while integrating User Pools with federated identities. You get the IdentityPoolId from the federated identities console.
Thanks. So I have a Cognito User Pool, with a Group, where I assign IAM Role "A". Then, I create a Federated Identity Pool, which requires me to set roles for Unauthenticated and Authenticated: "B" and "C" respectively.
When my users authenticate using IdentityPoolId from the Federated Identity pool, I assume that the role that is being leveraged is "C". How is "A" (the Cognito Group role) relevant?
I should say I am fairly new to Cognito so any guidance is appreciated.
To give some background, previously federated identities supported only two roles: the Authenticated role and the Unauthenticated role. With the recent launch of Group support and RBAC, a developer can select between multiple roles.
So, if you edit your identity pool, in the 'Authentication Provider' section, in the 'Cognito' tab, you provide the user pool id and client id. After saving it and opening it for edit again, you will see a section 'Authenticated role selection' in the Cognito tab. You can select 'Choose roles from token'; this will pick the role from the Cognito User Pool group the user belongs to. The Authenticated role can be used as a fallback in your setup, when the user does not belong to a group.
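To make the role selection above concrete, here is an added example (not code from this issue or from the SDK) that decodes a User Pool ID token, shows which role "Choose role from token" would pick from its `cognito:preferred_role` / `cognito:roles` claims with the Authenticated role as fallback, and builds the Logins map key from "Use case 4". The sample token, account id and role ARNs are constructed placeholders, and the token is unsigned because this only inspects claims locally.

```javascript
// Added example: inspect a Cognito User Pool ID token and predict the role
// that the identity pool's "Choose role from token" setting would select.

function base64UrlDecode(s) {
  s = s.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4) s += '=';
  return Buffer.from(s, 'base64').toString('utf8');
}

// Decode the JWT payload only (no signature check here); Cognito Identity
// verifies the token itself when the Logins map is exchanged for credentials.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Role-selection rule from the thread: the group role carried in the token
// wins; the identity pool's Authenticated role is the fallback.
function selectRole(claims, authenticatedRoleArn) {
  const preferred = claims['cognito:preferred_role'];
  const roles = claims['cognito:roles'] || [];
  if (preferred && roles.includes(preferred)) {
    return { role: preferred, source: 'token' };
  }
  return { role: authenticatedRoleArn, source: 'authenticated-fallback' };
}

// Logins map key format from "Use case 4": issuer host + user pool id.
function buildLoginsMap(region, userPoolId, idToken) {
  return { [`cognito-idp.${region}.amazonaws.com/${userPoolId}`]: idToken };
}

// Constructed, unsigned sample token for a user in group "admins".
function makeSampleIdToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(payload)}.constructed-signature`;
}

const GROUP_ROLE = 'arn:aws:iam::123456789012:role/GroupRoleA';        // placeholder
const AUTH_ROLE = 'arn:aws:iam::123456789012:role/Cognito_Authenticated'; // placeholder
const SAMPLE_TOKEN = makeSampleIdToken({
  'cognito:groups': ['admins'],
  'cognito:roles': [GROUP_ROLE],
  'cognito:preferred_role': GROUP_ROLE,
});
```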