AWS Cognito Developer Authenticated Identities

Background: Developer Authenticated Identities (Identity Pools) in the Amazon Cognito Developer Guide

With developer authenticated identities, you register and authenticate users through your own existing login process, while still using Amazon Cognito to synchronize user data and to hand out temporary AWS credentials for accessing AWS resources. Cognito does not check the user ID you pass it: GetOpenIdTokenForDeveloperIdentity is a signed API call that trusts whoever holds IAM permission to make it, so it belongs on your backend, after your own login check has succeeded, and only the short-lived token it returns should be sent to the client.

Example using AWS CLI

  1. Register a custom authentication provider name (DEVELOPER_PROVIDER_NAME) on your identity pool via the "Edit identity pool" console page. The name is a string of your choosing; it namespaces the user IDs you send and appears in the amr claim of every token Cognito issues for them.

  2. set up shell variables

    IDENTITY_POOL_ID="us-east-1:335c1f44-87c9-4bbd-a314-93b47d91fadd"
    DEVELOPER_PROVIDER_NAME=com.brianpfeil.app01
    
    # this is YOUR application's user ID, the value your own login system has already verified
    DEVELOPER_PROVIDER_USERID=003
    
  3. create identity (first login for this user: no --identity-id is passed, so Cognito creates a new identity for DEVELOPER_PROVIDER_NAME/DEVELOPER_PROVIDER_USERID, or finds the identity already linked to that user ID, and returns its IdentityId together with an OpenID token; run this on the backend, with IAM credentials)

    aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id $IDENTITY_POOL_ID --logins "$DEVELOPER_PROVIDER_NAME=$DEVELOPER_PROVIDER_USERID"
    

    example output

    {
        "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6YWVjYjU4YTgtMjc3Ni00NDMxLTk3OGMtZDYzOTVlMWI1Mzc5IiwiYXVkIjoidXMtZWFzdC0xOjMzNWMxZjQ0LTg3YzktNGJiZC1hMzE0LTkzYjQ3ZDkxZmFkZCIsImFtciI6WyJhdXRoZW50aWNhdGVkIiwiY29tLmJyaWFucGZlaWwuYXBwMDEiLCJjb20uYnJpYW5wZmVpbC5hcHAwMTp1cy1lYXN0LTE6MzM1YzFmNDQtODdjOS00YmJkLWEzMTQtOTNiNDdkOTFmYWRkOjAwMyJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4cCI6MTU2OTUyMzg3NSwiaWF0IjoxNTY5NTIyOTc1fQ.F6ST-AQWETHUAAR7JM-IU1ZIFLDEVL9ZBNM49WDOL_RXLLCYEY2KYUICHSGYLERD4WWLHWEJG-AOHFMMS0DUXT-UANA3BENUFFZWWSBAYVD0N2BHCLHZG7PURTRKRDN2XRFGDGQQ2PIMURMWAIPSB0ZCM-EXMSV-QAGOGKE5C2QR0P91BICL_LB1OQRTF9VXANPEMFFSAMZED776WHKR8ZMP7NTXZBMRE453QFW7VGVNKV3KJDTAKSRVZJS6YVW7BXY74_OQUJCFF9KWXJSMTEBNOIMHEFI3LJ25HSDDJ4LMLBGODD_ET4PPSUORIVLGW4UQ-7PJYHCAYTBDV0MXAQ",
        "IdentityId": "us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"
    }
    
  4. get token (later logins: pass the IdentityId from step 3 so the token is issued for the same identity; the IdentityId in the output below is unchanged. Tokens are short-lived: exp minus iat is 900 seconds in the sample tokens on this page, and --token-duration can lengthen that)

    IDENTITY_ID="us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"   # IdentityId returned in step 3
    aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id $IDENTITY_POOL_ID --identity-id $IDENTITY_ID --logins "$DEVELOPER_PROVIDER_NAME=$DEVELOPER_PROVIDER_USERID"
    

    example output

    {
        "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6YWVjYjU4YTgtMjc3Ni00NDMxLTk3OGMtZDYzOTVlMWI1Mzc5IiwiYXVkIjoidXMtZWFzdC0xOjMzNWMxZjQ0LTg3YzktNGJiZC1hMzE0LTkzYjQ3ZDkxZmFkZCIsImFtciI6WyJhdXRoZW50aWNhdGVkIiwiY29tLmJyaWFucGZlaWwuYXBwMDEiLCJjb20uYnJpYW5wZmVpbC5hcHAwMTp1cy1lYXN0LTE6MzM1YzFmNDQtODdjOS00YmJkLWEzMTQtOTNiNDdkOTFmYWRkOjAwMyJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4cCI6MTU2OTUyNDg5OCwiaWF0IjoxNTY5NTIzOTk4fQ.S8JRKAALQZV0FT0GX6WDBE2EZUH2UPHIJLQ1AX9_PQBXLDM4V7UFFVUDXMHGHMZ2T4VMC6R2ILUJATYO05EIKB4HKWPEHSJWHAT8ZUQ9MRVEZ4KJFAY-7ER4LCGKN8MW-ZTZWQRPXUAYGP3RHQFYDV7FGJCJ3GE-MTTCBGXRAY_0H8NNOQE2F1WRO0KPE-Q-8GXF2P89WGFM9FAHZYOBV0FCZYOH8LCAZ7CKQJQ6FO8NYIAQDXDWFJM5-SLMPRYJLBIW88PBLO00ASOP5OGTHFD61JJCUUXFDRB6UTUGM-RUNILJRCTZB5_AB0FXS2YWAG2YZ3_JOFPWDLL-FNQ2UA",
        "IdentityId": "us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"
    }    
    
  5. get credentials (TOKEN holds the Token string returned in step 4; this call can be made from the client, as GetCredentialsForIdentity needs no IAM credentials of its own)

    aws cognito-identity get-credentials-for-identity --identity-id $IDENTITY_ID --logins "cognito-identity.amazonaws.com=$TOKEN"
    

    example output

    {
        "Credentials": {
            "SecretKey": "U6hHM5cdTBjcXG3hxb6VcIwkijvskj72M+81CHBi",
            "SessionToken": "...",
            "Expiration": 1569527701.0,
            "AccessKeyId": "ASIAXWO2SDPLARQRZ55K"
        },
        "IdentityId": "us-east-1:aecb58a8-2776-4431-978c-d6395e1b5379"
    }
    

    NOTE: the --logins key in this step is cognito-identity.amazonaws.com, not DEVELOPER_PROVIDER_NAME, because the token being presented was issued by Cognito itself. See https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-4-enhanced-flow/ :

    "When using an Amazon Cognito token with GetCredentialsForIdentity, you use the key cognito-identity.amazonaws.com in the logins parameter."

  6. You can now use AccessKeyId, SecretKey, and SessionToken (for example by exporting them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) to access AWS resources. They are temporary credentials for the identity pool's authenticated role (the ASIA prefix marks a temporary key) and stop working at the Expiration time, given in epoch seconds, so the sample values above are long dead. Keep the IAM credentials used in steps 3 and 4 on the server; only the short-lived Token and the temporary credentials derived from it should ever reach a client.
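The whole procedure as a script, added here as an example and not taken from the original page: mint_token wraps steps 3 and 4 for the backend, exchange_token wraps step 5 for the client, and check_cognito_token inspects the OpenID token offline (issuer, audience, amr, expiry) so a backend can sanity-check what it is about to hand out and an incident responder can map a captured token back to an application user. The function names are mine; IDENTITY_POOL_ID, DEVELOPER_PROVIDER_NAME and SAMPLE_TOKEN are the values printed on this page. mint_token and exchange_token need the aws CLI and network access (mint_token also needs IAM credentials); the inspection functions need only sh, base64, sed and grep.

```shell
#!/bin/sh
# Added example (not the page's own code). Pool ID, provider name and the
# sample token are the ones shown on the page; the function names are assumed.

IDENTITY_POOL_ID="us-east-1:335c1f44-87c9-4bbd-a314-93b47d91fadd"
DEVELOPER_PROVIDER_NAME=com.brianpfeil.app01

# --- Backend side -----------------------------------------------------------
# GetOpenIdTokenForDeveloperIdentity is a SIGNED call: Cognito trusts whoever
# holds IAM permission for it and never checks the user id itself. Call this
# only on your server after YOUR login check succeeded, and ship only the
# returned short-lived token to the client. Prints "IdentityId<TAB>Token".
mint_token() { # mint_token APP_USER_ID [IDENTITY_ID]
  _userid=$1
  set -- --identity-pool-id "$IDENTITY_POOL_ID" \
         --logins "$DEVELOPER_PROVIDER_NAME=$_userid" \
         --query '[IdentityId,Token]' --output text
  [ -n "${2:-}" ] && set -- "$@" --identity-id "$2"   # reuse an existing identity
  aws cognito-identity get-open-id-token-for-developer-identity "$@"
}

# --- Client side ------------------------------------------------------------
# GetCredentialsForIdentity needs no IAM credentials; note the logins key is
# cognito-identity.amazonaws.com, not the developer provider name.
exchange_token() { # exchange_token IDENTITY_ID TOKEN  -> exports AWS_* vars
  _id=$1; _tok=$2
  set -- $(aws cognito-identity get-credentials-for-identity \
    --identity-id "$_id" --logins "cognito-identity.amazonaws.com=$_tok" \
    --query 'Credentials.[AccessKeyId,SecretKey,SessionToken]' --output text)
  [ $# -eq 3 ] || { echo "credential exchange failed" >&2; return 1; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# --- Offline token inspection -----------------------------------------------
# Decode the payload segment of a compact JWS (base64url, unpadded). This does
# NOT verify the RS512 signature; Cognito verifies it at exchange time. Use it
# for sanity checks and forensics, never as proof that a token is genuine.
jwt_payload() { # jwt_payload TOKEN
  _p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#_p} % 4 )) in
    2) _p="${_p}==" ;;
    3) _p="${_p}=" ;;
  esac
  printf '%s' "$_p" | base64 -d
}

jwt_claim() { # jwt_claim TOKEN NAME -> value of a top-level string/number claim
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# The amr array carries "PROVIDER:POOL:USERID"; recover the application user id.
developer_user_id() { # developer_user_id TOKEN PROVIDER POOL
  jwt_payload "$1" | sed -n "s/.*\"$2:$3:\([^\"]*\)\".*/\1/p"
}

# Reject a token not issued by Cognito for this pool via this provider, or one
# that has expired. NOW (epoch seconds) defaults to the current time.
check_cognito_token() { # check_cognito_token TOKEN POOL PROVIDER [NOW]
  _now=${4:-$(date +%s)}
  _payload=$(jwt_payload "$1")
  [ "$(jwt_claim "$1" iss)" = "https://cognito-identity.amazonaws.com" ] || { echo "bad iss"; return 1; }
  [ "$(jwt_claim "$1" aud)" = "$2" ] || { echo "token is for another identity pool"; return 1; }
  printf '%s' "$_payload" | grep -qF '"authenticated"' || { echo "not an authenticated identity"; return 1; }
  printf '%s' "$_payload" | grep -qF "\"$3\"" || { echo "not minted via provider $3"; return 1; }
  [ "$(jwt_claim "$1" exp)" -gt "$_now" ] || { echo "token expired"; return 1; }
  return 0
}

# First token printed on the page (step 3 output); it expired in September 2019.
SAMPLE_TOKEN="eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6YWVjYjU4YTgtMjc3Ni00NDMxLTk3OGMtZDYzOTVlMWI1Mzc5IiwiYXVkIjoidXMtZWFzdC0xOjMzNWMxZjQ0LTg3YzktNGJiZC1hMzE0LTkzYjQ3ZDkxZmFkZCIsImFtciI6WyJhdXRoZW50aWNhdGVkIiwiY29tLmJyaWFucGZlaWwuYXBwMDEiLCJjb20uYnJpYW5wZmVpbC5hcHAwMTp1cy1lYXN0LTE6MzM1YzFmNDQtODdjOS00YmJkLWEzMTQtOTNiNDdkOTFmYWRkOjAwMyJdLCJpc3MiOiJodHRwczovL2NvZ25pdG8taWRlbnRpdHkuYW1hem9uYXdzLmNvbSIsImV4cCI6MTU2OTUyMzg3NSwiaWF0IjoxNTY5NTIyOTc1fQ.F6ST-AQWETHUAAR7JM-IU1ZIFLDEVL9ZBNM49WDOL_RXLLCYEY2KYUICHSGYLERD4WWLHWEJG-AOHFMMS0DUXT-UANA3BENUFFZWWSBAYVD0N2BHCLHZG7PURTRKRDN2XRFGDGQQ2PIMURMWAIPSB0ZCM-EXMSV-QAGOGKE5C2QR0P91BICL_LB1OQRTF9VXANPEMFFSAMZED776WHKR8ZMP7NTXZBMRE453QFW7VGVNKV3KJDTAKSRVZJS6YVW7BXY74_OQUJCFF9KWXJSMTEBNOIMHEFI3LJ25HSDDJ4LMLBGODD_ET4PPSUORIVLGW4UQ-7PJYHCAYTBDV0MXAQ"

echo "identity (sub): $(jwt_claim "$SAMPLE_TOKEN" sub)"
echo "application user: $(developer_user_id "$SAMPLE_TOKEN" "$DEVELOPER_PROVIDER_NAME" "$IDENTITY_POOL_ID")"
echo "lifetime: $(( $(jwt_claim "$SAMPLE_TOKEN" exp) - $(jwt_claim "$SAMPLE_TOKEN" iat) )) seconds"
check_cognito_token "$SAMPLE_TOKEN" "$IDENTITY_POOL_ID" "$DEVELOPER_PROVIDER_NAME" \
  || echo "page token rejected, as expected for a 2019 token"
```

Live use: on the server, `mint_token 003` (or `mint_token 003 "$IDENTITY_ID"` for a returning user) prints the IdentityId and Token; the client then runs `exchange_token "$IDENTITY_ID" "$TOKEN"` and has AWS_* variables in its environment until the credentials expire. The checks in check_cognito_token are deliberately done on the decoded claims only, because the RS512 signature is validated by Cognito when the token is exchanged; anyone who wants to trust a token without exchanging it must fetch the Cognito identity JWKS and verify the signature against the kid in the header.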

Resources