AWS.CognitoIdentityCredentials — AWS SDK for JavaScript
We recommend that you migrate to AWS SDK for JavaScript v3. For dates, additional details, and information on how to migrate, please refer to the linked announcement.
Overview
Represents credentials retrieved from STS Web Identity Federation using the Amazon Cognito Identity service.
By default this provider gets credentials using the AWS.CognitoIdentity.getCredentialsForIdentity() service operation, which requires either an IdentityId or an IdentityPoolId (Amazon Cognito Identity Pool ID); the pool ID is used to call AWS.CognitoIdentity.getId() to obtain an IdentityId. If the identity or identity pool is not configured in the Amazon Cognito Console to use IAM roles with the appropriate permissions, then a RoleArn is additionally required, containing the ARN of the IAM trust policy for the Amazon Cognito role that the user will log into. If a RoleArn is provided, then this provider gets credentials using the AWS.STS.assumeRoleWithWebIdentity() service operation, after first getting an OpenID token from AWS.CognitoIdentity.getOpenIdToken().
In addition, if this credential provider is used to provide authenticated login, the Logins map may be set to the tokens provided by the respective identity providers. See constructor() for an example on creating a credentials object with proper property values.
DISCLAIMER: This convenience method leverages the Enhanced (simplified) Authflow. The underlying implementation calls Cognito's getId() and GetCredentialsForIdentity(). In this flow there is no way to explicitly set a session policy, resulting in STS attaching the default policy and limiting the permissions of the federated role. To be able to explicitly set a session policy, do not use this convenience method. Instead, you can use the Cognito client to call getId() and GetOpenIdToken(), and then use that token with your desired session policy to call STS's AssumeRoleWithWebIdentity().
For further reading refer to: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
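The classic flow the disclaimer describes (getId, then GetOpenIdToken, then AssumeRoleWithWebIdentity with an explicit session policy), as an added example that is not part of the SDK documentation. The Cognito and STS clients are injected so the exchange can be inspected: in a real application you would pass AWS.CognitoIdentity and AWS.STS instances from the v2 SDK, whose operations return an object with promise(); the constructed fake clients, identity pool ID, role ARN and tokens below are placeholders so the code runs offline.

```javascript
// Added example, not code from the SDK documentation: the "classic" flow
// (getId -> getOpenIdToken -> assumeRoleWithWebIdentity) with a session policy,
// which AWS.CognitoIdentityCredentials' enhanced flow cannot attach.
// Pass `new AWS.CognitoIdentity({ region })` and `new AWS.STS({ region })` in
// real use; anything whose methods return `{ promise() }` with the same
// request/response shapes works, which is what the constructed fakes do.

// Constructed identifiers, not real resources.
const IDENTITY_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';
const ROLE_ARN = 'arn:aws:iam::123456789012:role/Cognito_Example_Auth_Role';
const LOGINS = { 'graph.facebook.com': 'FAKE_FACEBOOK_ACCESS_TOKEN' };

// A session policy can only narrow what the role already allows: the effective
// permissions are the intersection of the role policy and this document.
const SESSION_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:GetObject'], Resource: ['arn:aws:s3:::example-bucket/public/*'] },
  ],
};

// RoleSessionName only permits [\w+=,.@-] and at most 64 chars; a Cognito
// IdentityId contains ':' so it has to be sanitised before use as a name.
function sessionNameFromIdentityId(identityId) {
  return identityId.replace(/[^\w+=,.@-]/g, '_').slice(0, 64);
}

async function assumeWithSessionPolicy(cognito, sts, opts) {
  const { identityPoolId, logins, roleArn, policy, durationSeconds = 3600 } = opts;
  // 1. Resolve (or create) the identity in the pool for these provider logins.
  const { IdentityId } = await cognito.getId({ IdentityPoolId: identityPoolId, Logins: logins }).promise();
  // 2. Have Cognito mint an OpenID token for that identity.
  const { Token } = await cognito.getOpenIdToken({ IdentityId, Logins: logins }).promise();
  // 3. Exchange the token for role credentials, attaching the session policy.
  const { Credentials } = await sts.assumeRoleWithWebIdentity({
    RoleArn: roleArn,
    RoleSessionName: sessionNameFromIdentityId(IdentityId),
    WebIdentityToken: Token,
    Policy: JSON.stringify(policy),
    DurationSeconds: durationSeconds,
  }).promise();
  return { identityId: IdentityId, credentials: Credentials };
}

// Constructed stand-ins for AWS.CognitoIdentity and AWS.STS so this runs
// offline. They record every request so the exchange can be inspected.
function makeFakeClients() {
  const calls = [];
  const op = (name, respond) => (params) => {
    calls.push({ name, params });
    return { promise: async () => respond(params) };
  };
  const cognito = {
    getId: op('getId', () => ({ IdentityId: 'us-east-1:11111111-2222-3333-4444-555555555555' })),
    getOpenIdToken: op('getOpenIdToken', (p) => ({ IdentityId: p.IdentityId, Token: 'fake.openid.token' })),
  };
  const sts = {
    assumeRoleWithWebIdentity: op('assumeRoleWithWebIdentity', (p) => ({
      Credentials: {
        AccessKeyId: 'ASIAFAKEACCESSKEY',
        SecretAccessKey: 'fake-secret',
        SessionToken: 'fake-session-token',
        Expiration: new Date(Date.now() + p.DurationSeconds * 1000),
      },
    })),
  };
  return { cognito, sts, calls };
}

// Runs the whole exchange against the fakes and returns what happened.
async function demo() {
  const { cognito, sts, calls } = makeFakeClients();
  const result = await assumeWithSessionPolicy(cognito, sts, {
    identityPoolId: IDENTITY_POOL_ID, logins: LOGINS, roleArn: ROLE_ARN, policy: SESSION_POLICY,
  });
  return { result, calls };
}

demo()
  .then(({ result, calls }) => console.log(result.identityId, calls.map((c) => c.name).join(' -> ')))
  .catch(console.error);
```

The policy string is passed verbatim in the Policy parameter, so anything the role policy does not already grant stays denied; the sanitised RoleSessionName is what later shows up in CloudTrail for these credentials.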
Refreshing Credentials from Identity Service
In addition to AWS credentials expiring after a given amount of time, the login token from the identity provider will also expire. Once this token expires, it will not be usable to refresh AWS credentials, and another token will be needed. The SDK does not manage refreshing of the token value, but this can be done through a "refresh token" supported by most identity providers. Consult the documentation for the identity provider for refreshing tokens. Once the refreshed token is acquired, you should make sure to update this new token in the credentials object's params property. The following code will update the WebIdentityToken, assuming you have retrieved an updated token from the identity provider:
AWS.config.credentials.params.Logins['graph.facebook.com'] = updatedToken;
Future calls to credentials.refresh() will now use the new token.
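A way to keep the provider token in params.Logins current before the SDK refreshes AWS credentials, as an added example that is not part of the SDK documentation. It uses only the surface this page documents (params.Logins, needsRefresh(), refreshPromise()), so a real AWS.CognitoIdentityCredentials instance can be passed in; the credentials object, the JWT-shaped tokens and the fetchNewLoginToken callback below are constructed stand-ins for the identity provider's own refresh-token exchange.

```javascript
// Added example, not code from the SDK documentation: replace an expired (or
// soon-expiring) identity-provider token in credentials.params.Logins, then
// let the SDK refresh AWS credentials when they need it. `fetchNewLoginToken`
// stands for whatever refresh-token exchange your provider offers (assumed).

// Read the exp claim of a JWT without verifying it; we only use it to decide
// whether the token is worth sending again (verification is the provider's and
// Cognito's job). Returns ms since epoch, or null for non-JWT/opaque tokens.
function jwtExpiresAt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp * 1000 : null;
  } catch {
    return null;
  }
}

// Stale = missing, expired, expiring within skewMs, or of unknown expiry
// (opaque tokens are replaced rather than risk a failed refresh later).
function loginTokenIsStale(token, { skewMs = 60000, now = Date.now } = {}) {
  const expiresAt = token ? jwtExpiresAt(token) : null;
  return expiresAt === null || expiresAt - skewMs <= now();
}

async function refreshWithLogins(credentials, provider, fetchNewLoginToken, opts = {}) {
  const logins = credentials.params.Logins || (credentials.params.Logins = {});
  let replacedLoginToken = false;
  if (loginTokenIsStale(logins[provider], opts)) {
    // The same update the text shows: credentials.params.Logins[provider] = updatedToken
    logins[provider] = await fetchNewLoginToken();
    replacedLoginToken = true;
  }
  // Only talk to Cognito/STS when the AWS credentials themselves need it; the
  // next refresh, now or later, picks up the new Logins entry.
  let refreshedAwsCredentials = false;
  if (credentials.needsRefresh()) {
    await credentials.refreshPromise();
    refreshedAwsCredentials = true;
  }
  return { replacedLoginToken, refreshedAwsCredentials };
}

// --- Constructed test doubles so the example runs without AWS or a provider ---

// header.payload.signature with an empty signature: enough for jwtExpiresAt,
// which never checks the signature anyway.
function unsignedJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}

// Mimics the parts of AWS.CognitoIdentityCredentials this code touches and
// records the Logins map seen by each refresh.
function fakeCredentials(logins, awsExpired) {
  const refreshes = [];
  return {
    params: { IdentityPoolId: 'us-east-1:00000000-0000-0000-0000-000000000000', Logins: { ...logins } },
    expired: awsExpired,
    needsRefresh() { return this.expired; },
    async refreshPromise() { refreshes.push({ ...this.params.Logins }); this.expired = false; },
    refreshes,
  };
}

async function demo() {
  const provider = 'graph.facebook.com'; // the Logins key used in the text above
  const nowSec = Math.floor(Date.now() / 1000);
  const stale = fakeCredentials({ [provider]: unsignedJwt({ sub: 'u1', exp: nowSec - 10 }) }, true);
  const fresh = fakeCredentials({ [provider]: unsignedJwt({ sub: 'u1', exp: nowSec + 3600 }) }, false);
  const fetchNewLoginToken = async () => unsignedJwt({ sub: 'u1', exp: nowSec + 3600 });
  return {
    stale: { outcome: await refreshWithLogins(stale, provider, fetchNewLoginToken), refreshes: stale.refreshes, logins: stale.params.Logins },
    fresh: { outcome: await refreshWithLogins(fresh, provider, fetchNewLoginToken), refreshes: fresh.refreshes },
  };
}

demo()
  .then((r) => console.log(JSON.stringify(r.stale.outcome), JSON.stringify(r.fresh.outcome)))
  .catch(console.error);
```

Decoding exp is only a hint to avoid a round trip with a token Cognito would reject; the provider token is still validated by Cognito on the refresh itself, and clearCachedId() remains the tool for the separate case of a deleted identity pool.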
Constructor Summary
- new AWS.CognitoIdentityCredentials(params, clientConfig) ⇒ void constructor
Creates a new credentials object.
Property Summary
- data ⇒ map readwrite
- identityId ⇒ String readwrite
- params ⇒ map readwrite
Properties inherited from AWS.Credentials
expired, expireTime, accessKeyId, secretAccessKey, sessionToken, expiryWindow
Method Summary
- clearCachedId() ⇒ void
Clears the cached Cognito ID associated with the currently configured identity pool ID.
- refresh(callback) ⇒ void
Methods inherited from AWS.Credentials
needsRefresh, get, getPromise, refreshPromise
Constructor Details
new AWS.CognitoIdentityCredentials(params, clientConfig) ⇒ void
Note:
If a region is not provided in the global AWS.config, or specified in the clientConfig passed to the CognitoIdentityCredentials constructor, you may encounter a 'Missing credentials in config' error when making a service call.
Creates a new credentials object.
Property Details
data ⇒ map
identityId ⇒ String
params ⇒ map
Method Details
clearCachedId() ⇒ void
Clears the cached Cognito ID associated with the currently configured identity pool ID. Use this to manually invalidate your cache if the identity pool ID was deleted.