Amazon AWS Cognito Identity Pool Region - amazon-web-services

Some days ago I created an Identity Pool. My region is eu-west-1.
And today I don't know how to see the information relative to this:
when I go to the Amazon Cognito console, it tells me:
Region not supported
Cognito User Pools are currently only available in US East (Virginia).
And after that it only proposes that I create a new User Pool.
So why does the console tell me that Cognito is only available in US East, even though I could create a pool for my region, which is EU West, and how can I access my identity pool?

When you enter Cognito Console, you should select 'Manage Federated Identities' and not 'Manage User Pools' to see your identity pools.
Cognito User Pools is a new service that allows you to easily provide sign up and sign in functionality to your users and is only available in us-east-1.

Related

Difference between "Identity providers" and "authentication providers"

I don't get the difference between the User Pools > Identity providers and
Federated Identities > Authentication providers.
Can someone explain?
Identity pools (Federated identities) allow you to grant users authenticated by third parties (e.g. login with Google) temporary IAM credentials to use your AWS resources in a limited way. Identity pools are free of cost and you only pay for the resources your users use via the IAM credentials.
User pools allow you to store your own users; they can sign up directly to the user pool and do not have to use a third-party provider like Google or Facebook. Confusingly, user pools also have a 'federation' option (Identity providers), but this will actually create externally federated users in the pool. User pools provide OpenID tokens (access, id, refresh), not IAM credentials, which you can use with your own endpoints (ec2, fargate, api-gateway). User pools have costs associated with them based on the active users per month.

Create AWS IAM users based on e-mail domain

I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using it with Microsoft Exchange hosted email.
If your existing identity provider supports SAML2 Federation, you can set it up to login to the AWS Management Console.
For more details refer to Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Else you can implement a custom Federation Broker to return a URL to the user, after they authenticate with their corporate credentials.
For more details refer to Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
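The custom federation broker flow the answer above points to has two URL-building steps: the broker exchanges temporary STS credentials for a SigninToken at the federation endpoint, then hands the user a login URL carrying that token. The following is an added example (not code from the thread or from AWS) that builds both URLs with only the standard library; the credential values are constructed placeholders, and the `SessionDuration` handling assumes the credentials came from AssumeRole. It performs no network calls, so the broker's HTTP request to the first URL is left to the caller.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint documented by AWS for console federation; the Action parameter
# selects between "getSigninToken" and "login".
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def build_signin_token_request(access_key, secret_key, session_token,
                               duration_seconds=None):
    """URL the broker fetches SERVER-SIDE to turn temporary STS credentials
    into a SigninToken. The secret key travels only between the broker and
    AWS; the browser never sees this URL.

    duration_seconds is only meaningful for AssumeRole credentials
    (assumption from the AWS docs); leave it None for GetFederationToken.
    """
    session = json.dumps({
        "sessionId": access_key,
        "sessionKey": secret_key,
        "sessionToken": session_token,
    })
    params = {"Action": "getSigninToken", "Session": session}
    if duration_seconds is not None:
        params["SessionDuration"] = duration_seconds
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def build_console_login_url(signin_token, issuer,
                            destination="https://console.aws.amazon.com/"):
    """URL handed to the user's browser after the broker obtained a
    SigninToken. Issuer is where the console sends the user when the
    session expires; Destination is the console page to open."""
    params = {
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    }
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def parse_federation_url(url):
    """Decode a federation URL back into its parameters (used here to check
    what was built; the embedded Session JSON is decoded into a dict)."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "Session" in params:
        params["Session"] = json.loads(params["Session"])
    return params


if __name__ == "__main__":
    # Constructed placeholder credentials; a real broker gets these from STS
    # after validating the corporate login (e.g. the Exchange-backed flow).
    req = build_signin_token_request("ASIAEXAMPLEKEYID", "exampleSecretKey",
                                     "exampleSessionToken", 3600)
    print("broker -> AWS:", req)
    # The JSON body of the GET above contains {"SigninToken": "..."}; a
    # constructed value stands in for it here.
    print("user -> console:", build_console_login_url(
        "constructedSigninToken", "https://sso.example.com",
        "https://console.aws.amazon.com/ec2/"))
```

Because the first URL embeds the session key, a broker should only ever issue it over TLS from the server side and should log the Destination/Issuer, never the Session parameter.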

Add AWS IAM users to AWS Cognito Pool

I'm a newbie to AWS. I'm building an application where the users should be logged in via an AWS account.
So I created a user pool and authenticated via the AWS SDK using the federated identities. But the users were created manually in the Cognito UI. But the requirement is to authenticate the user if they already reside in AWS as an IAM user. But AWS Cognito does not provide a workflow to import the IAM users to a Cognito pool. So is there another way to accomplish this via AWS? Thanks in advance.
This is currently not possible. Although AWS Cognito Federated Identities allows federating an external identity provider to grant AWS access, the other way around is not possible.
In addition, there is no method in AWS IAM SDK to verify AWS Username and Password, which also limits verifying them through your own implementation.

Restrict IoT Topic By User Attribute

I am working on a proof of concept using Amazon Cognito and AWS IoT and I need some help. I have everything working, I just need to lock things down. My Cognito User Pool is the only authentication provider I have for my Identity Pool.
I would like to restrict the IoT topics that can be subscribed to based on a custom attribute for the user in my User Pool. Is that possible with the IAM roles? I already can restrict it by entering the topic filter in a role, I just need to know if there is a variable I can use there.
For my use-case the application can have several organizations using the application, with each being completely separated from each other but using the same code and infrastructure. I am hoping I can specify the organization id on the users and then require all topics to have the user's organization id at the start.
I think what I am looking for is way beyond what IAM roles can do, but I want to check first.
Custom attributes are not exposed as policy variables in IAM policies directly.
I think you can use the Group support in Cognito User Pools for this. You can assign users from different organizations to the group for that organization. The IAM role assigned to each of these groups can be the role with your locked down IoT policy.
Using the Federated Identities and User Pools integration you can get temporary AWS credentials for your users. Using the role-based access control feature in Cognito Federated Identities will make sure that the credentials are assumed using the role assigned to the Cognito User Pools group to which the user belongs.
Hope this helps.
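The group-per-organization design in the answer above comes down to one IAM role per group, each carrying an IoT policy whose resources are pinned to that organization's topic prefix. The following is an added example (not from the thread or from AWS) that generates such a policy document and includes a small evaluator so the restriction can be checked offline before the role is deployed. The region, account id and organization names are constructed placeholders; the evaluator implements only the subset of IAM matching needed here (exact action names, `*` and `?` in resource ARNs, explicit Deny wins) and is not a full policy engine.

```python
import json
import re


def iot_policy_for_org(region, account_id, org_id):
    """IAM policy for the role mapped to one organization's User Pool group.
    Every topic and topic filter must begin with '<org_id>/', so a
    subscription to '#' or to another organization's prefix is outside the
    allowed resources."""
    base = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{base}:client/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{base}:topicfilter/{org_id}/*"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{base}:topic/{org_id}/*"},
        ],
    }


def _arn_matches(pattern, arn):
    # IAM resource matching: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Minimal evaluator: an explicit Deny on a matching statement wins,
    otherwise the request is allowed only if some Allow statement matches
    both the action and the resource. Action wildcards are not supported."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(_arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_subscribe(policy, region, account_id, topic_filter):
    """Would a subscribe to this MQTT topic filter pass the IAM policy?"""
    arn = f"arn:aws:iot:{region}:{account_id}:topicfilter/{topic_filter}"
    return is_allowed(policy, "iot:Subscribe", arn)


if __name__ == "__main__":
    # Constructed sample: one role per group, keyed by the group's org id.
    region, account = "eu-west-1", "123456789012"
    policy = iot_policy_for_org(region, account, "acme")
    print(json.dumps(policy, indent=2))
    for f in ["acme/devices/+/status", "acme/#", "#", "globex/devices/1", "acme2/x"]:
        print(f"{f:25} -> {'allow' if can_subscribe(policy, region, account, f) else 'deny'}")
```

Keeping the organization id out of policy variables and inside the topic prefix is what makes this work without custom-attribute support: the role mapping chosen by the identity pool's role-based access control decides which prefix the credentials can touch. Note that AWS IoT also requires an IoT policy attached to authenticated Cognito identities; the same resource prefixes apply there.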

Amazon Cognito region vs AWS Console region

Why does Amazon Cognito have its own region? And does the region for Amazon Cognito need to be the same as the region I have set in the AWS Console?
Like other AWS services, Cognito is available as a service in multiple regions. To access the service, you have to supply which region of it you want to access. Data for users in each region is only available for that region - if I were to create an identity inside an identity pool configured in us-east-1, I wouldn't be able to access it if I supplied region eu-west-1.
Specifically, for Cognito identity, it tracks each identity id vended and any public provider information possibly used by that identity to know if anything it is given is a valid identifier of the user.
For Cognito sync, it manages the sync data/metadata for each identity.
Yes, the region in which you configure your Cognito identity pool in the console needs to be the same as the one you give the client.
If you're using Cognito identity to get credentials for a resource in another region, that's totally supported. Credentials vended from one region can be used from another.
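The two rules in the answer above (the client must talk to the region the identity pool lives in, but the credentials it receives may be used against resources in any region) can be enforced from the identity pool id itself, which carries its region as a prefix. The following is an added example, not code from the thread or from AWS: a small stdlib-only check that derives the pool's region from a constructed pool id, flags a mismatched client region, and returns the region each client should be created in. The boto3 calls appear only as commented usage in the main block.

```python
import re

# Identity pool ids have the form "<region>:<uuid>", e.g.
# "eu-west-1:00000000-0000-0000-0000-000000000000".
_POOL_ID = re.compile(r"^(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):[0-9a-f-]{36}$")


def identity_pool_region(identity_pool_id):
    """Region prefix of an identity pool id; raises on malformed input."""
    m = _POOL_ID.match(identity_pool_id)
    if not m:
        raise ValueError(f"not an identity pool id: {identity_pool_id!r}")
    return m.group("region")


def region_matches(identity_pool_id, client_region):
    """True only if the cognito-identity client targets the pool's region.
    A mismatch is the classic cause of ResourceNotFoundException: the pool
    exists, but not in the region the client is asking."""
    return identity_pool_region(identity_pool_id) == client_region


def client_regions(identity_pool_id, resource_region):
    """Which region each client should use: Cognito Identity is pinned to the
    pool's region, while the service the vended credentials are used for
    (S3, IoT, ...) can live anywhere."""
    return {
        "cognito-identity": identity_pool_region(identity_pool_id),
        "resource": resource_region,
    }


if __name__ == "__main__":
    # Constructed pool id and a deliberately mismatched client region.
    pool_id = "eu-west-1:00000000-0000-0000-0000-000000000000"
    print("client in us-east-1 ok?", region_matches(pool_id, "us-east-1"))
    regions = client_regions(pool_id, "ap-northeast-1")
    print(regions)
    # With boto3 installed the same split looks like:
    #   ci = boto3.client("cognito-identity", region_name=regions["cognito-identity"])
    #   creds = ci.get_credentials_for_identity(IdentityId=...)["Credentials"]
    #   s3 = boto3.client("s3", region_name=regions["resource"],
    #                     aws_access_key_id=creds["AccessKeyId"],
    #                     aws_secret_access_key=creds["SecretKey"],
    #                     aws_session_token=creds["SessionToken"])
```

Running the check at application start-up turns a confusing "pool not found" error into a clear configuration message before any credential request is made.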
Amazon Cognito is only available in 3 regions as of right now. They are US East (N. Virginia), EU (Ireland) and Asia Pacific (Tokyo). But I had a region other than one of these in console.aws.com. But now that I tried to create a Cognito identity at console.aws.amazon.com/cognito, I had to choose one of the regions listed above; it is only supported in a subset of console.aws.com regions.
To answer the more important part of my question, whether it is OK to choose a different region here while Beanstalk is set up to serve your application from a different region: the answer is Yes. That is how I have it set up right now.