Cognito Identity Pool Example in AWS CDK - Complete Guide


Borislav Hadzhiev

Last updated: Apr 14, 2022


Cognito Identity Pool Example in CDK #

In this article we're going to use CDK to provision a Cognito Identity Pool. We'll go through a step-by-step explanation of the different configuration options and things we should be aware of.

The code for this article is available on GitHub

In order to provision a Cognito identity pool in CDK, we have to use the CfnIdentityPool construct.

The purpose of an Identity Pool is to grant temporary AWS credentials to authenticated and unauthenticated (guest) users so they can access AWS services. Which permissions those credentials carry is decided by the IAM roles we attach to the pool.

Cognito Identity Pool in AWS CDK - Example #

I'll post a snippet of an identity pool with some common configuration properties and we are going to go over the code:

lib/cdk-starter-stack.ts
```ts
import * as cognito from 'aws-cdk-lib/aws-cognito';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The snippet references a user pool and an app client that are defined
    // elsewhere in the stack; minimal definitions are assumed here so the
    // file compiles on its own.
    const userPool = new cognito.UserPool(this, 'userpool');
    const userPoolClient = userPool.addClient('userpool-client');

    const identityPool = new cognito.CfnIdentityPool(this, 'identity-pool', {
      identityPoolName: 'my-identity-pool',
      // guest (unauthenticated) identities also receive credentials
      allowUnauthenticatedIdentities: true,
      cognitoIdentityProviders: [
        {
          clientId: userPoolClient.userPoolClientId,
          providerName: userPool.userPoolProviderName,
        },
      ],
    });
  }
}
```

We used the CfnIdentityPool level 1 construct to define a Cognito identity pool.

The props we used are:

  • identityPoolName - the name of the identity pool
  • allowUnauthenticatedIdentities - whether unauthenticated (guest) identities are allowed to obtain credentials from the pool
  • cognitoIdentityProviders - the Cognito user pool app clients whose tokens the identity pool accepts as authenticated identities

Next, we are going to define 2 roles for the Identity Pool - one for authenticated and one for unauthenticated users.

The roles in this example provide the same permissions - just a Lambda logging policy.

lib/cdk-starter-stack.ts
```ts
const isAnonymousCognitoGroupRole = new iam.Role(
  this,
  'anonymous-group-role',
  {
    description: 'Default role for anonymous users',
    assumedBy: new iam.FederatedPrincipal(
      'cognito-identity.amazonaws.com',
      {
        // only identities from this identity pool may assume the role
        StringEquals: {
          'cognito-identity.amazonaws.com:aud': identityPool.ref,
        },
        // and only unauthenticated (guest) identities
        'ForAnyValue:StringLike': {
          'cognito-identity.amazonaws.com:amr': 'unauthenticated',
        },
      },
      'sts:AssumeRoleWithWebIdentity',
    ),
    managedPolicies: [
      iam.ManagedPolicy.fromAwsManagedPolicyName(
        'service-role/AWSLambdaBasicExecutionRole',
      ),
    ],
  },
);

const isUserCognitoGroupRole = new iam.Role(this, 'users-group-role', {
  description: 'Default role for authenticated users',
  assumedBy: new iam.FederatedPrincipal(
    'cognito-identity.amazonaws.com',
    {
      StringEquals: {
        'cognito-identity.amazonaws.com:aud': identityPool.ref,
      },
      // only authenticated identities may assume this role
      'ForAnyValue:StringLike': {
        'cognito-identity.amazonaws.com:amr': 'authenticated',
      },
    },
    'sts:AssumeRoleWithWebIdentity',
  ),
  managedPolicies: [
    iam.ManagedPolicy.fromAwsManagedPolicyName(
      'service-role/AWSLambdaBasicExecutionRole',
    ),
  ],
});
```

We defined 2 IAM roles that we're going to attach to the identity pool. Both roles are assumable only through sts:AssumeRoleWithWebIdentity, only by this identity pool (the aud condition), and only by the matching class of identity (the amr condition). In this example the roles carry the same permissions, so in practice you would scope each one to what that class of user actually needs.
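As an added check (not code from the article), the following lint inspects the trust policy document that CDK synthesizes from the FederatedPrincipal above and reports when the aud or amr condition is missing or points at the wrong pool or identity class. The pool id and the policy documents are constructed sample values.

```typescript
// Added example, not from the article: lints a Cognito identity pool trust policy.
type Json = Record<string, any>;

const IDP = 'cognito-identity.amazonaws.com';

// Policy values may be a string or an array; normalise to an array.
function asList(v: unknown): string[] {
  return v === undefined ? [] : ([] as string[]).concat(v as string | string[]);
}

// Returns findings for every Allow statement that federates cognito-identity.
// An empty list means only the expected pool, with the expected amr value
// ('authenticated' or 'unauthenticated'), can assume the role.
function checkIdentityPoolTrust(policy: Json, expectedPoolId: string, expectedAmr: string): string[] {
  const findings: string[] = [];
  const statements: Json[] = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  statements.forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow' || stmt.Principal?.Federated !== IDP) return;
    const actions = asList(stmt.Action);
    if (actions.indexOf('sts:AssumeRoleWithWebIdentity') === -1) {
      findings.push(`statement ${i}: unexpected action ${actions.join(',')}`);
    }
    const cond: Json = stmt.Condition ?? {};
    // Without aud, any identity pool in any AWS account could assume the role.
    const aud = asList(cond.StringEquals?.[`${IDP}:aud`]);
    if (aud.length === 0) {
      findings.push(`statement ${i}: no aud condition`);
    } else if (aud.length !== 1 || aud[0] !== expectedPoolId) {
      findings.push(`statement ${i}: aud is ${aud.join(',')}, expected ${expectedPoolId}`);
    }
    // Without amr, guest identities could assume the authenticated role.
    const amr = asList(cond['ForAnyValue:StringLike']?.[`${IDP}:amr`] ?? cond['ForAnyValue:StringEquals']?.[`${IDP}:amr`]);
    if (amr.length === 0) {
      findings.push(`statement ${i}: no amr condition`);
    } else if (amr.length !== 1 || amr[0] !== expectedAmr) {
      findings.push(`statement ${i}: amr is ${amr.join(',')}, expected ${expectedAmr}`);
    }
  });
  return findings;
}

// Constructed sample documents in the shape CDK emits for the FederatedPrincipal above.
function cognitoTrustPolicy(condition: Json): Json {
  return { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Principal: { Federated: IDP },
    Action: 'sts:AssumeRoleWithWebIdentity', Condition: condition }] };
}
const POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000'; // constructed placeholder id
const unauthPolicy = cognitoTrustPolicy({ StringEquals: { [`${IDP}:aud`]: POOL_ID },
  'ForAnyValue:StringLike': { [`${IDP}:amr`]: 'unauthenticated' } });
const noAudPolicy = cognitoTrustPolicy({ 'ForAnyValue:StringLike': { [`${IDP}:amr`]: 'authenticated' } });

console.log(checkIdentityPoolTrust(unauthPolicy, POOL_ID, 'unauthenticated')); // []
console.log(checkIdentityPoolTrust(noAudPolicy, POOL_ID, 'authenticated'));    // ['statement 0: no aud condition']
```

The same function can be run over the role trust policies in the synthesized CloudFormation template (cdk synth) as a deploy-time guard.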

Now we are going to attach the roles we just defined to the identity pool:

lib/cdk-starter-stack.ts
```ts
new cognito.CfnIdentityPoolRoleAttachment(
  this,
  'identity-pool-role-attachment',
  {
    identityPoolId: identityPool.ref,
    roles: {
      authenticated: isUserCognitoGroupRole.roleArn,
      unauthenticated: isAnonymousCognitoGroupRole.roleArn,
    },
    roleMappings: {
      mapping: {
        type: 'Token',
        // fall back to the authenticated role when a token matches no specific role
        ambiguousRoleResolution: 'AuthenticatedRole',
        identityProvider: `cognito-idp.${
          cdk.Stack.of(this).region
        }.amazonaws.com/${userPool.userPoolId}:${
          userPoolClient.userPoolClientId
        }`,
      },
    },
  },
);
```

Let's go over the configuration properties of the CfnIdentityPoolRoleAttachment construct:

  • identityPoolId - the id of the identity pool we're attaching IAM roles to
  • roles - the IAM roles associated with the identity pool, keyed by authenticated and unauthenticated
  • roleMappings - specifies how authenticated users are mapped to roles; with type Token the role is taken from the cognito:roles and cognito:preferred_role claims of the user pool token, and ambiguousRoleResolution decides what happens when no single role can be chosen

I'll provision the resources with the cdk deploy command.

```shell
npx aws-cdk deploy
```

If I open my CloudFormation console, I can see that the resources are provisioned:


And if I go to the Cognito console, I can see that the identity pool was provisioned successfully:


Further Reading #

I wrote a book in which I share everything I know about how to become a better, more efficient programmer.
You can use the search field on my Home Page to filter through all of my articles.