GetCredentialsForIdentity
Returns credentials for the provided identity ID. Any provided logins will be
validated against supported login providers. If the token is for
cognito-identity.amazonaws.com
, it will be passed through to AWS Security Token Service with the appropriate role for the token.
This is a public API. You do not need any credentials to call this API.
Request Syntax
{
"CustomRoleArn": "string
",
"IdentityId": "string
",
"Logins": {
"string
" : "string
"
}
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- CustomRoleArn
-
The Amazon Resource Name (ARN) of the role to be assumed when multiple roles were received in the token from the identity provider. For example, a SAML-based identity provider. This parameter is optional for identity providers that do not support role customization.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Required: No
- IdentityId
-
A unique identifier in the format REGION:GUID.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 55.
Pattern:
[\w-]+:[0-9a-f-]+
Required: Yes
- Logins
-
A set of optional name-value pairs that map provider names to provider tokens. The name-value pair will follow the syntax "provider_name": "provider_user_identifier".
Logins should not be specified when trying to get credentials for an unauthenticated identity.
The Logins parameter is required when using identities associated with external identity providers such as Facebook. For examples of
Logins
maps, see the code examples in the External Identity Providers section of the Amazon Cognito Developer Guide.Type: String to string map
Map Entries: Maximum number of 10 items.
Key Length Constraints: Minimum length of 1. Maximum length of 128.
Value Length Constraints: Minimum length of 1. Maximum length of 50000.
Required: No
Response Syntax
{
"Credentials": {
"AccessKeyId": "string",
"Expiration": number,
"SecretKey": "string",
"SessionToken": "string"
},
"IdentityId": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- Credentials
-
Credentials for the provided identity ID.
Type: Credentials object
- IdentityId
-
A unique identifier in the format REGION:GUID.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 55.
Pattern:
[\w-]+:[0-9a-f-]+
Errors
For information about the errors that are common to all actions, see Common Errors.
- ExternalServiceException
-
An exception thrown when a dependent service such as Facebook or Twitter is not responding
HTTP Status Code: 400
- InternalErrorException
-
Thrown when the service encounters an error during processing the request.
HTTP Status Code: 500
- InvalidIdentityPoolConfigurationException
-
If you provided authentication information in the request, the identity pool has no authenticated role configured, or AWS STS returned an error response to the request to assume the authenticated role from the identity pool. If you provided no authentication information in the request, the identity pool has no unauthenticated role configured, or AWS STS returned an error response to the request to assume the unauthenticated role from the identity pool.
Your role trust policy must grant
AssumeRoleWithWebIdentity
permissions tocognito-identity.amazonaws.com
.HTTP Status Code: 400
- InvalidParameterException
-
Thrown for missing or bad input parameter(s).
HTTP Status Code: 400
- NotAuthorizedException
-
Thrown when a user is not authorized to access the requested resource.
HTTP Status Code: 400
- ResourceConflictException
-
Thrown when a user tries to use a login which is already linked to another account.
HTTP Status Code: 400
- ResourceNotFoundException
-
Thrown when the requested resource (for example, a dataset or record) does not exist.
HTTP Status Code: 400
- TooManyRequestsException
-
Thrown when a request is throttled.
HTTP Status Code: 400
Examples
GetCredentialsForIdentity
The following example shows a GetCredentialsForIdentity
request.
Sample Request
POST / HTTP/1.1
CONTENT-TYPE: application/x-amz-json-1.1
CONTENT-LENGTH: 250
X-AMZ-TARGET: com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.GetCredentialsForIdentity
HOST: <endpoint>
X-AMZ-DATE: 20151020T232759Z
{
"IdentityId":"us-east-1:88b5cc2c-c8c4-4932-a4e5-fc85EXAMPLE"
}
Sample Response
1.1 200 OK
content-length: 1168,
content-type: application/x-amz-json-1.1,
date: Mon, 21 Sep 2015 22:38:52 GMT,
x-amzn-requestid: 8906cbc7-60b1-11e5-9f63-1bfexample,
{
"Credentials":{
"SecretKey":"2gZ8QJQqkAHBzebQmghavFAfgmYpKWRqexample",
"SessionToken":"AQoDYXdzEMf//////////wEasAWDYyZbsv2CTPExziDyYEXAMPLE",
"Expiration":1442877512.0,
"AccessKeyId":"ASIAJIOA37R6EXAMPLE"
},
"IdentityId":"us-east-1:88b5cc2c-c8c4-4932-a4e5-fc85EXAMPLE"
}
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: