Create AWS Identity Pool
Part III: Connect UI to API | Story 02: Create AWS Cognito Identity Pool
GIT: Repo
In the previous post, we created an OpenID Connect Provider (OIDC) in AWS for our app, adding the Google Client IDs of our iOS and Android apps.
In this post, we will create an Identity pool in AWS Cognito for our app and use the OIDC provider as an authentication provider for the Identity pool.
So, let’s get started.
Get API Gateway Id and Region
Before we go to AWS Cognito to create our Identity pool, let’s first get the API Gateway ID of the noteWordy serverless API. We will need it when specifying the access/permission policy for the Authenticated user IAM role.
The API Gateway ID and region can be read from our API’s endpoint URL, which was printed in the output of the serverless deploy command when we deployed the service to AWS.
Alternatively, your serverless API Gateway ID and API Gateway region can also be obtained from the AWS management console:
Go to AWS management console → API Gateway service and select your API.
Find the API Gateway ID and region at the top of the API resources page. 👆
📌 NOTE # 4: API-Gateway-Id: <<your API Gateway Id>>
API-Gateway-region: <<your API Gateway region>>
Creating Cognito Identity Pool
From the AWS management console, select Cognito from the list of services.
Create a new Identity pool: 👇
‒ Add a name for the Identity pool.
‒ In the Authentication providers section, select the OpenID tab.
‒ In the OpenID tab, you should see the OIDC provider we created in the last post.
‒ Select the OIDC provider.
‒ Click the ‘Create Pool’ button.
In the next screen, AWS will create two roles for the Identity pool ‒ one for Authenticated users and another for Unauthenticated users. Update the access policy for the Authenticated identity role 👇
Above, we updated the policy for Authenticated users so that they can access our API. Below is the JSON of the policy we updated it to 👇
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke",
        "apigateway:DELETE"
      ],
      "Resource": [
        "arn:aws:execute-api:API-GATEWAY-REGION:*:API-GATEWAY-ID/*/*/*"
      ]
    }
  ]
}
Replace API-GATEWAY-REGION and API-GATEWAY-ID with the values we noted down above in 📌 NOTE # 4.
With the above permission policy, a user to whom the Identity pool assigns this role after authentication has access to Cognito Sync, Mobile Analytics, and the APIs we deploy to the API Gateway with the specified ID.
Click the ‘Allow’ button at the bottom of the screen. Next, you will probably see the screen below, from which you can note down the Identity Pool ID and its region. If you don’t see this screen, click the Edit Identity pool link and get the Identity Pool ID from there.
📌 NOTE # 5: Identity pool id: <<your Identity Pool Id>>
Identity pool region: <<your Identity Pool region>>
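The console wizard generates two IAM documents for the Authenticated role: the access policy shown above and a trust policy that restricts who may assume the role. The script below, an added example and not part of this post or the noteWordy repo, builds both from the values in NOTE # 4 and NOTE # 5 and can bind them to the pool with boto3 (a `role_name` and the `stage` parameter are assumptions; the page uses `*` for the stage). It leaves out `apigateway:DELETE`, a control-plane action on `arn:aws:apigateway` resources that matches nothing on an `execute-api` ARN.

```python
import json


def api_invoke_policy(region: str, api_id: str, stage: str = "*") -> dict:
    """Access policy for the Authenticated role (the JSON from the post, minus
    apigateway:DELETE). stage='*' matches the post; pass 'dev' to narrow it."""
    # arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>
    api_arn = f"arn:aws:execute-api:{region}:*:{api_id}/{stage}/*/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"],
             "Resource": ["*"]},
            {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": [api_arn]},
        ],
    }


def authenticated_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy the console generates for the Authenticated role: only
    identities federated through THIS pool (aud) that actually signed in (amr)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def attach_authenticated_role(identity_pool_id: str, region: str, api_id: str, role_name: str) -> str:
    """Create the role, attach the policy and bind it to the pool with boto3.
    Assumes AWS credentials in the environment; role_name is hypothetical."""
    import boto3  # imported lazily so the builders above run without it
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(authenticated_trust_policy(identity_pool_id)))
    iam.put_role_policy(RoleName=role_name, PolicyName="noteWordyApiInvoke",
                        PolicyDocument=json.dumps(api_invoke_policy(region, api_id)))
    boto3.client("cognito-identity", region_name=region).set_identity_pool_roles(
        IdentityPoolId=identity_pool_id, Roles={"authenticated": role["Role"]["Arn"]})
    return role["Role"]["Arn"]
```

Without the `aud` condition any Cognito identity pool in any account could assume the role, so keep that condition if you ever edit the trust policy by hand.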
Now that we have our Identity pool set up, let’s move to the react-native side in the next post to sign in to this AWS Identity pool; the 403 error we were getting earlier when accessing the API from the UI should be fixed by this.
← Prev: OpenID Connect Provider | 🏠 | Next: AWS Sign-in with Amplify →