Cognito Identity Pool Example in AWS CDK - Complete Guide


Borislav Hadzhiev

Mon Apr 19 20213 min read


Photo by Vadim Kaipov

Cognito Identity Pool Example in CDK #

In this article we're going to use CDK to provision a Cognito Identity Pool. We'll go through a step-by-step explanation of the different configuration options and things we should be aware of.

The code for this article is available on GitHub

In order to provision a Cognito identity pool in CDK we have to use the CfnIdentityPool construct.

The Identity Pool's purpose is to grant temporary credentials to authenticated and unauthenticated users, to access AWS services.

Cognito Identity Pool in AWS CDK - Example #

I'll post a snippet of an identity pool with some common configuration properties and we are going to go over the code:

import * as cognito from '@aws-cdk/aws-cognito'; import * as iam from '@aws-cdk/aws-iam'; import * as cdk from '@aws-cdk/core'; export class CdkStarterStack extends cdk.Stack { constructor(scope: cdk.App, id: string, props?: cdk.StackProps) { super(scope, id, props); const identityPool = new cognito.CfnIdentityPool(this, 'identity-pool', { identityPoolName: 'my-identity-pool', allowUnauthenticatedIdentities: true, cognitoIdentityProviders: [ { clientId: userPoolClient.userPoolClientId, providerName: userPool.userPoolProviderName, }, ], }); } }

We used the CfnIdentityPool level 1 construct to define a Cognito identity pool.

The props we used are:

Next, we are going to define 2 roles for the Identity Pool - one for authenticated and one for unauthenticated users.

The roles in this example provide the same permissions - just a Lambda logging policy.

const isAnonymousCognitoGroupRole = new iam.Role( this, 'anonymous-group-role', { description: 'Default role for anonymous users', assumedBy: new iam.FederatedPrincipal( '', { StringEquals: { '': identityPool.ref, }, 'ForAnyValue:StringLike': { '': 'unauthenticated', }, }, 'sts:AssumeRoleWithWebIdentity', ), managedPolicies: [ iam.ManagedPolicy.fromAwsManagedPolicyName( 'service-role/AWSLambdaBasicExecutionRole', ), ], }, ); const isUserCognitoGroupRole = new iam.Role(this, 'users-group-role', { description: 'Default role for authenticated users', assumedBy: new iam.FederatedPrincipal( '', { StringEquals: { '': identityPool.ref, }, 'ForAnyValue:StringLike': { '': 'authenticated', }, }, 'sts:AssumeRoleWithWebIdentity', ), managedPolicies: [ iam.ManagedPolicy.fromAwsManagedPolicyName( 'service-role/AWSLambdaBasicExecutionRole', ), ], });

In the code we've defined 2 IAM roles, that we're going to attach to the identity pool. In this example the roles have the same permissions, so you would have to tweak them for your use case.

Now we are going to attach the roles, we just defined, to the identity pool:

new cognito.CfnIdentityPoolRoleAttachment( this, 'identity-pool-role-attachment', { identityPoolId: identityPool.ref, roles: { authenticated: isUserCognitoGroupRole.roleArn, unauthenticated: isAnonymousCognitoGroupRole.roleArn, }, roleMappings: { mapping: { type: 'Token', ambiguousRoleResolution: 'AuthenticatedRole', identityProvider: `cognito-idp.${ cdk.Stack.of(this).region }${userPool.userPoolId}:${ userPoolClient.userPoolClientId }`, }, }, }, );

Let's go over the configuration properties of the CfnIdentityPoolRoleAttachment construct:

  • identityPoolId - the id of the identity pool we're attaching IAM roles to
  • roles - the IAM roles we want to associate to the identity pool
  • roleMappings - specifies how authenticated users are mapped to roles
The code for this article is available on GitHub

I'll provision the resources with the cdk deploy command.

npx cdk deploy

If I open my CloudFormation console, I can see that the resources are provisioned:

cloudformation identity pool

And if I go to the Cognito console, I can see that the identity pool was provisioned successfully:

identity pool

Further Reading #

Add me on LinkedIn

I'm a Web Developer with TypeScript, React.js, Node.js and AWS experience.

Let's connect on LinkedIn

Join my newsletter

I'll send you 1 email a week with links to all of the articles I've written that week

Buy Me A Coffee