
Amazon Cognito Identity
AWS Cognito Identity Pools API issues temporary AWS credentials to frontend apps — identity federation, guest users, direct AWS resource access.
About this API
Cognito Identity Pools addresses a specific problem: frontend apps want direct access to AWS resources (e.g. S3 upload, DynamoDB write) but cannot embed long-term AWS access keys in app code, where they would leak. An identity pool acts as an "identity exchange" layer: the user logs in via Cognito User Pools, Facebook, or Google and receives a token, and the frontend exchanges that token for temporary AWS credentials (valid for 15 minutes to 12 hours) that it uses to call AWS services. Separate IAM roles for "authenticated" and "guest" users enable fine-grained control (e.g. authenticated users can upload to the user-{id} path, while guests can only read public/). Identity Pools is distinct from User Pools: User Pools is the "user identity store" (registration, login, attributes); Identity Pools is the "AWS credential issuer". The two are typically used together.
What you can build
- Mobile app directly accesses S3/DynamoDB without a backend
- Assign read-only permissions to guest users
- Federate Facebook/Google login to AWS credentials
- Manage authenticated vs. guest user permissions
Strengths & limitations
Strengths
- Frontend obtains AWS short-lived credentials without backend proxy
- Multiple identity providers (Cognito User Pools, Facebook, Google, SAML)
- Fine-grained IAM policy control
Limitations
- Easy to confuse with Cognito User Pools (User Pools is user store, Identity Pools issues credentials)
- Permission design is complex (must write IAM trust policy)
Getting started
Call CreateIdentityPool to create a pool, then configure the authenticated and guest IAM roles. The frontend calls GetCredentialsForIdentity to obtain temporary access keys.
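An added example, not part of the original page and not AWS's own code: a small Python check of the trust policy that the authenticated or guest role needs, confirming that it pins the `aud` claim to one identity pool and the `amr` claim to the intended user class. The pool ID and the helper names are constructed for illustration, and the check assumes the conditions use the `StringEquals` and `ForAnyValue:StringLike` operators.

```python
COGNITO = "cognito-identity.amazonaws.com"

def _values(block, key):
    """Policy values may be a string or a list; normalise to a list."""
    v = block.get(key, [])
    return [v] if isinstance(v, str) else list(v)

def audit_trust_policy(policy, pool_id, expected_amr):
    """Return findings; expected_amr is 'authenticated' or 'unauthenticated'."""
    findings = []
    for n, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if COGNITO not in _values(principal, "Federated"):
            continue  # not a statement that trusts Cognito Identity
        cond = stmt.get("Condition", {})
        aud = _values(cond.get("StringEquals", {}), COGNITO + ":aud")
        amr = _values(cond.get("ForAnyValue:StringLike", {}), COGNITO + ":amr")
        if aud != [pool_id]:
            # Without this, the role is not tied to one identity pool.
            findings.append(f"statement {n}: aud is not pinned to this identity pool")
        if amr != [expected_amr]:
            # Without this, guest and signed-in identities are not told apart.
            findings.append(f"statement {n}: amr is not restricted to '{expected_amr}'")
    return findings

# Constructed sample values, not from a real account.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

def trust_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}

SCOPED = trust_policy({
    "StringEquals": {COGNITO + ":aud": POOL_ID},
    "ForAnyValue:StringLike": {COGNITO + ":amr": "authenticated"},
})
NO_AMR = trust_policy({"StringEquals": {COGNITO + ":aud": POOL_ID}})  # weak
OPEN = trust_policy({})  # weak: no conditions at all

if __name__ == "__main__":
    for name, p in [("scoped", SCOPED), ("no_amr", NO_AMR), ("open", OPEN)]:
        print(name, audit_trust_policy(p, POOL_ID, "authenticated"))
```
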
FAQ
Identity Pools vs. User Pools?
User Pools manages user identity (account store); Identity Pools exchanges identity for temporary AWS credentials. A project typically uses both.
How do I implement guest users?
Configure Identity Pool with "allow unauthenticated identities" — frontend gets credentials without a token (using guest role permissions).
Technical details
- Auth type: unknown
- Pricing: unknown
- Protocols: REST
- SDKs: javascript, swift, kotlin, java, python
- Response time: 60 ms
- Last health check: 6/26/2026, 6:22:15 AM