Creating a Cognito Identity Pool

Once we set up a Cognito User Pool, it is time to create a Cognito Identity Pool. Amazon Cognito identity pools provide temporary AWS credentials for users who have been authenticated and received a token through an identity provider such as a Cognito user pool. It can also provide temporary credentials to guests who are unauthenticated.

Using the SDK and making SDK calls requires a set of IAM credentials with the necessary permissions. Since you want to make direct SDK calls to AWS resources from a game, you can use an identity pool to provide those IAM credentials in a secure manner. Using Cognito to provide temporary AWS credentials is more secure than embedding them in the game client directly. If you embed credentials in the game client and do not rotate them, those credentials can be compromised and allow access to your AWS resources.

  • To create an identity pool, first go to the Amazon Cognito console.

  • Choose Manage Identity Pools and then select Create new identity pool.

  • Enter a name for the identity pool.

  • Enable access to unauthenticated identities. This provides a unique identifier and AWS credentials to users who do not authenticate with an identity provider. An example of when you might want to do this with a game is if you want to reduce the amount of friction required to get started playing your game by allowing users to play without creating an account and authenticating.

  • Leave the authentication flow settings unchecked - do not select the basic flow.

  • Next, select an authentication provider. There are many options, including common identity providers such as Amazon, Apple, Facebook, and Google. Choose Cognito as the authentication provider.

  • Enter the User Pool ID and App client ID of the Cognito user pool that you created in the previous section.

Your settings should look like this:

  • Choose Create Pool.

  • You will be directed to a page that says Identify the IAM roles to use with your new Identity pool.

  • For both authenticated and unauthenticated identities, leave the IAM Policy Document as default. When we start creating backend resources that have Amazon Resource Names (ARNs), we will come back and edit the permissions.

The IAM Policy Document defines the permissions of the IAM role, which is a set of AWS permissions, that your players assume when they sign into the game. This will allow access to backend AWS resources so you can do things like send data directly to a data analytics pipeline.

In production, it is very important to operate by the principle of least privilege, a core principle of AWS Cloud security. The idea is to give the minimal set of permissions required to get a job done, and nothing more. You do not want to overextend permissions.

  • Finally, select Allow.

  • On the Getting started with Amazon Cognito page, you should see a sample Cognito credentials provider with your Identity Pool ID highlighted in red.

  • Make sure to take note of your Identity Pool ID, which we will need to use when writing code for our Unity project.
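The two roles created above (one for authenticated, one for unauthenticated identities) each have a trust policy that lets Cognito Identity assume them, and a permissions policy that you will later tighten. The following Python is an added example, not code from the original tutorial or from AWS: it builds the trust policy for either role, pinned to the identity pool ID and to the authenticated or unauthenticated audience, and runs a simple least-privilege check over a permissions policy to flag wildcard actions or resources. The identity pool ID, the Firehose delivery stream ARN and the sample policies are constructed placeholders, and the "default-style" policy is only modelled on the shape the console generates.

```python
import json

# Constructed placeholder; substitute the Identity Pool ID noted from the console.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"


def trust_policy(identity_pool_id, authenticated):
    """Trust policy (AssumeRolePolicyDocument) for one of the two identity-pool roles.

    Cognito Identity obtains credentials by calling sts:AssumeRoleWithWebIdentity
    on the role. The conditions tie the role to this pool ("aud") and to either
    authenticated or unauthenticated identities ("amr"), so a token from another
    pool, or a guest token presented against the authenticated role, is refused.
    """
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return one finding per Allow statement that grants a wildcard action
    (e.g. "*" or "cognito-sync:*") or a wildcard resource ("*").
    An empty list means the policy passes this deliberately simple check."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("statement %d: wildcard action in %s" % (i, actions))
        if any(r == "*" for r in resources):
            findings.append("statement %d: wildcard resource for %s" % (i, actions))
    return findings


# Constructed sample modelled on the console's default unauthenticated policy:
# broad service wildcards on every resource, which is what we come back to tighten.
DEFAULT_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
        "Resource": "*",
    }],
}

# Constructed least-privilege replacement: players may only write events to one
# named delivery stream of the analytics pipeline (placeholder account and name).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"],
        "Resource": "arn:aws:firehose:us-east-1:123456789012:deliverystream/game-events",
    }],
}


if __name__ == "__main__":
    for label, auth in (("authenticated", True), ("unauthenticated", False)):
        print("trust policy for the %s role:" % label)
        print(json.dumps(trust_policy(IDENTITY_POOL_ID, auth), indent=2))
    for label, pol in (("default-style", DEFAULT_STYLE_POLICY), ("scoped", SCOPED_POLICY)):
        print("%s policy findings: %s" % (label, find_overbroad_statements(pol) or "none"))
```

Run the check against the permissions policy of each role before you attach it; a clean result does not prove the policy is minimal, but any finding is a grant you should be able to justify for players who may never have created an account.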