Using Amazon Cognito to access AWS resources from your web application
When a web application accesses AWS resources, hardcoding credentials is a poor idea from a security standpoint: anything embedded in client-side code can be read by anyone who loads the page. The AWS recommended way of doing it is to use Amazon Cognito, an authentication, authorization, and access control service.
In this article, I walk through setting up Amazon Cognito to fetch a file from S3 in a web application.
About Amazon Cognito
Amazon Cognito lets you easily control user authentication and authorization for your web and mobile applications. It provides a mechanism for accessing AWS resources like DynamoDB and S3 from a client-side application. It also lets you integrate your application sign-in with external identity providers like Facebook, Google, and Apple.
Setting up Amazon Cognito
1. In your Amazon console, search for Amazon Cognito and click on Manage Identity Pools.
An identity pool is a group of identities that your application can provide your users with. For our demo, we are going to be reading the S3 file regardless of the user and are not going to be concerned with setting up individual user identities.
2. Enter an identity pool name
3. Enable access to unauthenticated identities
Identity pools allow access control for both authenticated and unauthenticated users. Since we need to fetch the file from S3 regardless of the user, we can enable this option. This lets your web application obtain temporary credentials without authenticating individual users. Keep in mind that anyone who knows the identity pool ID can obtain these unauthenticated credentials, so whatever the unauthenticated role is allowed to do is effectively public.
You can ignore the other settings for the purpose of this demo. Read more about them here.
4. Click Create Pool
5. Set permissions for your identity pool
When creating a pool, Cognito lets you create IAM roles for authenticated and unauthenticated users separately. Edit the unauthenticated IAM role (since we aren’t performing any user authentication) and add permissions for your web app to read S3 data.
Warning: Amazon Cognito does not let you access all AWS resources. There are limitations to the IAM policies that can be added to a Cognito user role. To view all the permitted actions and example policies, check the documentation here.
6. Click Allow to create the roles.
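As an added example (not from the article), this is the shape of permissions policy to attach to the unauthenticated role in step 5: since the credentials are obtainable by anyone, the policy grants only s3:GetObject on the single object the page needs, rather than s3:* or a Resource of *. The bucket name and object key are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnauthenticatedReadOfOneDemoObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/public/demo.json"
    }
  ]
}
```

Cognito generates the role's trust policy itself when you click Allow, limiting sts:AssumeRoleWithWebIdentity to unauthenticated identities from this pool; the permissions policy above is the part you control.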
You are all set up to use Cognito in your application!
Accessing S3 data from your client-side application
Once you have created the identity pool, Cognito gives you an Identity Pool ID that you can use in your client-side application. Your application presents this identity pool ID to Cognito, which exchanges it for temporary credentials issued through AWS STS.
In your web app, import the AWS SDK library and update the AWS config object using the code snippet given by Cognito on identity pool creation. Fetching a file from S3 is standard procedure after this: call the `s3.getObject()` function to fetch a file from an S3 bucket.
References
You can read more about Amazon Cognito in the AWS documentation here.
You might also find it useful to use AWS Amplify alongside Cognito for more sophisticated functionality.