
An Ultimate Guide to Exploring the Power of AWS Cognito User and Identity Pools

1. Introduction

AWS Cognito offers two essential components for managing user authentication and access to AWS resources: User Pools and Identity Pools. User Pools serve as a user directory system, facilitating user registration, authentication, and account recovery within your application. User Pools support various authentication methods, including traditional username/password, OAuth 2.0, and multi-factor authentication (MFA). Upon successful authentication, User Pools generate JSON Web Tokens (JWTs), enabling secure user identification and session management within your application.

Identity Pools, also known as Cognito Identity Pools, play a crucial role in providing temporary AWS credentials to access AWS resources on behalf of your users. Identity Pools issue temporary AWS credentials as a bridge between authenticated users and AWS services, granting access to specific AWS resources based on defined IAM roles. They support both authenticated and unauthenticated (guest) access, allowing fine-grained control over permissions for different user types. Integration with various identity providers, including User Pools, social identity providers, and custom authentication systems, is possible with Identity Pools. Leveraging Identity Pools ensures secure interaction between your application and AWS services, such as S3, DynamoDB, and API Gateway, with access levels tailored to users’ roles and permissions.

2. Create a Cognito User Pool

  1. Sign in to AWS Console: Log in to your AWS account via the AWS Management Console.
  2. Navigate to AWS Cognito: Open the Amazon Cognito service, for example by using the search bar in the AWS Console.
  3. Create a User Pool:
  • Click on “User Pools” followed by “Create a user pool”.
  • In “Provider type,” Select “Cognito User Pool”. In Cognito user pool sign-in options, choose “Username and Email.”
  • In the password policy, keep the Default setting. In MFA, you can select No MFA and keep the rest of the Default.
  • Enter a name for your user pool, enable the “Use the Cognito Hosted UI,” and configure the domain (either use the Cognito domain or custom domain) as shown below.
  • Adjust various settings such as user attributes, policies, and verification methods as needed.
  4. Create a New App Client:
  • Click on the “Add an app client” button.
  • Provide a name for your app client in the “App client name” field.
  • Optionally, you can uncheck the “Generate client secret” box if you don’t need a client secret for your app. Note that certain OAuth flows require a client secret.
  • Configure App Client Settings: You can configure various settings for your app client, such as OAuth 2.0 settings, allowed OAuth flows, callback URLs, and more. Ensure these settings align with the requirements of your application.
  • Review and create the User Pool. Grab the User Pool ID and Client ID; we will need them later to generate a token.


3. Create an Identity Pool

  • Return to the Amazon Cognito dashboard and select “Identity Pools.”
  • Under “Authentication providers,” in “Authenticated identity sources,” choose Cognito User Pool.
  1. Set up IAM Roles:
  • Define IAM roles to specify the permissions for accessing AWS services.
  • Opt to create new roles and grant Cognito the necessary permissions. Adjust permissions as required. For example, if you want the users to access S3, add an S3 policy to the IAM role attached as the Authenticated Role.
  2. Integrate the User Pool with the Identity Pool (Connect identity providers):
  • Specify the user pool created previously and select the App Client created in that User Pool.
  • Review the settings and create the Identity Pool. Grab the Identity Pool ID; you will need it in later steps.
  • Add a user to the Cognito User Pool by signing up.

4. Generate an id-token

  1. Obtain Your Cognito User Pool Information: Before proceeding, ensure you have the following information:
  • Cognito User Pool ID
  • Client ID of your Cognito App Client
  • Username and password of a user registered in the Cognito User Pool
  2. Configure Postman: If you haven’t already, download and install Postman from https://www.postman.com/downloads/.
  3. Create a New Request: Open Postman and create a new request by clicking on the “New” button.
  • In Authorization, select the type OAuth 2.0. Configure the Callback URL, Auth URL, Access Token URL, Client ID, and Client Secret. Click on Get New Access Token and enter the username and password of the Cognito user created earlier.
  • Grab the id_token from the pop-up and copy it into Notepad.

5. Generate Temporary credentials with the Cognito Identity Pool.

Cognito Identity Pools issue temporary AWS credentials to authenticate users of your application. These credentials are obtained following user authentication with a supported identity provider, like Cognito User Pools or social identity providers. They grant access to AWS services for a limited time and are associated with specific permissions defined by IAM roles within the Identity Pool.

  1. To generate the temporary credentials, first compose a JSON file consisting of the required input fields AccountId, IdentityPoolId, and Logins. The Logins map holds one entry: the key is the provider name of your user pool and the value is the id_token obtained in the previous section. The syntax is shown below.

    {
    "AccountId": "string",
    "IdentityPoolId": "string",
    "Logins": {
    "string" : "string"
    }
    }

    • Execute the following command, giving the JSON file as input.

    $ aws cognito-identity get-id --cli-input-json file://getid.json

    The output contains the IdentityId, which you will need in the next step.

  2. Generate the temporary credentials using GetCredentialsForIdentity
    • To generate credentials, create a JSON file using the IdentityId generated by the previous step, together with the same Logins entry.

    {
    "IdentityId": "string",
    "Logins": {
    "string" : "string"
    }
    }

    • Now execute the following command, passing the JSON file as input as shown below.

    $ aws cognito-identity get-credentials-for-identity --cli-input-json file://get_cred.json

    The output contains the temporary credentials: AccessKeyId, SecretKey, SessionToken, and their Expiration.
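As an added example (not code from the original post), the following Python builds the two --cli-input-json bodies used in the steps above and checks the id_token’s claims first, so that an access token, a token from a different user pool, or an expired token is caught before it ever reaches GetId. The region, account ID, pool IDs and the unsigned test token are constructed placeholders.

```python
import base64
import json
import time

# Constructed sample values (not from the original post); substitute your own.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
ACCOUNT_ID = "123456789012"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

def _b64url(part):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def provider_name(region, user_pool_id):
    """The Logins key for a user pool: the issuer host/path without https://."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def check_id_token(id_token, region, user_pool_id, now=None):
    """Reject the usual mistakes before calling GetId: wrong token type,
    token from another pool, or an expired token. Only the claims are read;
    Cognito verifies the signature server-side when it receives the token."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(_b64url(payload))
    if claims.get("token_use") != "id":
        raise ValueError("Logins needs the id_token, not the access token")
    if claims.get("iss") != "https://" + provider_name(region, user_pool_id):
        raise ValueError(f"token issuer {claims.get('iss')!r} is not this pool")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token has expired; sign in again for a fresh one")
    return claims

def build_get_id_input(id_token, region, user_pool_id, account_id, identity_pool_id):
    """Body for `aws cognito-identity get-id --cli-input-json file://getid.json`."""
    check_id_token(id_token, region, user_pool_id)
    return {"AccountId": account_id, "IdentityPoolId": identity_pool_id,
            "Logins": {provider_name(region, user_pool_id): id_token}}

def build_get_credentials_input(identity_id, id_token, region, user_pool_id):
    """Body for `get-credentials-for-identity`, using the IdentityId from GetId."""
    check_id_token(id_token, region, user_pool_id)
    return {"IdentityId": identity_id,
            "Logins": {provider_name(region, user_pool_id): id_token}}

def make_unsigned_jwt(claims):
    """Constructed JWT-shaped token for offline testing only (no real signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(claims)}.signature"
```

Write the returned dicts to getid.json and get_cred.json with json.dump and pass them to the two CLI commands above.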

6. Testing Temporary credentials generated by Identity ID using Postman


  1. Pass the AccessKeyId, SecretKey, and SessionToken from the previous output into Postman’s AWS Signature authorization settings and send a request to S3.

You should be able to list the objects in the S3 bucket, because the Identity Pool’s Authenticated Role has the S3 policy (permissions) attached. Requests for any service the role does not allow will be denied, which is the intended effect of scoping the role.

Output:


Conclusion

In summary, AWS Cognito User Pools handle user authentication within your application, issuing JWTs upon successful authentication, while AWS Cognito Identity Pools facilitate secure access to AWS resources by providing temporary credentials to authenticated users, subject to predefined IAM roles and permissions. This combined authentication and authorization process ensures seamless and secure user interactions with your application and AWS services. 

