Class: AWS.CognitoIdentityCredentials
Inherits: AWS.Credentials (Object > AWS.Credentials > AWS.CognitoIdentityCredentials)
Defined in: lib/credentials/cognito_identity_credentials.js
Overview
Represents credentials retrieved from STS Web Identity Federation using the Amazon Cognito Identity service.
By default this provider gets credentials using the AWS.CognitoIdentity.getCredentialsForIdentity() service operation, which requires either an IdentityId or an IdentityPoolId (Amazon Cognito Identity Pool ID), which is used to call AWS.CognitoIdentity.getId() to obtain an IdentityId. If the identity or identity pool is not configured in the Amazon Cognito Console to use IAM roles with the appropriate permissions, then additionally a RoleArn is required containing the ARN of the IAM trust policy for the Amazon Cognito role that the user will log into. If a RoleArn is provided, then this provider gets credentials using the AWS.STS.assumeRoleWithWebIdentity() service operation, after first getting an Open ID token from AWS.CognitoIdentity.getOpenIdToken().
In addition, if this credential provider is used to provide authenticated login, the Logins map may be set to the tokens provided by the respective identity providers. See constructor() for an example on creating a credentials object with proper property values.
DISCLAIMER: This convenience method leverages the Enhanced (simplified) Authflow. The underlying implementation calls Cognito's getId() and GetCredentialsForIdentity(). In this flow there is no way to explicitly set a session policy, resulting in STS attaching the default policy and limiting the permissions of the federated role. To be able to explicitly set a session policy, do not use this convenience method. Instead, you can use the Cognito client to call getId() and GetOpenIdToken(), and then use that token with your desired session policy to call STS's AssumeRoleWithWebIdentity().
For further reading refer to: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
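The overview above refers to a constructor example with "proper property values" but the page does not carry one. The following is an added example (not code from the AWS SDK or its documentation) showing how the params and clientConfig for AWS.CognitoIdentityCredentials are assembled: IdentityPoolId plus the region (the constructor note on this page warns that a missing region surfaces later as a 'Missing credentials in config' error), an optional Logins map for the authenticated role, and RoleArn only when the pool is not configured with IAM roles. The helper names buildCognitoCredentialsConfig and createCognitoCredentials, the pool-ID pattern check and the placeholder identifiers are assumptions of this example; the AWS namespace is injected so the builder can be exercised without the SDK installed.

```javascript
// Added example, not from the AWS SDK docs. Assembles and sanity-checks the
// arguments for new AWS.CognitoIdentityCredentials(params, clientConfig).
// Pool id, region and provider names used in comments are placeholders.

// Identity pool ids have the form "<region>:<uuid>"; the region prefix must
// match the region the Cognito client is configured with (assumed check).
const POOL_ID_RE =
  /^([a-z]{2}(?:-gov)?-[a-z]+-\d+):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Returns { params, clientConfig } or throws on obvious misconfiguration.
// Omit `logins` to get the pool's unauthenticated role; supply
// provider -> token pairs (e.g. 'graph.facebook.com') for the authenticated
// role. Both roles should carry least-privilege IAM policies.
function buildCognitoCredentialsConfig({ identityPoolId, region, logins, roleArn }) {
  const m = POOL_ID_RE.exec(identityPoolId || '');
  if (!m) throw new Error('IdentityPoolId must look like <region>:<uuid>');
  if (!region) throw new Error('region is required (otherwise "Missing credentials in config")');
  if (m[1] !== region) {
    throw new Error(`pool region ${m[1]} does not match client region ${region}`);
  }
  const params = { IdentityPoolId: identityPoolId };
  if (logins) {
    for (const [provider, token] of Object.entries(logins)) {
      if (typeof token !== 'string' || token.length === 0) {
        throw new Error(`Logins['${provider}'] must be a non-empty provider token`);
      }
    }
    params.Logins = { ...logins };
  }
  // RoleArn switches the provider to the getOpenIdToken + assumeRoleWithWebIdentity
  // path; only needed when the pool itself is not configured with IAM roles.
  if (roleArn) params.RoleArn = roleArn;
  return { params, clientConfig: { region } };
}

// Construct the credentials provider. `AWS` is passed in (normally
// require('aws-sdk')) so this function is testable without the SDK.
function createCognitoCredentials(AWS, options) {
  const { params, clientConfig } = buildCognitoCredentialsConfig(options);
  return new AWS.CognitoIdentityCredentials(params, clientConfig);
}

// Typical wiring in an application (not executed here):
// const AWS = require('aws-sdk');
// AWS.config.credentials = createCognitoCredentials(AWS, {
//   identityPoolId: 'us-east-1:00000000-0000-0000-0000-000000000000', // placeholder
//   region: 'us-east-1',
//   logins: { 'graph.facebook.com': facebookAccessToken }, // token from the IdP
// });
```

Calling createCognitoCredentials with the real aws-sdk namespace returns an AWS.CognitoIdentityCredentials instance ready to be assigned to AWS.config.credentials; the builder rejects a pool id whose region prefix disagrees with the client region before any network call is made.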
Refreshing Credentials from Identity Service
In addition to AWS credentials expiring after a given amount of time, the login token from the identity provider will also expire. Once this token expires, it will not be usable to refresh AWS credentials, and another token will be needed. The SDK does not manage refreshing of the token value, but this can be done through a "refresh token" supported by most identity providers. Consult the documentation for the identity provider for refreshing tokens. Once the refreshed token is acquired, you should make sure to update this new token in the credentials object's params property. The following code will update the WebIdentityToken, assuming you have retrieved an updated token from the identity provider:
AWS.config.credentials.params.Logins['graph.facebook.com'] = updatedToken;
Future calls to credentials.refresh() will now use the new token.
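The paragraph above leaves token rotation to the application. As an added example (not code from the AWS SDK or its documentation), the block below decides when the identity provider token is about to expire and installs the replacement in params.Logins before calling refresh(), as the text describes. It assumes the provider token is a JWT carrying an exp claim, that the credentials object exposes the params, expired and refresh(callback) members listed on this page, and it uses helper names (jwtExpiryMs, idpTokenNeedsRefresh, rotateLoginToken, makeConstructedJwt) that are this example's own. The JWT it builds for demonstration is unsigned and constructed; the exp claim is read only to schedule a refresh, never to make a trust decision, which stays with Cognito and STS.

```javascript
// Added example, not from the AWS SDK docs: rotate the identity-provider token
// in credentials.params.Logins and force the AWS credentials to be refetched.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the `exp` claim (seconds since epoch) of a JWT and return it in ms.
// The signature is NOT verified here; this value only schedules a refresh.
function jwtExpiryMs(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.exp !== 'number') throw new Error('JWT has no exp claim');
  return payload.exp * 1000;
}

// True when the provider token has expired or expires within `skewMs`.
function idpTokenNeedsRefresh(token, nowMs = Date.now(), skewMs = 5 * 60 * 1000) {
  return jwtExpiryMs(token) - nowMs <= skewMs;
}

// Install `newToken` for `provider` (e.g. 'graph.facebook.com') and refresh
// the AWS credentials with it. Resolves with the credentials object.
function rotateLoginToken(credentials, provider, newToken) {
  if (idpTokenNeedsRefresh(newToken)) {
    return Promise.reject(new Error('refused to install an already-expired provider token'));
  }
  credentials.params.Logins = credentials.params.Logins || {};
  credentials.params.Logins[provider] = newToken;
  // Mark the cached AWS credentials stale so later get() calls also refetch,
  // then refresh explicitly as the docs describe.
  credentials.expired = true;
  return new Promise((resolve, reject) => {
    credentials.refresh((err) => (err ? reject(err) : resolve(credentials)));
  });
}

// Constructed, unsigned sample token for offline demonstration only.
function makeConstructedJwt(expSeconds) {
  const header = base64UrlEncode({ alg: 'none', typ: 'JWT' });
  const body = base64UrlEncode({ sub: 'constructed-user', exp: expSeconds });
  return `${header}.${body}.`;
}
```

In an application the provider token obtained through the identity provider's own refresh-token flow is passed straight to rotateLoginToken(AWS.config.credentials, provider, token); checking idpTokenNeedsRefresh() on a timer lets the rotation happen before the provider token lapses rather than after a failed refresh().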
Constructor Summary
- new AWS.CognitoIdentityCredentials(params, clientConfig) ⇒ void (constructor): Creates a new credentials object.
Property Summary
- data ⇒ map (readwrite): The raw data response from the call to AWS.CognitoIdentity.getCredentialsForIdentity(), or AWS.STS.assumeRoleWithWebIdentity().
- identityId ⇒ String (readwrite): The Cognito ID returned by the last call to AWS.CognitoIdentity.getOpenIdToken().
- params ⇒ map (readwrite): The map of params passed to AWS.CognitoIdentity.getId(), AWS.CognitoIdentity.getOpenIdToken(), and AWS.STS.assumeRoleWithWebIdentity().
Properties inherited from AWS.Credentials: expired, expireTime, accessKeyId, secretAccessKey, sessionToken, expiryWindow
Method Summary
- clearCachedId() ⇒ void: Clears the cached Cognito ID associated with the currently configured identity pool ID.
- refresh(callback) ⇒ void: Refreshes credentials using AWS.CognitoIdentity.getCredentialsForIdentity(), or AWS.STS.assumeRoleWithWebIdentity().
Methods inherited from AWS.Credentials: needsRefresh, get, getPromise, refreshPromise
Constructor Details
new AWS.CognitoIdentityCredentials(params, clientConfig) ⇒ void
Creates a new credentials object.
Note: If a region is not provided in the global AWS.config, or specified in the clientConfig passed to the CognitoIdentityCredentials constructor, you may encounter a 'Missing credentials in config' error when making a service call.
Property Details
data ⇒ map (readwrite)
Returns the raw data response from the call to AWS.CognitoIdentity.getCredentialsForIdentity(), or AWS.STS.assumeRoleWithWebIdentity(). Use this if you want to get access to other properties from the response.
identityId ⇒ String (readwrite)
Returns the Cognito ID returned by the last call to AWS.CognitoIdentity.getOpenIdToken(). This ID represents the actual final resolved identity ID from Amazon Cognito.
params ⇒ map (readwrite)
Returns the map of params passed to AWS.CognitoIdentity.getId(), AWS.CognitoIdentity.getOpenIdToken(), and AWS.STS.assumeRoleWithWebIdentity(). To update the token, set the params.WebIdentityToken property.
Method Details
clearCachedId() ⇒ void
Clears the cached Cognito ID associated with the currently configured identity pool ID. Use this to manually invalidate your cache if the identity pool ID was deleted.
refresh(callback) ⇒ void
Refreshes credentials using AWS.CognitoIdentity.getCredentialsForIdentity(), or AWS.STS.assumeRoleWithWebIdentity().