From the course: AWS Certified Developer - Associate (DVA-C02) Cert Prep

Amazon Cognito identity pool

- [Instructor] Now let's look at identity pools. Amazon Cognito identity pools provide a different functionality compared to user pools. If user pools are used for authentication, then identity pools are used for user authorization or access control. Identity pools are used for obtaining temporary AWS credentials to access other AWS services, such as Amazon S3 or DynamoDB. So how do we get temporary AWS credentials? Here's the user pool authentication flow from the last video. So after a user has been successfully verified, Cognito issues a JSON web token and returns it to the client. Now, the role of the user pool stops at this point and the identity pool takes over. So from the client, you will use the AWS SDK to send a request to the Cognito identity pool. Then the identity pool, which uses AWS STS under the hood, exchanges the JSON web token for temporary AWS credentials that can be used to grant your users permissions to access AWS resources in your accounts.

When you create an identity pool, you get to choose an authentication provider, which could be a Cognito user pool, Amazon, Google, Twitter, an OpenID Connect provider, a SAML IdP, or you could also authenticate users via your own authentication process using the developer authenticated identities feature. Take note that an identity pool can work without a user pool. If you want to get the token from an identity provider like Google, it's fine. You don't have to use a Cognito user pool. However, in the exam, user pool and identity pool usually come up together in scenarios or options where they're combined to form a solution.

Amazon Cognito identity pools support two types of identities, authenticated and unauthenticated. Authenticated identities are users who are authenticated by a trusted identity provider, such as a Cognito user pool, Amazon, Facebook, Twitter and many more. Unauthenticated identities, on the other hand, simply refer to the guest users or users who don't have to be logged in to access your application.

If you have an application that serves media files like images or videos from Amazon S3, you may want to have some control over what your users can and cannot do. For example, you can make it in such a way that only registered users can upload and share images, while guest users are only allowed to view photos posted by those who actually have an account, kind of like how Facebook and Instagram work. Obviously, the permissions that you assign to guest users should be more restrictive than those for authenticated identities. You can enable unauthenticated identities upon the creation of an identity pool or by modifying the settings of an existing identity pool. A Cognito identity pool with unauthenticated access works by providing a unique identifier and AWS credentials for your guest users. You can control their permissions by defining the policy associated with your unauthenticated identities role. You can, for example, set read-only access in the policy so that any guest user can only see media files from your S3 bucket. As a result, they won't be able to delete, update, or post any files to the S3 bucket.
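The guest-versus-registered-user media scenario above, as an added example that is not part of the course: the two IAM permission policies an identity pool would hand to its unauthenticated and authenticated roles, the trust policy that ties each role to one pool and one authentication method, and a minimal allow/deny evaluator so the difference can be checked offline. The pool id, bucket ARN and identity id are placeholders, and the evaluator only handles Action/Resource matching, not the full IAM condition language.

```python
"""Constructed example: guest and authenticated role policies for a Cognito
identity pool, plus a minimal offline allow/deny check. All ids are placeholders."""
import fnmatch

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder identity pool id
BUCKET = "arn:aws:s3:::example-media-bucket"                # placeholder bucket ARN
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"           # IAM policy variable: the identity id


def trust_policy(amr: str) -> dict:
    """Trust policy for one of the pool's roles: only Cognito Identity may assume it,
    only for this pool (aud), and only for identities whose auth method matches amr
    ("authenticated" or "unauthenticated")."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
        }}]}


# Unauthenticated (guest) role: list and read media, nothing else.
GUEST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
]}

# Authenticated role: everything guests get, plus upload/delete limited to the
# caller's own prefix, which is keyed on the Cognito identity id.
AUTH_POLICY = {"Version": "2012-10-17", "Statement": GUEST_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": [BUCKET + "/" + SUB_VAR + "/*"]},
]}


def is_allowed(policy: dict, action: str, resource: str, identity_id: str = "") -> bool:
    """IAM-style decision: an explicit Deny wins, otherwise any matching Allow grants.
    Wildcards in Action/Resource are matched with fnmatch; the sub variable is
    replaced by the caller's identity id before matching."""
    def matches(stmt: dict) -> bool:
        resources = [r.replace(SUB_VAR, identity_id) for r in stmt["Resource"]]
        return (any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatch.fnmatchcase(resource, r) for r in resources))
    effects = [s["Effect"] for s in policy["Statement"] if matches(s)]
    return "Deny" not in effects and "Allow" in effects
```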