Amazon-cognito-identity-js: Accessing AWS resources without using Federated Identities

Created on 24 Feb 2017 · 3 Comments · Source: amazon-archives/amazon-cognito-identity-js

Posts such as this one walk through the process of authenticating users using Amazon Cognito Identity SDK. But at the end, it says that in order for your application to leverage other AWS resources, you need to create a federated identity pool.

Then, this blog post (which is newer) indicates that groups and the roles you assign to those groups means that "you can use groups to control permissions to access your resources in AWS by assigning an AWS IAM roles for the groups". But I am not understanding how this can be done.

In the readme for this repository, "Use case 4" indicates that you can set credentials like this:

// From "Use case 4" in the README: this runs inside the onSuccess callback of
// cognitoUser.authenticateUser(...), so `result` is the CognitoUserSession.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId : '...', // your identity pool id here
  Logins : {
    // key: 'cognito-idp.<region>.amazonaws.com/<user pool id>', value: the ID token (not the access token)
    'cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>' : result.getIdToken().getJwtToken()
  }
});

So, I think what I don't understand is what to set for IdentityPoolId. Or do I need to use IdentityId? Either way, where does this value come from?

Thanks in advance for your help. I think some others were asking about this at the end of #7.


All 3 comments

Looks like it was not clear in the new blog post, but you still need to create a federated identity pool. Group support in User Pools provides an easier way to assign the role while integrating User Pools with federated identities. You get the IdentityPoolId from the federated identities console.

Thanks. So I have a Cognito User Pool, with a Group, where I assign IAM Role "A". Then, I create a Federated Identity Pool, which requires me to set roles for Unauthenticated and Authenticated: "B" and "C" respectively.

When my users authenticate using the IdentityPoolId from the Federated Identity pool, I assume that the role that is being leveraged is "C". How is "A" (the Cognito Group role) relevant?

I should say I am fairly new to Cognito so any guidance is appreciated.

To give some background, previously federated identities supported only two roles: an Authenticated role and an Unauthenticated role. With the recent launch of Group support and RBAC, a developer can select between multiple roles.
So, if you edit your identity pool and, in the 'Authentication Provider' section, in the 'Cognito' tab, you provide the user pool id and client id. After saving it and opening it for edit again, you will see a section 'Authenticated role selection' in the Cognito tab. You can select 'Choose roles from token', which picks the role from the Cognito User Pool group a user belongs to. The Authenticated role can be used as a fallback in your setup, when a user does not belong to a group.
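To make the role-selection mechanism concrete, here is an added example (not code from the issue or from the amazon-cognito-identity-js project). It decodes a constructed, unsigned sample ID token locally to show where the `Logins` key comes from (the token's `iss` claim) and which role 'Choose roles from token' would pick (`cognito:preferred_role`, with the pool's Authenticated role as fallback); the user pool id and role ARNs are placeholders.

```javascript
// Added example, not part of the issue thread or the project. Node built-ins only.
// Local decoding is for inspection: the identity pool verifies the token's signature
// itself, and nothing here should be used to make an authorization decision.

function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the decoded JWT payload; throws on a malformed token.
function decodeIdToken(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Builds the Logins key 'cognito-idp.<region>.amazonaws.com/<user pool id>' from the
// issuer 'https://cognito-idp.<region>.amazonaws.com/<user pool id>'. Only the ID
// token carries token_use 'id'; the access token must not be used here.
function loginsKeyFromIdToken(jwt) {
  const claims = decodeIdToken(jwt);
  if (claims.token_use !== 'id') throw new Error('Logins needs the ID token, got ' + claims.token_use);
  return claims.iss.replace(/^https:\/\//, '');
}

// Mirrors the identity pool's 'Choose roles from token' setting: the group role
// from the token when the user belongs to a group, otherwise the Authenticated role.
function selectRole(jwt, authenticatedRoleArn) {
  const claims = decodeIdToken(jwt);
  return claims['cognito:preferred_role'] || authenticatedRoleArn;
}

// Constructed, unsigned sample token (placeholder ids, dummy signature) for the demo.
function sampleIdToken(extraClaims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = Object.assign({
    iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE',
    token_use: 'id', sub: 'sub-placeholder',
  }, extraClaims);
  return enc({ alg: 'RS256', kid: 'kid-placeholder' }) + '.' + enc(payload) + '.sig-placeholder';
}

const AUTH_ROLE = 'arn:aws:iam::123456789012:role/Cognito_Authenticated'; // role "C" (placeholder)
const GROUP_ROLE = 'arn:aws:iam::123456789012:role/GroupRoleA';            // role "A" (placeholder)
const inGroup = sampleIdToken({ 'cognito:groups': ['admins'], 'cognito:preferred_role': GROUP_ROLE });
const noGroup = sampleIdToken({});
console.log(loginsKeyFromIdToken(inGroup), selectRole(inGroup, AUTH_ROLE), selectRole(noGroup, AUTH_ROLE));
```

A user in a group with a role resolves to role "A" from the token; a user in no group falls back to the identity pool's Authenticated role "C", which is why both must exist.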
