1. Cognito User Pool
Purpose:
➡️ Manages user authentication (who you are).
Think of a User Pool as a user directory that stores user credentials and handles:
- Sign-up and sign-in (username/password, email, phone, etc.)
- MFA (Multi-Factor Authentication) and password policies
- User profile attributes (name, email, etc.)
- Token issuance:
  - ID Token (user identity)
  - Access Token (API access)
  - Refresh Token (to renew)
Example Use Case:
- You want users to sign in directly to your app using email + password or Google login.
- You want Cognito to handle authentication, user registration, password reset, etc.
→ Output: Authenticated user tokens (JWTs).
🧭 2. Cognito Identity Pool
Purpose:
➡️ Provides AWS credentials (what you can access).
An Identity Pool gives your users temporary AWS credentials (STS tokens) so they can access AWS resources (like S3, DynamoDB, or Lambda) directly.
It can:
- Accept identities from Cognito User Pools
- Or from federated identity providers, like:
  - Google, Facebook, Apple, etc.
  - SAML / OpenID Connect providers
- Even unauthenticated (guest) users
→ Output: AWS access key and secret key (temporary credentials).
🧩 3. How They Work Together
They can be used independently or together:
| Scenario | What You Use | Description |
|---|---|---|
| Only need user sign-up/sign-in (like a typical web app) | User Pool only | You don't need AWS resource access. |
| Need to allow users to access AWS services (like S3 upload, DynamoDB read, etc.) | Both User Pool + Identity Pool | Authenticate the user via the User Pool, then exchange the ID token (JWT) for temporary AWS credentials from the Identity Pool. |
| Want to allow guest users or social logins directly accessing AWS | Identity Pool only | The Identity Pool issues temporary AWS credentials directly from the federated or guest identity; no User Pool is involved. |
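The "both pools" row above is the one that trips people up, so here is the exchange written out as an added example (not code from the original post). It assumes boto3 is installed, that the pool and client IDs are placeholders you replace, and that the app client has USER_PASSWORD_AUTH enabled; the Logins key is derived from the ID token's `iss` claim, and an access token is rejected because the Identity Pool only accepts ID tokens.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature. Use this only to
    route the token; the Identity Pool verifies it server-side before it
    issues any credentials, so never authorize anything on these claims."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def logins_map(id_token: str) -> dict:
    """Build the Logins map GetId / GetCredentialsForIdentity expect.
    Key = User Pool issuer minus the scheme:
    cognito-idp.<region>.amazonaws.com/<user-pool-id>"""
    claims = jwt_claims(id_token)
    if claims.get("token_use") != "id":
        raise ValueError("Identity Pool exchange needs the ID token, not the access token")
    issuer = claims["iss"]
    if not issuer.startswith("https://cognito-idp."):
        raise ValueError(f"unexpected issuer {issuer!r}")
    return {issuer[len("https://"):]: id_token}

def sign_in(region: str, client_id: str, username: str, password: str) -> dict:
    """Step 1: authenticate against the User Pool.
    Returns IdToken / AccessToken / RefreshToken."""
    import boto3  # only the live calls need it
    idp = boto3.client("cognito-idp", region_name=region)
    resp = idp.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    return resp["AuthenticationResult"]

def exchange_for_aws_credentials(region: str, identity_pool_id: str, id_token: str) -> dict:
    """Step 2: trade the ID token for temporary AWS credentials (STS-style)."""
    import boto3
    ci = boto3.client("cognito-identity", region_name=region)
    logins = logins_map(id_token)
    identity_id = ci.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return creds["Credentials"]  # AccessKeyId, SecretKey, SessionToken, Expiration

def make_sample_token(token_use: str) -> str:
    """Constructed, UNSIGNED sample token for offline testing only (placeholder pool ID)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
               "token_use": token_use, "sub": "example-user"}
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."
```

A live run is `exchange_for_aws_credentials(region, "<identity-pool-id>", sign_in(region, "<client-id>", user, pw)["IdToken"])`; the credentials it returns are scoped by the Identity Pool's authenticated IAM role, so that role, not the token, is what bounds the blast radius.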