Part-4 Serverless

Temporary AWS credentials to access S3 using cognito and federated identities.

We discussed several things in parts 1, 2 and 3 of this series: how to make Cognito user pools, Lambda functions to interact with these user pools, executing these Lambda functions behind API Gateway, and protecting your private API endpoints using Cognito authorizers.

In this blog, we will look at the utility of the federated identities available with Cognito to provide our users temporary access to AWS resources.

Here is what AWS defines the Cognito User Pool as:

Amazon Cognito User Pool makes it easy for developers to add sign-up and sign-in functionality to web and mobile applications. It serves as your own identity provider to maintain a user directory. It supports user registration and sign-in, as well as provisioning identity tokens for signed-in users.

And the Cognito Federated Identities or Identity Pool is defined as:

Amazon Cognito Federated Identities enables developers to create unique identities for your users and authenticate them with federated identity providers. With a federated identity, you can obtain temporary, limited-privilege AWS credentials to securely access other AWS services such as Amazon DynamoDB, Amazon S3, and Amazon API Gateway.

Cognito user pools can also act as a federated identity provider, in addition to other providers like Facebook, Google etc.

Cognito Identity Pool (or Cognito Federated Identities) is a way to authorize your users to use the various AWS services. Say you wanted to allow a user to access your S3 bucket so that they could upload or delete a file; you would specify that in an IAM role while creating an Identity Pool. The IAM role attached to the Cognito Federated Identities decides the permissions and access to AWS resources.

User Pool vs Identity Pool

To clarify this a bit more, let’s put these two services in context of each other. Here is how they play together.

[Diagram of how the user pool and identity pool play together, copied from serverless-stack.com]

Steps in this blog:

  1. Create an IAM role which will define the permissions and the access to AWS resources for an authenticated user.
  2. Create a federated identity pool.
  3. Create a private bucket on S3.
  4. Create a Lambda function to handle the logic for creating an identity_id for a Cognito username and for providing temporary credentials. Once made, attach it to API Gateway.
  5. Get the temporary credentials for a registered user.
  6. Upload a file to the S3 bucket using these temporary credentials.

Create an IAM role

This IAM role will serve as the last checkpoint between your authorised users and your AWS resources. Always follow “Grant Least Privilege”.

When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.

Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.

We will only allow our users to access one folder inside our S3 bucket. Their CRUD operations are limited to their own folder, which is identified by their identity_id.

  • IdentityId is the id of your user in the identity pool from Cognito Federated Identities.

Go to your IAM console and create a new policy limited_s3.

Copy and paste the following JSON.

Here cognito-identity.amazonaws.com:sub represents the user's Cognito identity_id.

This provides Get/Put/Delete permission to a user in a folder in your S3 bucket.

Create another policy “cognito-sync-events” and paste the following JSON.

Now create two new roles:

  1. “federated_identity” and attach limited_s3 policy to it.
  2. “unauthenticated_federated_identity” and attach “cognito-sync-events” to it.
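As an added example (not the policy JSON from the original post), the following Python builds the two policy documents described above and includes a small, deliberately simplified evaluator so you can check the prefix scoping before pasting the JSON into the IAM console. The bucket name is a placeholder, and the cognito-sync-events policy is assumed to match the default Unauth policy Cognito generates (mobileanalytics:PutEvents and cognito-sync:*); the evaluator handles Allow statements and StringLike conditions only and is not a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Placeholder: the page says the policy must name the bucket you create later.
BUCKET = "your-private-bucket-name"

# Policy variable that Cognito resolves to the caller's identity_id at evaluation time.
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"


def limited_s3_policy(bucket=BUCKET):
    """Policy for the authenticated role: each identity only reaches its own prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Listing is allowed only for keys under the caller's own folder (assumed addition).
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{IDENTITY_VAR}/*"]}},
            },
            {
                # Get/Put/Delete are scoped to objects under <identity_id>/ .
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{IDENTITY_VAR}/*"],
            },
        ],
    }


def cognito_sync_events_policy():
    """Policy for the unauthenticated role (assumed: Cognito's default Unauth policy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
                "Resource": ["*"],
            }
        ],
    }


def policy_json(policy):
    """Pretty JSON ready to paste into the IAM console."""
    return json.dumps(policy, indent=2)


def is_allowed(policy, identity_id, action, resource, context=None):
    """Simplified evaluation: Allow statements only, with the Cognito identity
    variable substituted and StringLike conditions checked against `context`.
    Enough to sanity-check prefix scoping; not a full IAM simulator."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        resources = [r.replace(IDENTITY_VAR, identity_id) for r in stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        satisfied = True
        for key, patterns in conditions.items():
            value = context.get(key)
            patterns = [p.replace(IDENTITY_VAR, identity_id) for p in patterns]
            if value is None or not any(fnmatch.fnmatchcase(value, p) for p in patterns):
                satisfied = False
                break
        if satisfied:
            return True
    return False
```

Run `print(policy_json(limited_s3_policy("my-bucket")))` to get the text for the console; the `is_allowed` checks are where you confirm that an object ARN under another identity's prefix, or at the bucket root, is not matched by any statement.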

Create a federated identity pool

Go to your Cognito dashboard, click Manage Identity Pools and then click Create new identity pool.

Select Cognito under Authentication providers and enter your User Pool ID and App client ID created in Part-1 of this series. Make sure you don't allow unauthenticated users to access your application by leaving “Enable access to unauthenticated identities” unchecked.

Hit Create. On the next page hit Cancel; there is no need to create new roles now, as we have already created them in the above section.

Now click on Edit identity pool and carefully select the roles you made from the drop-downs for the authenticated role and the unauthenticated role.

Make a note of your federated identity pool id. It will be in the form

Your Federated identity Pool is ready for use.

Private s3 bucket

The easiest part of this blog: go to your S3 console and create an S3 bucket with a unique name that is available. Make sure you leave the Block public access section as it is, which guarantees the privacy of this bucket and ensures no user without proper credentials can access any object in this bucket.

  • Note: Make sure the name of the bucket is the same as the one mentioned in the limited_s3 policy created above.

Lambda function for temporary credentials.

Create a new Lambda function with the IAM role defined in Part-3 of this tutorial and with Python 3.7 as its runtime.

Copy and paste the following code in your Lambda console.

This function takes a valid id_token as an argument and returns the temporary AWS credentials for the user. A user receives an id_token on successful login.

Create a new API Gateway endpoint for this Lambda function. Now try to access this API endpoint with a valid user id_token; you will receive a response containing the user's temporary credentials.
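The Lambda described above, written out as an added example rather than the code from the original post. It uses the boto3 cognito-identity client's `get_id` and `get_credentials_for_identity` calls: the first maps the user pool token to an identity_id (the same value the `${cognito-identity.amazonaws.com:sub}` policy variable resolves to), the second returns the scoped session credentials. The identity pool id and user pool provider name are placeholders read from environment variables, the event shape assumes an API Gateway Lambda proxy integration with a JSON body `{"id_token": "..."}`, and the client is injectable so the handler can be exercised without AWS.

```python
import json
import os

# Placeholders for the values created in the earlier steps; set them as
# Lambda environment variables in a real deployment.
IDENTITY_POOL_ID = os.environ.get(
    "IDENTITY_POOL_ID", "ap-south-1:00000000-0000-0000-0000-000000000000")
# Provider name of the user pool: cognito-idp.<region>.amazonaws.com/<user pool id>
USER_POOL_PROVIDER = os.environ.get(
    "USER_POOL_PROVIDER", "cognito-idp.ap-south-1.amazonaws.com/ap-south-1_PLACEHOLDER")


def temporary_credentials(id_token, client):
    """Exchange a user pool id_token for an identity_id plus scoped AWS credentials.

    `client` is a boto3 cognito-identity client. Cognito itself validates the
    token against the user pool configured on the identity pool, so a forged,
    expired or wrong-audience token is rejected by these calls, not by us.
    """
    logins = {USER_POOL_PROVIDER: id_token}
    identity_id = client.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    creds = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    expiration = creds["Expiration"]
    return {
        "identity_id": identity_id,
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretKey"],
        "session_token": creds["SessionToken"],
        # boto3 returns a datetime here; keep the response JSON friendly
        "expiration": expiration.isoformat() if hasattr(expiration, "isoformat") else str(expiration),
    }


def lambda_handler(event, context, client=None):
    """API Gateway proxy entry point. Body: {"id_token": "<token from login>"}."""
    if client is None:
        import boto3  # only needed inside Lambda
        client = boto3.client("cognito-identity")
    try:
        body = json.loads(event.get("body") or "{}")
    except ValueError:
        return _response(400, {"error": "body must be JSON"})
    id_token = body.get("id_token")
    if not isinstance(id_token, str) or not id_token:
        return _response(400, {"error": "id_token is required"})
    try:
        return _response(200, temporary_credentials(id_token, client))
    except Exception as exc:
        # Cognito raises NotAuthorizedException and similar for bad tokens; in
        # production narrow this to botocore.exceptions.ClientError. Do not echo
        # the token or the full exception back to the caller.
        return _response(401, {"error": "token rejected", "detail": type(exc).__name__})


def _response(status, payload):
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),
    }
```

The credentials returned are short-lived session credentials; the session token must be passed along with the key pair when the client uses them, and the Lambda's own execution role needs no S3 access, because the user's access is granted by the identity pool's authenticated role, not by the function.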

With these credentials a user can access a folder named “ap-south-1:a76dvg67–9434-ghiy-9iou-cd1hh7d30ba1” in your bucket. Using this function, a user can upload any file to the folder (identified by the user's identity_id) in the private bucket created above.

Try changing the identity_id and you will get an authentication error, because a user is only allowed to upload files to his/her own folder.
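The client-side upload step, as an added example that is not part of the original post. It assumes the credentials JSON has the keys identity_id, access_key_id, secret_access_key and session_token, builds a boto3 session from them (the session token is mandatory for temporary credentials) and always writes under `<identity_id>/<basename>`, so a client-supplied name such as `../other-id/x` cannot select a key outside the caller's folder. The S3 client is injectable so the key handling can be tested offline; the bucket name is a placeholder.

```python
import posixpath


def object_key_for(identity_id, filename):
    """Key inside the caller's own folder: <identity_id>/<basename>.

    Only the basename of the client-supplied name is used, which removes any
    path separators before the key is sent to S3. Even without this, the role
    policy would reject keys outside <identity_id>/, but rejecting them here
    gives the user a clear error instead of an AccessDenied from S3.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name in (".", ".."):
        raise ValueError("invalid filename")
    return f"{identity_id}/{name}"


def upload_with_temporary_credentials(creds, bucket, filename, data, s3_client=None):
    """Upload `data` with the temporary credentials returned by the credentials endpoint.

    `creds`: dict with identity_id, access_key_id, secret_access_key, session_token.
    `s3_client`: optional injected client (tests); otherwise built from `creds`.
    Returns the object key that was written.
    """
    if s3_client is None:
        import boto3
        session = boto3.Session(
            aws_access_key_id=creds["access_key_id"],
            aws_secret_access_key=creds["secret_access_key"],
            aws_session_token=creds["session_token"],  # required for STS session credentials
        )
        s3_client = session.client("s3")
    key = object_key_for(creds["identity_id"], filename)
    # With a key under another identity's prefix S3 answers AccessDenied,
    # because the authenticated role only allows arn:aws:s3:::<bucket>/<identity_id>/*.
    s3_client.put_object(Bucket=bucket, Key=key, Body=data)
    return key
```

In a real client the `creds` dict is the parsed response of the API Gateway endpoint from the previous section, and the upload fails with AccessDenied as soon as the identity_id in the key does not match the identity the credentials were issued for.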

Analytics Vidhya

Analytics Vidhya is a community of Analytics and Data Science professionals. We are building the next-gen data science ecosystem https://www.analyticsvidhya.com

Written by Graphicaldot (Saurav verma)

Interested in Blockchain, Python, Go, Erlang and Devops. Pretendotype vs Prototype.
