From the course: AWS Certified Developer - Associate (DVA-C02) Cert Prep
Amazon Cognito identity pool - Amazon Web Services (AWS) Tutorial
Amazon Cognito identity pool
- [Instructor] Now let's look at identity pools. Amazon Cognito identity pools provide a different function from user pools. If user pools are used for authentication, identity pools are used for authorization, or access control. Identity pools are used to obtain temporary AWS credentials for accessing other AWS services, such as Amazon S3 or DynamoDB.

So how do we get temporary AWS credentials? Here's the user pool authentication flow from the last video. After a user has been successfully verified, Cognito issues a JSON Web Token (JWT) and returns it to the client. The role of the user pool stops at this point, and the identity pool takes over. From the client, you use the AWS SDK to send a request to the Cognito identity pool, passing along the user pool's ID token. The identity pool, which uses AWS STS under the hood, exchanges that token for temporary AWS credentials (an access key ID, a secret access key and a session token) tied to an IAM role, and those credentials are what grant your users permission to access AWS resources in your account.

When you create an identity pool, you choose one or more authentication providers: a Cognito user pool, Amazon, Google, Twitter, an OpenID Connect provider, a SAML IdP, or your own authentication process via the developer authenticated identities feature. Note that an identity pool can work without a user pool. If you want to get the token from an identity provider like Google, that's fine; you don't have to use a Cognito user pool. However, in the exam, user pools and identity pools usually come up together, in scenarios or answer options where they are combined to form a solution.

Amazon Cognito identity pools support two types of identities: authenticated and unauthenticated. Authenticated identities are users who have been authenticated by a trusted identity provider, such as a Cognito user pool, Amazon, Facebook, Twitter and many more. Unauthenticated identities, on the other hand, are guest users: users who don't have to be logged in to access your application.
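The exchange just described, as an added example that is not part of the course. It uses the boto3 method names and parameters for Amazon Cognito Identity (get_id, then get_credentials_for_identity) and runs both an authenticated and a guest request. The region, pool IDs and token are placeholders, and FakeCognitoIdentityClient is a constructed stand-in for the real client so the flow runs offline; in production you pass boto3.client("cognito-identity") instead.

```python
from datetime import datetime, timedelta, timezone

# Placeholders, not real resources.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"


def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """Provider name used as the key of the Logins map for a user pool.

    The identity pool recognises the user pool by this exact string; a wrong
    region or pool ID makes GetId fail with NotAuthorizedException.
    """
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def get_temporary_credentials(client, identity_pool_id: str, logins=None) -> dict:
    """Run the identity pool flow: GetId, then GetCredentialsForIdentity.

    logins maps provider name -> token; for a user pool that token is the ID
    token, not the access token. With logins=None the pool is asked for an
    unauthenticated (guest) identity, which only succeeds when guest access
    is enabled on the pool.
    """
    params = {"IdentityPoolId": identity_pool_id}
    if logins:
        params["Logins"] = logins
    identity_id = client.get_id(**params)["IdentityId"]

    params = {"IdentityId": identity_id}
    if logins:
        params["Logins"] = logins
    creds = client.get_credentials_for_identity(**params)["Credentials"]

    # Cognito Identity calls the secret "SecretKey" (STS says "SecretAccessKey");
    # map to the keyword names boto3.Session / boto3.client accept.
    return {
        "identity_id": identity_id,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class FakeCognitoIdentityClient:
    """Constructed offline stand-in for the boto3 cognito-identity client.

    It reproduces the two service checks that most often trip people up: the
    Logins key must name a provider the pool trusts, and a request without
    Logins only succeeds when unauthenticated access is enabled.
    """

    def __init__(self, identity_pool_id, trusted_providers, allow_unauthenticated):
        self.identity_pool_id = identity_pool_id
        self.trusted_providers = set(trusted_providers)
        self.allow_unauthenticated = allow_unauthenticated
        self.calls = []  # (API name, "authenticated" | "unauthenticated")

    def _classify(self, logins):
        if not logins:
            if not self.allow_unauthenticated:
                raise PermissionError("NotAuthorizedException: unauthenticated access is disabled")
            return "unauthenticated"
        unknown = set(logins) - self.trusted_providers
        if unknown:
            raise PermissionError(f"NotAuthorizedException: untrusted provider(s) {sorted(unknown)}")
        return "authenticated"

    def get_id(self, IdentityPoolId, Logins=None):
        if IdentityPoolId != self.identity_pool_id:
            raise LookupError("ResourceNotFoundException: unknown identity pool")
        self.calls.append(("GetId", self._classify(Logins)))
        region = IdentityPoolId.split(":")[0]
        return {"IdentityId": f"{region}:00000000-0000-0000-0000-000000000001"}

    def get_credentials_for_identity(self, IdentityId, Logins=None):
        kind = self._classify(Logins)
        self.calls.append(("GetCredentialsForIdentity", kind))
        return {
            "IdentityId": IdentityId,
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE" + kind.upper(),
                "SecretKey": "example-secret-key",
                "SessionToken": "example-session-token",
                "Expiration": datetime.now(timezone.utc) + timedelta(hours=1),
            },
        }


def demo_both_identity_types() -> dict:
    """Run the authenticated flow and the guest flow against the fake client."""
    provider = user_pool_login_key(REGION, USER_POOL_ID)
    client = FakeCognitoIdentityClient(IDENTITY_POOL_ID, {provider}, allow_unauthenticated=True)
    signed_in = get_temporary_credentials(client, IDENTITY_POOL_ID, {provider: "id-token-placeholder"})
    guest = get_temporary_credentials(client, IDENTITY_POOL_ID)
    return {"authenticated": signed_in, "guest": guest, "calls": client.calls}


if __name__ == "__main__":
    print(demo_both_identity_types())
```

The returned dictionary can be passed straight to boto3.Session(**creds_without_the_extra_keys) or boto3.client("s3", ...) to call S3 as the user. Two practical notes: GetId and GetCredentialsForIdentity are unauthenticated APIs, so on a device with no AWS credentials configured create the cognito-identity client with botocore.config.Config(signature_version=botocore.UNSIGNED), otherwise boto3 raises NoCredentialsError before the request is sent; and the credentials expire, so re-run the exchange (with a fresh ID token, since that expires too) rather than caching them for the life of the app.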
If you have an application that serves media files like images or videos from Amazon S3, you may want some control over what your users can and cannot do. For example, you can arrange it so that only registered users can upload and share images, while guest users are only allowed to view photos posted by those who actually have an account, much like how Facebook and Instagram work. Obviously, the permissions you assign to guest users should be more restrictive than those for authenticated identities. You can enable unauthenticated identities when you create an identity pool, or by modifying the settings of an existing identity pool. A Cognito identity pool with unauthenticated access works by providing a unique identifier and AWS credentials for your guest users. You control their permissions by defining the IAM policy attached to your unauthenticated identities' role, which is a separate role from the one used for authenticated identities. You can, for example, grant read-only access in that policy so that any guest user can only view media files in your S3 bucket. As a result, they won't be able to delete, update or upload any files to the S3 bucket.
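The two-role setup described above, as an added example that is not from the course: the trust policy that lets the identity pool assume each role, and the S3 permission policies for the guest role and the authenticated role. The identity pool ID and bucket name are placeholders, and the public/ and private/<identity id>/ prefix layout is an assumed convention for the media bucket.

```python
import json

# Placeholders, not real resources.
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
MEDIA_BUCKET = "example-media-bucket"

# IAM policy variable that IAM expands, per request, to the caller's Cognito identity ID.
IDENTITY_SUB = "${cognito-identity.amazonaws.com:sub}"


def trust_policy(identity_pool_id: str, authenticated: bool) -> dict:
    """Who may assume the role: only this identity pool, only this identity type.

    Without the aud condition an identity pool in any AWS account could be
    pointed at the role; without the amr condition the guest role could be
    handed to authenticated users and vice versa.
    """
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def guest_role_policy(bucket: str) -> dict:
    """Guests: list and read objects under public/ and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListPublic", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": ["public/*"]}}},
            {"Sid": "ReadPublic", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/public/*"},
        ],
    }


def authenticated_role_policy(bucket: str) -> dict:
    """Signed-in users: read public/, and read/write only their own private prefix.

    IDENTITY_SUB is substituted per request, so user A's credentials cannot
    reach private/<B's identity id>/ even though both users share one role.
    """
    own_prefix = f"arn:aws:s3:::{bucket}/private/{IDENTITY_SUB}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnAndPublic", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": ["public/*", f"private/{IDENTITY_SUB}/*"]}}},
            {"Sid": "ReadPublic", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/public/*"},
            {"Sid": "ReadWriteOwn", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": own_prefix},
        ],
    }


def allowed_actions(policy: dict) -> set:
    """Flatten the Allow statements to a set of actions, for review and tests."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action = stmt["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def render_roles(identity_pool_id: str, bucket: str) -> dict:
    """The four JSON documents to attach to the two roles of the identity pool."""
    return {
        "GuestRole": {
            "trust": json.dumps(trust_policy(identity_pool_id, False), indent=2),
            "policy": json.dumps(guest_role_policy(bucket), indent=2),
        },
        "AuthenticatedRole": {
            "trust": json.dumps(trust_policy(identity_pool_id, True), indent=2),
            "policy": json.dumps(authenticated_role_policy(bucket), indent=2),
        },
    }


if __name__ == "__main__":
    for role, docs in render_roles(IDENTITY_POOL_ID, MEDIA_BUCKET).items():
        print(role, "\n", docs["trust"], "\n", docs["policy"])
```

Create the two IAM roles from these documents and select them as the authenticated role and the guest role in the identity pool's settings. The guest role grants nothing on private/, nor any write action on the bucket, which is the read-only behaviour the paragraph describes; the authenticated role gets upload and delete only under the caller's own identity-scoped prefix, so the role is shared but the data is not.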
Contents

- AWS security services (12m 56s)
- AWS Identity Services (4m 32s)
- AWS audit and compliance services (3m 22s)
- IAM overview (8m 13s)
- IAM identities (9m)
- IAM policy types (7m 42s)
- IAM policy basics (9m 14s)
- IAM policy evaluation logic (9m 8s)
- Amazon Cognito user pool (2m 47s)
- Amazon Cognito identity pool (3m 30s)
- AWS Secrets Manager overview (3m 53s)
- AWS Systems Manager Parameter Store overview (3m 46s)
- AWS Systems Manager Parameter Store vs. AWS Secrets Manager (3m 54s)
- Amazon S3 encryption (6m 59s)
- Amazon S3 bucket policy (5m 5s)
- AWS Key Management Service (AWS KMS) overview (6m 58s)
- AWS KMS API commands (2m 39s)
- Hands-on lab: Encryption and Decryption using AWS KMS CLI (7m 30s)
- Amazon API Gateway authorizer (3m 42s)
- Amazon CloudFront security features (11m 35s)
- AWS CloudTrail overview (3m 13s)
- Cross-origin resource sharing (CORS) (6m 14s)