
Amazon Cognito Identity
AWS Cognito Identity Pools API issues temporary AWS credentials to frontend apps — identity federation, guest users, direct AWS resource access.
About this API
Cognito Identity Pools addresses a specific problem: frontend apps want direct access to AWS resources (e.g. S3 upload, DynamoDB write) but cannot embed long-term AWS access keys in app code, because those keys would leak. An Identity Pool acts as "identity exchange" middleware: the user logs in via Cognito User Pools, Facebook, or Google to get a token; the frontend exchanges that token for temporary AWS credentials (15 minutes to 12 hours) and uses them to call AWS services. Separate IAM roles for "authenticated" and "guest" users enable fine-grained control (e.g. authenticated users can upload to the user-{id} path, while guests can only read public/). This is distinct from User Pools: User Pools is the "user identity store" (registration, login, attributes); Identity Pools is the "AWS credential issuer". The two are typically used together.
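As an added example (not code from this page or from AWS), here is a small Python linter for the trust policies on the authenticated and guest roles described above. It assumes the standard `cognito-identity.amazonaws.com:aud` and `cognito-identity.amazonaws.com:amr` condition keys; the pool ID and sample policies are constructed placeholders, and `lint_trust_policy` is a hypothetical helper name.

```python
import json

PROVIDER = "cognito-identity.amazonaws.com"
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_trust_policy(policy, pool_id, expected_amr):
    """Findings for one role; expected_amr is "authenticated" or "unauthenticated"."""
    findings, matched = [], False
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        principal = st.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or PROVIDER not in federated:
            continue
        matched = True
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            findings.append(f"stmt {i}: action is not sts:AssumeRoleWithWebIdentity")
        cond = st.get("Condition", {})
        # Without an aud pin the role is not tied to this identity pool.
        aud = _as_list(cond.get("StringEquals", {}).get(f"{PROVIDER}:aud", []))
        if aud != [pool_id]:
            findings.append(f"stmt {i}: aud not pinned to {pool_id}")
        # amr separates the authenticated role from the guest role.
        amr = []
        for op in ("ForAnyValue:StringLike", "ForAnyValue:StringEquals"):
            amr += _as_list(cond.get(op, {}).get(f"{PROVIDER}:amr", []))
        if amr != [expected_amr]:
            findings.append(f"stmt {i}: amr is {amr}, expected [{expected_amr!r}]")
    if not matched:
        findings.append(f"no Allow statement trusts {PROVIDER}")
    return findings

def _policy(condition):
    # Constructed sample trust policy; only the Condition block varies.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUTH_ROLE = _policy({
    "StringEquals": {f"{PROVIDER}:aud": POOL_ID},
    "ForAnyValue:StringLike": {f"{PROVIDER}:amr": "authenticated"}})
# Weak: no aud pin, and the role meant for signed-in users has no amr check.
WEAK_ROLE = _policy({})

if __name__ == "__main__":
    for name, pol in (("auth", AUTH_ROLE), ("weak", WEAK_ROLE)):
        print(name, json.dumps(lint_trust_policy(pol, POOL_ID, "authenticated"), indent=2))
```

Run it against the output of `aws iam get-role` for each role attached to the pool, passing "unauthenticated" as the expected value for the guest role.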
What you can build
- Mobile app directly accesses S3/DynamoDB without backend
- Assign read-only permissions to guest users
- Federate Facebook/Google login to AWS credentials
- Manage authenticated vs guest user permissions
Strengths & limitations
Strengths
- Frontend obtains AWS short-lived credentials without backend proxy
- Multiple identity providers (Cognito User Pools, Facebook, Google, SAML)
- Fine-grained IAM policy control
Limitations
- Easy to confuse with Cognito User Pools (User Pools is the user store; Identity Pools issues credentials)
- Permission design is complex (you must write an IAM trust policy)
Example request
curl https://github.com/mermade/aws2openapi/<endpoint>
Getting started
Call CreateIdentityPool to create a pool, then configure the authenticated and guest IAM roles. The frontend calls GetCredentialsForIdentity to obtain temporary access keys.
FAQ
Identity Pools vs. User Pools?
User Pools manages user identity (account store); Identity Pools exchanges identity for temporary AWS credentials. A project typically uses both.
How do I implement guest users?
Configure the Identity Pool with "allow unauthenticated identities"; the frontend then gets credentials without a token, under the guest role's permissions.
Technical details
- Auth type: unknown
- Pricing: unknown
- Protocols: REST
- SDKs: javascript, swift, kotlin, java, python
- Response time: 19 ms
- Last health check: 5/12/2026, 7:36:33 AM