Create AWS Identity Pool

Part ɪɪɪ: Connect UI to API │Story 02 : Create AWS Cognito Identity pool

GIT : Repo

In the previous post, we created an OpenId Connect Provider (OIDC) in AWS for our app adding the Google Client Ids of our iOS and Android apps.
In this post, we would create an Identity pool in AWS Cognito for our app and use the OIDC as an Authentication provider for the Identity pool.

So, let’s get started.

Get API Gateway Id and Region

Before we go to AWS Cognito to create our Identity pool, let’s first get the Gateway Id of the noteWordy serverless API. We would need this when specifying the access/permission policy for the Authenticated User IAM role.

The API Gateway ID and region can be obtained from our API’s endpoint URL that was given to us in the output of the serverless deploy command when we deployed the service to AWS.

Alternatively , your serverless API Gateway ID and API Gateway Region can also be obtained from AWS management console.

Go to AWS management console → API Gateway Services and select your API

Find the API Gateway Id and region at the top of the API resources page. 👆

📌 🅝🅞🅣🅔 # 4:
API-Gateway-Id: <<your API Gateway Id>>
API-Gateway-region: <<your API Gateway region>>

Creating Cognito Identity Pool

From AWS management console and select Cognito from the services

Create new Identity pool: 👇
‒ Add a name for the Identity pool.
‒ In the Authentication Providers section, select OpenId tab
‒ In the OpenId tab, you should see the OIDC we created in the last post.
‒ Select the OIDC
‒ Click ‘Create Pool’ button

In the next screen, AWS would create two roles for the Identity pool ‒ a role for Authenticated users and another for Unauthenticated users. Update the access policy for the Authenticated identity role 👇

Above, we updated policy for Authenticated users to access our API. Below is the json for the policy we updated to👇

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke",
        "apigateway:DELETE"      
      ],
      "Resource": [
        "arn:aws:execute-api:API-GATEWAY-REGION:*:API-GATEWAY-ID/*/*/*"
      ]
    }
  ]
}

Replace the API-GATEWAY-REGION and API-GATEWAY-ID with the ones that we noted down above in 📌 NOTE # 4.

With above permission policy, a user authenticated with this role by the Identity pool would have access, to the Cognito Sync, Mobile Analytics and the APIs that we deploy to the API Gateway having the specified Id.

Click ‘Allow’ button at the bottom of the screen. Next you would probably see the below screen from where you can note down the Identity Pool Id and its region. If you don’t see the below screen, you can click on Edit Identity pool link and get the Identity Pool Id from there.

📌 🅝🅞🅣🅔 # 5:
Identity pool id: <<your Identity Pool Id>>
Identity pool region: <<your Identity Pool region>>

Now that we got our Identity pool set up, let’s move to react-native side in the next post to sign-in to this AWS Identity pool and the 403 error, that we were getting earlier to access API from the UI, should get fixed with this.

← Prev:OpenId Connect Provider┈🏠┈Next:AWS Sign-in with Amplify→