MyStackRunnethOver

Reputation: 5285

AWS Cognito Identity Pool: AWS Credentials Expiration / Renewal

I'm building an AWS-backed site which, broadly speaking, does the following:

  1. Authenticates a user against a Cognito User Pool (the pool is backed by a third-party SAML provider), giving them tokens.
  2. Uses a Cognito Identity Pool to grant the user credentials for use with other services.
  3. Lets the user perform a series of long-running S3 uploads, directly from the front-end S3 client, using the credentials from above.

I'm trying to get clarity on the interactions I will have to have with tokens and credentials. I'm pretty clear on what I have to do with the tokens I get from the user pool:

  1. I can use them to call the Identity Pool, and get AWS credentials I can use for S3.
  2. I can use the refresh token to refresh the other tokens if they expire before I'm done.

The expiration details for these tokens are in the link above. The documentation is pretty clear on all of the above, but I'm confused about the Identity Pool credential functionality, and haven't been able to find explanations in the docs on the following questions:

  1. When I get AWS credentials from my Identity Pool, how long will they last before expiring? How can I configure this value, so that my CognitoIdentityCredentials gives me credentials with my desired expiration?
  2. If my AWS credentials expire before I'm done with my work, what's the right logic for attempting to 1. refresh the credentials and 2. if that fails, refresh the user pool tokens, so as to be able to complete the operation cleanly without making the user restart it?

Upvotes: 2

Views: 2351

Answers (1)

Ninad Gaikwad

Reputation: 4480

The user pool is only for user management. Any interaction that the user has with AWS services and resources is done via the Identity Pool. You assign the roles via the Identity Pool. To answer your 2 specific questions:

  1. Tokens last for 1 hour. This duration is fixed and cannot be changed.
  2. If your tokens expire you can use the refresh token to generate new identity and access tokens. However, most of the front-end SDKs (even JavaScript) do this automatically for you. You don't have to worry about tokens expiring. In fact, you will have to forcefully invalidate them if you have that requirement.

Upvotes: 2
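An added example (not code from the question or the answer, and not the AWS SDK itself) of the refresh logic the second question asks about, built around one-hour identity pool credentials as the answer states. The two AWS SDK calls it would wrap, `AWS.CognitoIdentityCredentials.refresh()` against the identity pool and `CognitoUser.refreshSession()` against the user pool, are injected as functions so the control flow runs offline against constructed mocks (a fake clock, user pool, identity pool and S3). The five-minute refresh margin, the error codes the mocks raise (`NotAuthorizedException` from the identity pool, `ExpiredToken` from S3) and all names are assumptions of the example:

```javascript
// Added example, not code from the question, the answer or the AWS SDK: the credential
// lifecycle for Cognito Identity Pool credentials driving a long series of browser S3
// uploads. The SDK calls it would wrap are injected as functions so it runs offline;
// the mocks at the bottom are constructed for this illustration.

const CREDENTIAL_TTL_MS = 60 * 60 * 1000; // identity pool credentials: 1 hour (per the answer)
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // assumption: renew 5 minutes before expiry

class ReauthenticationRequired extends Error {}

class CredentialManager {
  // now(): epoch ms.
  // fetchCredentials(idToken): Promise<{..., expiration}>; stands in for
  //   AWS.CognitoIdentityCredentials.refresh() with Logins = { <userPoolProvider>: idToken }.
  // refreshSession(): Promise<newIdToken>; stands in for CognitoUser.refreshSession()
  //   on the user pool, which is driven by the refresh token.
  constructor({ now, fetchCredentials, refreshSession, idToken }) {
    Object.assign(this, { now, fetchCredentials, refreshSession, idToken });
    this.creds = null;
    this.stats = { credentialFetches: 0, sessionRefreshes: 0 };
  }

  needsRefresh() {
    return !this.creds || this.creds.expiration - this.now() <= REFRESH_MARGIN_MS;
  }

  async getCredentials() {
    if (!this.needsRefresh()) return this.creds;
    try {
      this.creds = await this.fetch();
    } catch (err) {
      if (err.code !== 'NotAuthorizedException') throw err;
      // The identity pool rejected the (expired) id token: refresh the user pool session
      // and retry once. If that fails too, the refresh token is dead and only a fresh
      // login can continue, so surface that to the caller instead of looping.
      try {
        this.idToken = await this.refreshSession();
        this.stats.sessionRefreshes++;
      } catch (e) {
        throw new ReauthenticationRequired(`refresh token rejected: ${e.message}`);
      }
      this.creds = await this.fetch();
    }
    return this.creds;
  }

  async fetch() {
    this.stats.credentialFetches++;
    return this.fetchCredentials(this.idToken);
  }

  invalidate() { this.creds = null; }
}

// Upload parts one at a time, checking credentials before every part and retrying a part
// once if S3 itself reports the credentials as expired (revocation, clock skew).
async function uploadAll(parts, manager, uploadPart) {
  let expiredTokenRetries = 0;
  for (const part of parts) {
    try {
      await uploadPart(part, await manager.getCredentials());
    } catch (err) {
      if (err.code !== 'ExpiredToken') throw err;
      manager.invalidate();
      expiredTokenRetries++;
      await uploadPart(part, await manager.getCredentials());
    }
  }
  return { uploaded: parts.length, expiredTokenRetries };
}

// ---- constructed mocks: fake clock, user pool, identity pool and S3 (not real services) ----
function runScenario({ partCount = 15, partMs = 10 * 60 * 1000, idTokenTtlMs = 60 * 60 * 1000,
                       refreshTokenValid = true, revokeAtPart = -1 } = {}) {
  let clock = 0, serial = 0, revoked = false;
  const issuedAt = new Map();
  const issueIdToken = () => { const t = `id-token-${++serial}`; issuedAt.set(t, clock); return t; };
  const fail = (code, message) => Object.assign(new Error(message), { code });
  const manager = new CredentialManager({
    now: () => clock,
    idToken: issueIdToken(),
    fetchCredentials: async (idToken) => {
      if (clock - issuedAt.get(idToken) >= idTokenTtlMs) throw fail('NotAuthorizedException', 'Invalid login token');
      return { accessKeyId: `AKIA-${serial}`, sessionToken: `st-${clock}`, expiration: clock + CREDENTIAL_TTL_MS };
    },
    refreshSession: async () => {
      if (!refreshTokenValid) throw new Error('Refresh Token has expired');
      return issueIdToken();
    },
  });
  const uploadPart = async (part, creds) => {
    if (part.index === revokeAtPart && !revoked) { revoked = true; throw fail('ExpiredToken', 'The provided token has expired'); }
    if (creds.expiration <= clock) throw fail('ExpiredToken', 'stale credentials reached S3');
    clock += partMs; // each part takes this long to transfer
  };
  const parts = Array.from({ length: partCount }, (_, index) => ({ index }));
  return uploadAll(parts, manager, uploadPart)
    .then((r) => ({ ok: true, ...r, ...manager.stats }))
    .catch((err) => {
      if (!(err instanceof ReauthenticationRequired)) throw err;
      return { ok: false, reason: 'reauthenticate', ...manager.stats };
    });
}

runScenario().then((r) => console.log(JSON.stringify(r)));
```

With the defaults (15 parts of 10 minutes each, one-hour id tokens and credentials) the run needs two user pool refreshes: at minute 60 and minute 120 the cached credentials are inside the margin, the identity pool rejects the hour-old id token, the refresh token yields a new one, and the upload continues without restarting a part. Passing `refreshTokenValid: false` shows the only case the user has to act on, and `revokeAtPart` exercises the path where S3 rejects credentials the client still believed were valid.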
