# Developer Authenticated Identities (Identity Pools)
With developer authenticated identities, you can register and authenticate users via your own existing authentication process, while still using Amazon Cognito to synchronize user data and access AWS resources.
## Example using AWS CLI

### Add custom authentication provider

Add your custom authentication provider (`DEVELOPER_PROVIDER_NAME`) to your identity pool via the "Edit identity pool" UI.

### Set up shell variables

```sh
IDENTITY_POOL_ID="us-east-1:335c1f44-87c9-4bbd-a314-93b47d91fadd"
DEVELOPER_PROVIDER_NAME=com.brianpfeil.app01
# this is YOUR application's user id
DEVELOPER_PROVIDER_USERID=003
```
### Create identity

```sh
aws cognito-identity get-open-id-token-for-developer-identity \
  --identity-pool-id "$IDENTITY_POOL_ID" \
  --logins "$DEVELOPER_PROVIDER_NAME=$DEVELOPER_PROVIDER_USERID"
```

Example output:

```json
{
  "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6YWVjYjU4YTgtMjc3Ni00NDMxLTk3OGMtZDYzOTVlMWI1Mzc5IiwiYXVkIjoidXMtZWFzdC0xOjMzNWMxZjQ0LTg3YzktNGJiZC1hMzE0LTkzYjQ3ZDkxZmFkZCIsImFtciI6WyJhdXRoZW50aWNhdGVkIiwiY29tLmJyaWFucGZlaWwuYXBwMDEiLCJjb20uYnJpYW5wZmVpbC5hcHAwMTp1cy1lYXN0LTE6MzM1YzFmNDQtODdjOS00YmJkLWEzMTQtOTNiNDdkOTFmYWRkOjAwMyJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4cCI6MTU2OTUyMzg3NSwiaWF0IjoxNTY5NTIyOTc1fQ.F6ST-AQWETHUAAR7JM-IU1ZIFLDEVL9ZBNM49WDOL_RXLLCYEY2KYUICHSGYLERD4WWLHWEJG-AOHFMMS0DUXT-UANA3BENUFFZWWSBAYVD0N2BHCLHZG7PURTRKRDN2XRFGDGQQ2PIMURMWAIPSB0ZCM-EXMSV-QAGOGKE5C2QR0P91BICL_LB1OQRTF9VXANPEMFFSAMZED776WHKR8ZMP7NTXZBMRE453QFW7VGVNKV3KJDTAKSRVZJS6YVW7BXY74_OQUJCFF9KWXJSMTEBNOIMHEFI3LJ25HSDDJ4LMLBGODD_ET4PPSUORIVLGW4UQ-7PJYHCAYTBDV0MXAQ",
  "IdentityId": "us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"
}
```
### Get token

```sh
# IDENTITY_ID is the "IdentityId" field from the output above
IDENTITY_ID="us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"

aws cognito-identity get-open-id-token-for-developer-identity \
  --identity-pool-id "$IDENTITY_POOL_ID" \
  --identity-id "$IDENTITY_ID" \
  --logins "$DEVELOPER_PROVIDER_NAME=$DEVELOPER_PROVIDER_USERID"
```

Example output:

```json
{
  "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6YWVjYjU4YTgtMjc3Ni00NDMxLTk3OGMtZDYzOTVlMWI1Mzc5IiwiYXVkIjoidXMtZWFzdC0xOjMzNWMxZjQ0LTg3YzktNGJiZC1hMzE0LTkzYjQ3ZDkxZmFkZCIsImFtciI6WyJhdXRoZW50aWNhdGVkIiwiY29tLmJyaWFucGZlaWwuYXBwMDEiLCJjb20uYnJpYW5wZmVpbC5hcHAwMTp1cy1lYXN0LTE6MzM1YzFmNDQtODdjOS00YmJkLWEzMTQtOTNiNDdkOTFmYWRkOjAwMyJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4cCI6MTU2OTUyNDg5OCwiaWF0IjoxNTY5NTIzOTk4fQ.S8JRKAALQZV0FT0GX6WDBE2EZUH2UPHIJLQ1AX9_PQBXLDM4V7UFFVUDXMHGHMZ2T4VMC6R2ILUJATYO05EIKB4HKWPEHSJWHAT8ZUQ9MRVEZ4KJFAY-7ER4LCGKN8MW-ZTZWQRPXUAYGP3RHQFYDV7FGJCJ3GE-MTTCBGXRAY_0H8NNOQE2F1WRO0KPE-Q-8GXF2P89WGFM9FAHZYOBV0FCZYOH8LCAZ7CKQJQ6FO8NYIAQDXDWFJM5-SLMPRYJLBIW88PBLO00ASOP5OGTHFD61JJCUUXFDRB6UTUGM-RUNILJRCTZB5_AB0FXS2YWAG2YZ3_JOFPWDLL-FNQ2UA",
  "IdentityId": "us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"
}
```
### Get credentials

```sh
# TOKEN is the "Token" field from the output above (placeholder; paste the real value)
TOKEN="<Token value from the previous output>"

aws cognito-identity get-credentials-for-identity \
  --identity-id "$IDENTITY_ID" \
  --logins "cognito-identity.amazonaws.com=$TOKEN"
```

Example output:

```json
{
  "Credentials": {
    "SecretKey": "U6hHM5cdTBjcXG3hxb6VcIwkijvskj72M+81CHBi",
    "SessionToken": "...",
    "Expiration": 1569527701.0,
    "AccessKeyId": "ASIAXWO2SDPLARQRZ55K"
  },
  "IdentityId": "us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"
}
```

NOTE: in this last call the `--logins` key is `cognito-identity.amazonaws.com=<token>`, not your developer provider name. See https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-4-enhanced-flow/: "When using an Amazon Cognito token with GetCredentialsForIdentity, you use the key cognito-identity.amazonaws.com in the logins parameter."
You can now use `AccessKeyId`, `SecretKey`, and `SessionToken` to access AWS resources.
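The `get-open-id-token-for-developer-identity` calls above are made with your own AWS credentials, so they belong on your backend, and the token they return is what your backend vouches for. As an added example (not from the original post or AWS), this Python helper decodes the OpenID token shown in the first output above and checks the claims you would expect for this pool, provider and user id; the `IDENTITY_POOL_ID`, `DEVELOPER_PROVIDER_NAME` and `DEVELOPER_PROVIDER_USERID` values are the page's, and `check_claims` is my own sanity check, not an AWS API.

```python
import base64
import json

# Token returned by GetOpenIdTokenForDeveloperIdentity in the walkthrough above
# (header.payload.signature as printed on the page; only header and payload are decoded)
EXAMPLE_TOKEN = (
    "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ."
    "eyJzdWIiOiJ1cy1lYXN0LTE6YWVjYjU4YTgtMjc3Ni00NDMxLTk3OGMtZDYzOTVlMWI1Mzc5"
    "IiwiYXVkIjoidXMtZWFzdC0xOjMzNWMxZjQ0LTg3YzktNGJiZC1hMzE0LTkzYjQ3ZDkxZmFkZCIs"
    "ImFtciI6WyJhdXRoZW50aWNhdGVkIiwiY29tLmJyaWFucGZlaWwuYXBwMDEiLCJjb20uYnJpYW5w"
    "ZmVpbC5hcHAwMTp1cy1lYXN0LTE6MzM1YzFmNDQtODdjOS00YmJkLWEzMTQtOTNiNDdkOTFmYWRk"
    "OjAwMyJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4"
    "cCI6MTU2OTUyMzg3NSwiaWF0IjoxNTY5NTIyOTc1fQ."
    "F6ST-AQWETHUAAR7JM-IU1ZIFLDEVL9ZBNM49WDOL_RXLLCYEY2KYUICHSGYLERD4WWLHWEJG-AOHFMMS0DUXT"
    "-UANA3BENUFFZWWSBAYVD0N2BHCLHZG7PURTRKRDN2XRFGDGQQ2PIMURMWAIPSB0ZCM-EXMSV-QAGOGKE5C2QR0P91"
    "BICL_LB1OQRTF9VXANPEMFFSAMZED776WHKR8ZMP7NTXZBMRE453QFW7VGVNKV3KJDTAKSRVZJS6YVW7BXY74_OQU"
    "JCFF9KWXJSMTEBNOIMHEFI3LJ25HSDDJ4LMLBGODD_ET4PPSUORIVLGW4UQ-7PJYHCAYTBDV0MXAQ"
)
IDENTITY_POOL_ID = "us-east-1:335c1f44-87c9-4bbd-a314-93b47d91fadd"
DEVELOPER_PROVIDER_NAME = "com.brianpfeil.app01"
DEVELOPER_PROVIDER_USERID = "003"


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def inspect_token(token):
    """Split a Cognito OpenID token into its header and claims. Decoding only: the RS512
    signature is NOT verified here; Cognito verifies it in GetCredentialsForIdentity."""
    header, payload, _signature = token.split(".")
    return {"header": _b64url_json(header), "claims": _b64url_json(payload)}


def check_claims(claims, pool_id, provider, user_id, now):
    """Return the list of problems with the claims (an empty list means all checks pass)."""
    problems = []
    if claims.get("iss") != "https://cognito-identity.amazonaws.com":
        problems.append("unexpected issuer")
    if claims.get("aud") != pool_id:
        problems.append("audience is not our identity pool")
    amr = claims.get("amr", [])
    # amr carries "authenticated", the provider name, and provider:pool:userid
    if "authenticated" not in amr or provider not in amr:
        problems.append("not a developer-authenticated token for our provider")
    if f"{provider}:{pool_id}:{user_id}" not in amr:
        problems.append("token was issued for a different user id")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    return problems
```

Decoding the page's token this way shows a 900-second lifetime (`exp` minus `iat`) and an `amr` entry that binds the token to `com.brianpfeil.app01:<pool>:003`, which is the user id the backend asserted.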
## Resources
- Developer Authenticated Identities (Identity Pools)
- Understanding Amazon Cognito Authentication Part 2: Developer Authenticated Identities