Rakib

Reputation: 13085

To call AWS SDK APIs using secret key credentials versus using cognito credentials

In the AWS Xamarin SDK docs, the Amazon Cognito Identity API documentation for GetOpenIdTokenForDeveloperIdentity() says in its second paragraph that "You must use AWS Developer credentials to call this API."

Now, the general idea is to try to never expose API secrets & keys in the source code especially if there are other mechanisms available. AWS provides the IAM mechanism so that we can assume a role and then we can define which privileges can be assumed by that role.

But this text mentioned in bold above, does it mean I cannot use IAM roles and/or policies to call those APIs? Does it mean I HAVE TO include my accessKey and secretKey in my application source code?


Edit:

AWS provides the Cognito mechanism through which we can request temporary credentials via

`credentials = new CognitoAWSCredentials ("IDENTITY_POOL_ID", "REGION_NAME");` 

without directly using Developer credentials like the accesskey and secretkey etc.

But this text mentioned in bold above, does it mean I cannot use the credentials obtained via Cognito because these credentials were not produced with Developer credentials?


Trying to figure out this new Cognito thing.

Upvotes: 0

Views: 1259

Answers (1)

Vinay Kushwaha

Reputation: 1797

You can use IAM roles to call this API, the same way you would call any other AWS SigV4 API. The purpose of the text is to emphasize that, unlike the other Cognito unauthenticated APIs (getId, getOpenIdToken, getCredentialsForIdentity), you will need to call GetOpenIdTokenForDeveloperIdentity from your server and with AWS credentials. These credentials can be obtained with an IAM user or IAM roles.

Edit:

Cognito is meant for vending credentials to client-side applications, e.g. mobile apps. Typically credentials are vended after federating with social identity providers, e.g. Facebook, Google, Amazon, etc.

The API 'GetOpenIdTokenForDeveloperIdentity' was introduced to allow you to federate with Cognito using your own authentication system. If you don't have your own authentication system, you should not be using this API. This API is meant to be called from your server-side application. Of course you can use Cognito to get the credentials on the server side and call GetOpenIdTokenForDeveloperIdentity, but that's not what Cognito is meant for. It will be simpler to just use credentials with the help of IAM on the server side.

Upvotes: 2
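The split the answer describes, with the server doing its own authentication and then calling GetOpenIdTokenForDeveloperIdentity under an IAM role while the mobile client only ever receives the identity id and token, as an added example that is not part of the question, the answer, or the AWS SDK. It assumes a constructed identity pool id and developer provider name (placeholders, not real values), a constructed user table standing in for "your own authentication system", and a `FakeCognitoClient` whose method mirrors the shape of boto3's `get_open_id_token_for_developer_identity` so the flow runs offline; `make_cognito_client` shows the real client being built from the default credential chain, which is where an IAM role comes in, with no access key or secret key anywhere in the source.

```python
"""Server-side token vending for Cognito developer-authenticated identities.

Added example, not code from the question, the answer or AWS. The server's AWS
credentials are expected to come from the default credential chain (an IAM role
on EC2/ECS/Lambda, or an environment/profile in development); nothing in this
file holds an access key or secret key.
"""
import hashlib
import hmac
from typing import Any, Dict, Optional

# Placeholders (constructed, not real values): the identity pool id and the
# developer provider name configured on that pool.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
DEVELOPER_PROVIDER_NAME = "login.example.com"
TOKEN_DURATION_SECONDS = 900  # keep vended tokens short-lived (15 minutes)


# --- "Your own authentication system" (constructed stand-in) ---------------
def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the server stores no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt-for-demo"  # a real system uses a per-user salt
USER_DB = {
    "alice": _hash_password("correct horse battery staple", _SALT),
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user id when the password verifies, otherwise None."""
    stored = USER_DB.get(username)
    if stored is None:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return username
    return None


# --- Cognito client --------------------------------------------------------
class FakeCognitoClient:
    """Constructed offline stand-in for boto3's cognito-identity client.

    Mirrors the request/response shape of
    get_open_id_token_for_developer_identity(); it returns obviously fake values.
    """

    def get_open_id_token_for_developer_identity(self, **kw: Any) -> Dict[str, Any]:
        if kw["IdentityPoolId"] != IDENTITY_POOL_ID:
            raise ValueError("unknown identity pool")
        user_id = kw["Logins"][DEVELOPER_PROVIDER_NAME]
        region = IDENTITY_POOL_ID.split(":")[0]
        return {
            "IdentityId": f"{region}:fake-{user_id}",
            "Token": f"fake-oidc-token-for-{user_id}-{kw.get('TokenDuration')}",
        }


def make_cognito_client(region: str = "us-east-1"):
    """Build the real client. boto3 resolves credentials from the default
    chain (environment, profile, or the instance/task IAM role), so the
    server calls this SigV4 API without any key material in source."""
    import boto3  # imported lazily so the offline demo does not require it

    return boto3.client("cognito-identity", region_name=region)


# --- Token vending endpoint logic ------------------------------------------
def vend_token(client: Any, username: str, password: str) -> Dict[str, Any]:
    """Authenticate with our own system, then ask Cognito for an OpenID token
    bound to that user. Only the server runs this; the client gets the result."""
    user_id = authenticate(username, password)
    if user_id is None:
        # Never call Cognito for an unauthenticated caller.
        raise PermissionError("authentication failed")
    resp = client.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER_NAME: user_id},
        TokenDuration=TOKEN_DURATION_SECONDS,
    )
    # Return only what the mobile client needs. The server's AWS credentials
    # are never part of the response.
    return {"identity_id": resp["IdentityId"], "token": resp["Token"]}


if __name__ == "__main__":
    print(vend_token(FakeCognitoClient(), "alice", "correct horse battery staple"))
```

On the Xamarin side the app keeps using `CognitoAWSCredentials("IDENTITY_POOL_ID", "REGION_NAME")` from the question; it sends the user's login to this server endpoint, receives the token, and supplies it to those credentials as the login for the `cognito-identity.amazonaws.com` provider, after which Cognito vends temporary AWS credentials scoped by the pool's authenticated IAM role. The IAM role the server runs under needs only `cognito-identity:GetOpenIdTokenForDeveloperIdentity` on that pool, which keeps the blast radius small if the server is compromised.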
