Step-by-Step Guide to Setting Up AWS Cognito Identity Pools for Federated Identity Access to AWS Services
Amazon Cognito is a powerful AWS service that simplifies user authentication and identity management for your applications. It offers a secure and scalable solution for managing user directories and handling sign-ins. By leveraging Amazon Cognito, you can seamlessly authenticate users, manage their identities, and control their access to AWS resources. Cognito provides essential tools through User Pools and Identity Pools, each serving a specific role in managing authentication and access.
User Pools are designed to handle user authentication, manage user directories, and generate authentication tokens. They allow you to create and manage user accounts, handle sign-ups and sign-ins, and authenticate users via various methods. Essentially, User Pools are the backbone of user identity management, ensuring that only authorized users can access your application.
Identity Pools, in contrast, are focused on providing federated identities with temporary AWS credentials. They allow users authenticated through different sources, including User Pools, to access AWS services securely. By mapping these federated identities to IAM roles, Identity Pools control the level of access to AWS resources.
In this step-by-step guide, we will walk through the process of setting up AWS Cognito Identity Pools to enable federated identity access to AWS services. Whether you are integrating with existing user directories or implementing federated access, this guide will provide you with the insights and instructions needed to leverage Cognito Identity Pools effectively.
Create User Pool and Identity Pool
Create User Pool
To set up a Cognito User Pool, follow the steps outlined in the “Configure a Cognito User Pool” section in this guide. Once the User Pool is successfully created, add a new user to it. This user will be essential later in the process when we retrieve the ID token following authentication.
Create Identity Pool
Navigate to the Identity Pools section in AWS Cognito and click on the Create Identity Pool button to launch the wizard. Select Authenticated access since we don’t want to allow guest access in this scenario. Choose Amazon Cognito User Pool as the identity provider, which specifies that users will be authenticated using the Cognito User Pool. You’ll also notice that you can define different identity sources based on your requirements.
On the next screen, select the “Create a new IAM role” option to generate the default IAM role that authenticated users will assume. In this scenario, we will create a role that grants read-only access to an S3 bucket.
Next, we’ll configure the identity provider that will authenticate our users. Since we’ve already chosen the AWS Cognito User Pool as the identity provider in previous steps, select the User Pool you created earlier. This ensures that all users will be authenticated through the designated Cognito User Pool.
After selecting the User Pool, you’ll need to choose the App Client associated with this User Pool. The App Client represents the application that users will interact with, and selecting the correct one is crucial for ensuring seamless authentication.
For the “Role Settings” section, you can leave the default options, as they are typically configured for common use cases. Similarly, in the “Claim Mappings” section, it’s best to retain the default settings unless you have specific claims that need to be mapped to the identity provider. This approach keeps the identity and access management process straightforward and aligned with your initial setup.
Next, enter the identity pool name and leave Basic authentication as it is. Once you’ve entered the name and reviewed all the settings, click Create Identity Pool to complete the setup. After the Identity Pool is created, you’ll be provided with essential information such as the Identity Pool ID, which will be required in later steps for configuring access to AWS resources.
Add S3 Read-Only Policy to the IAM Role
To enable authenticated users to access your S3 bucket, navigate to the IAM service in the AWS Management Console and open the IAM role named “identitypools3access”, which we created earlier during the Identity Pool setup. In this role, we’ll add the AmazonS3ReadOnlyAccess policy so that authenticated users can read from the S3 bucket.
On the role’s details page, select the Add permissions option, then choose Attach policies. Search for the AmazonS3ReadOnlyAccess policy, which grants read-only access to all S3 buckets in the account. Select this policy and attach it to the IAM role by clicking Attach policy. This configuration ensures that users authenticated via your Cognito User Pool will have the necessary permissions to read from the specified S3 bucket (and, because the managed policy is not scoped to one bucket, from every other bucket in the account; a custom policy limited to the intended bucket is preferable in production). If your use case requires additional permissions, such as write access or access to other AWS services, you can attach other relevant policies to this role as needed.
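The role created by the wizard carries a trust policy that decides who may assume it, and the permission policy attached above decides what they may do. The following is an added example, not code from the guide or from AWS: it shows the trust policy shape Cognito Identity Pools generate for the authenticated role, a checker that confirms the trust policy is pinned to one Identity Pool and to authenticated identities, and a permission policy scoped to a single bucket instead of the account-wide AmazonS3ReadOnlyAccess managed policy. The identity pool ID and bucket name are placeholders.

```python
"""Added example (not from the guide): policies for the Identity Pool's
authenticated IAM role, plus a checker for the role's trust policy.

The Identity Pool wizard creates the role and its trust policy for you; the
shape below is what that generated trust policy looks like. The checker confirms
the policy is pinned to one Identity Pool (aud) and to authenticated identities
(amr), and scoped_read_only_policy() builds a permission policy limited to one
bucket instead of the broad AmazonS3ReadOnlyAccess managed policy. The pool id
and bucket name are placeholders, not real resources.
"""
import json

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
BUCKET_NAME = "example-reports-bucket"  # placeholder bucket name

# Trust policy shape Cognito Identity Pools use for the authenticated role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # Only identities from THIS pool may assume the role ...
                "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
                # ... and only authenticated ones (the guide disabled guest access).
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }
    ],
}


def trust_policy_problems(policy, identity_pool_id):
    """Return findings for every Cognito Identity statement in a trust policy.

    An empty list means each statement is pinned to `identity_pool_id` and
    requires authenticated identities; a role without these conditions could be
    assumed through any Identity Pool.
    """
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue  # not a Cognito Identity statement; out of scope for this check
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != identity_pool_id:
            problems.append("aud condition missing or not pinned to this identity pool")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "authenticated":
            problems.append("amr condition does not require authenticated identities")
    return problems


def scoped_read_only_policy(bucket, per_identity_prefix=False):
    """Permission policy for the role: list and read one bucket only.

    With per_identity_prefix=True each identity is further confined to its own
    prefix, using the ${cognito-identity.amazonaws.com:sub} policy variable that
    IAM resolves to the caller's Identity ID.
    """
    if per_identity_prefix:
        return {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": ["s3:ListBucket"],
                    "Resource": f"arn:aws:s3:::{bucket}",
                    "Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}},
                },
                {
                    "Effect": "Allow",
                    "Action": ["s3:GetObject"],
                    "Resource": f"arn:aws:s3:::{bucket}/${{cognito-identity.amazonaws.com:sub}}/*",
                },
            ],
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


if __name__ == "__main__":
    print("trust policy findings:", trust_policy_problems(TRUST_POLICY, IDENTITY_POOL_ID) or "none")
    print(json.dumps(scoped_read_only_policy(BUCKET_NAME, per_identity_prefix=True), indent=2))
```

Run the script to print the scoped policy as JSON, then paste it as an inline policy on the role in place of AmazonS3ReadOnlyAccess; the trust-policy checker can be pointed at the JSON the console shows under the role’s Trust relationships tab.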
Authenticate and Get Credentials for Identity
Once the User Pool and Identity Pool are set up, the next step is to authenticate the user using the Cognito User Pool. This authentication process will provide us with an ID token and an access token. To accomplish this, we will use Postman to authenticate the user with the Cognito User Pool.
After successfully retrieving tokens from the Cognito User Pool, we will use these tokens to obtain temporary credentials through the AWS Cognito Identity Pool. This process involves using the GetCredentialsForIdentity API, which provides temporary AWS credentials based on the identity pool and the associated IAM role. These temporary credentials allow us to interact with AWS resources securely. Let’s walk through these steps one by one to ensure a clear and effective setup.
Alternatively, we can use the AssumeRoleWithWebIdentity API to get temporary credentials. This approach is primarily used for assuming a role based on a web identity token, which is often employed when integrating with external identity providers (IdPs) such as social login services. While AssumeRoleWithWebIdentity is used in scenarios where we have web identity tokens from various external sources, GetCredentialsForIdentity is specifically designed to work within the Amazon Cognito framework for obtaining credentials based on identities managed by Cognito Identity Pools.
Authenticate using Postman
To authenticate the user created earlier and obtain the tokens, follow the steps outlined in the “OAuth 2.0 Authorization” section of this guide. Be sure to adjust the settings for the User Pool and App Client ID according to your specific configuration. This will ensure that you are authenticating against the correct User Pool and using the appropriate App Client for token generation.
Get Temporary Credentials using GetCredentialsForIdentity
In this step, we will use the GetCredentialsForIdentity API, an Amazon Cognito Identity operation that obtains credentials from the AWS Security Token Service (STS) on the caller’s behalf, to get credentials for the authenticated identity. This API call will issue temporary credentials, including an AccessKeyId, SecretAccessKey, and SessionToken. These credentials will grant us read-only access to resources, as the default role associated with this identity is configured to provide S3 read-only access.
First, we need to retrieve the Identity ID for the authenticated user. This can be achieved using the following AWS CLI command, which returns the IdentityId for the user. The IdentityId is a unique identifier for the user in the context of the Identity Pool and is necessary for obtaining temporary credentials. Make sure to replace any placeholders with actual values specific to your setup to ensure accurate results.
aws cognito-identity get-id \
  --identity-pool-id <identity-pool-id> \
  --logins cognito-idp.<region>.amazonaws.com/<user-pool-id>=<id-token>
After obtaining the IdentityId, we will use the following AWS CLI command to get the temporary credentials. This command retrieves the AccessKeyId, SecretAccessKey, and SessionToken for the user, which are essential for accessing AWS resources. Ensure that you replace the placeholders in the command with your actual values to get the correct credentials. These temporary credentials will allow us to interact with AWS services securely, in line with the permissions granted by the associated IAM role.
aws cognito-identity get-credentials-for-identity \
  --identity-id <identity-id> \
  --logins cognito-idp.<region>.amazonaws.com/<user-pool-id>=<id-token>
Use the following commands in the CLI to set the temporary credentials (Windows Command Prompt syntax; in a POSIX shell use export in place of set):
set AWS_ACCESS_KEY_ID=<AccessKeyId>
set AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
set AWS_SESSION_TOKEN=<SessionToken>
Replace <AccessKeyId>, <SecretAccessKey>, and <SessionToken> with the values obtained from the previous step. These commands configure your CLI environment with the temporary credentials, allowing you to authenticate and interact with AWS services using these credentials. In this context, we will be able to read the contents of S3 buckets, as demonstrated below.
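The same flow, as an added example in Python with boto3 rather than the guide’s CLI commands: GetId, then GetCredentialsForIdentity, then helpers that turn the returned credentials into the environment variables set above and a read-only listing of one bucket. The region, identity pool ID, user pool ID, ID token and bucket name are placeholders, and the sample credentials at the bottom are constructed for illustration. One detail the guide’s text glosses over is handled here: the Cognito Identity response names the secret SecretKey, whereas the environment variable (and the STS response) use SecretAccessKey.

```python
"""Added example (not from the guide): the GetId / GetCredentialsForIdentity flow
in Python with boto3, plus helpers that turn the returned credentials into the
environment variables the CLI reads.

boto3 is imported inside the two functions that call AWS, so the helpers can be
exercised offline. Region, pool ids, token and bucket are placeholders. Note that
the Cognito Identity response names the secret `SecretKey`, not
`SecretAccessKey` as in the STS response; credentials_to_env() maps it.
"""
from datetime import datetime, timezone


def login_provider_key(region, user_pool_id):
    """Key of the Logins map for a User Pool provider (the same string the guide's
    --logins argument uses before the '=')."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def credentials_to_env(creds):
    """Map the Credentials structure of GetCredentialsForIdentity to env vars."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def shell_lines(env, windows=False):
    """Render env vars as `set` lines (cmd.exe, as in the guide) or `export` lines (sh)."""
    prefix = "set" if windows else "export"
    return [f"{prefix} {k}={v}" for k, v in env.items()]


def seconds_until_expiry(creds, now=None):
    """Remaining lifetime; temporary credentials expire and must be refreshed."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


def get_temporary_credentials(region, identity_pool_id, user_pool_id, id_token):
    """Live flow: GetId, then GetCredentialsForIdentity. Requires network and boto3.
    `id_token` must be the User Pool ID token, not the access token."""
    import boto3  # lazy import: only the live calls need it

    client = boto3.client("cognito-identity", region_name=region)
    logins = {login_provider_key(region, user_pool_id): id_token}
    identity_id = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return identity_id, resp["Credentials"]


def list_bucket_keys(creds, bucket, region):
    """Use the temporary credentials to list one bucket, the read-only check from the guide."""
    import boto3

    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region,
    )
    resp = session.client("s3").list_objects_v2(Bucket=bucket)
    return [obj["Key"] for obj in resp.get("Contents", [])]


# Constructed sample shaped like a real GetCredentialsForIdentity response; the
# values are not real credentials.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretKey": "exampleSecretKeyValue",
    "SessionToken": "exampleSessionTokenValue",
    "Expiration": datetime(2030, 1, 1, tzinfo=timezone.utc),
}


if __name__ == "__main__":
    env = credentials_to_env(SAMPLE_CREDENTIALS)
    print("\n".join(shell_lines(env)))
    print(f"expires in {seconds_until_expiry(SAMPLE_CREDENTIALS):.0f} s")
```

With real values, call get_temporary_credentials() and pass its Credentials to list_bucket_keys(); if the role only carries the read-only policy, a put_object call with the same session is the quick confirmation that write access is denied.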
Conclusion
In this guide, we’ve walked through the process of setting up AWS Cognito User Pools and Identity Pools to manage authenticated access to AWS services. We covered the steps for user authentication, obtaining temporary credentials via the GetCredentialsForIdentity API, and configuring the CLI environment with these credentials. This setup not only ensures robust security but also provides a flexible framework for integrating user authentication into your applications. With these configurations, you can effectively manage user access and protect your AWS resources.