Amazon Cognito - Amazon Bedrock AgentCore

Amazon Bedrock AgentCore is in preview release and is subject to change.

Amazon Cognito

To add Cognito as an identity provider for accessing AgentCore Gateway and Runtime, you must:

  • Configure the discovery URL from your IdP. AgentCore Identity uses it to fetch the metadata for your OAuth authorization server, including the issuer and the token verification keys (the JWKS the discovery document points to).

  • Provide the client IDs (or aud claim values) you expect to see in tokens. AgentCore Identity uses them to validate tokens coming from your IdP and allows access only for tokens that carry the expected claims.

Amazon Cognito can be used as an identity provider for inbound authentication.

Inbound

To create a Cognito user pool as an inbound identity provider for user authentication with AgentCore Runtime

Create a file named setup_cognito.sh with the following content:

#!/bin/bash

# Create User Pool and capture Pool ID directly
export POOL_ID=$(aws cognito-idp create-user-pool \
  --pool-name "MyUserPool" \
  --policies '{"PasswordPolicy":{"MinimumLength":8}}' \
  --region us-east-1 | jq -r '.UserPool.Id')

# Create App Client and capture Client ID directly
export CLIENT_ID=$(aws cognito-idp create-user-pool-client \
  --user-pool-id "$POOL_ID" \
  --client-name "MyClient" \
  --no-generate-secret \
  --explicit-auth-flows "ALLOW_USER_PASSWORD_AUTH" "ALLOW_REFRESH_TOKEN_AUTH" \
  --region us-east-1 | jq -r '.UserPoolClient.ClientId')

# Create User (SUPPRESS skips the invitation e-mail)
aws cognito-idp admin-create-user \
  --user-pool-id "$POOL_ID" \
  --username "testuser" \
  --temporary-password "Temp123!" \
  --region us-east-1 \
  --message-action SUPPRESS > /dev/null

# Set Permanent Password so the user is not left in FORCE_CHANGE_PASSWORD state
aws cognito-idp admin-set-user-password \
  --user-pool-id "$POOL_ID" \
  --username "testuser" \
  --password "MyPassword123!" \
  --region us-east-1 \
  --permanent > /dev/null

# Authenticate User and capture Access Token
export BEARER_TOKEN=$(aws cognito-idp initiate-auth \
  --client-id "$CLIENT_ID" \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME='testuser',PASSWORD='MyPassword123!' \
  --region us-east-1 | jq -r '.AuthenticationResult.AccessToken')

# Output the required values
echo "Pool id: $POOL_ID"
echo "Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/$POOL_ID/.well-known/openid-configuration"
echo "Client ID: $CLIENT_ID"
echo "Bearer Token: $BEARER_TOKEN"

Run the script to create the Cognito resources:

source setup_cognito.sh

Note the output values, which will look similar to:

Pool id: us-east-1_poolid
Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_userpoolid/.well-known/openid-configuration
Client ID: clientid
Bearer Token: bearertoken

You'll need these values in the next steps.

This script creates a Cognito user pool and an app client, adds a user, and obtains an access token for that user. The token is valid for 60 minutes by default. The script needs the AWS CLI with credentials that can manage Cognito, plus jq. It is a test-environment shortcut: it hardcodes the user's password and enables the USER_PASSWORD_AUTH flow, which sends the password to Cognito directly instead of using SRP, so don't reuse this pattern for real users.

To create a Cognito user pool as an inbound identity provider for machine-to-machine authentication with AgentCore Gateway

  1. Create a user pool:

    aws cognito-idp create-user-pool \
      --region us-west-2 \
      --pool-name "gateway-user-pool"
  2. Note the user pool ID from the response or retrieve it using:

    aws cognito-idp list-user-pools \
      --region us-west-2 \
      --max-results 60
  3. Create a resource server for the user pool:

    aws cognito-idp create-resource-server \
      --region us-west-2 \
      --user-pool-id <UserPoolId> \
      --identifier "gateway-resource-server" \
      --name "GatewayResourceServer" \
      --scopes '[{"ScopeName":"read","ScopeDescription":"Read access"}, {"ScopeName":"write","ScopeDescription":"Write access"}]'
  4. Create a client for the user pool:

    aws cognito-idp create-user-pool-client \
      --region us-west-2 \
      --user-pool-id <UserPoolId> \
      --client-name "gateway-client" \
      --generate-secret \
      --allowed-o-auth-flows client_credentials \
      --allowed-o-auth-scopes "gateway-resource-server/read" "gateway-resource-server/write" \
      --allowed-o-auth-flows-user-pool-client \
      --supported-identity-providers "COGNITO"

    Note the client ID and client secret from the response.

  5. Create a domain for your user pool if it doesn't already have one. The client_credentials flow obtains tokens from the domain's /oauth2/token endpoint, so the domain is required for machine-to-machine authentication:

    aws cognito-idp create-user-pool-domain \
      --domain <UserPoolIdWithoutUnderscore> \
      --user-pool-id <UserPoolId> \
      --region us-west-2
    Note

    Remove any underscore from the user pool ID when creating the domain, and use lowercase throughout: a Cognito domain prefix may contain only lowercase letters, digits and hyphens, and must be unique within the region. For example, if your user pool ID is "us-west-2_gmSGKKGr9", use "us-west-2gmsgkkgr9" as the domain.

  6. Construct the discovery URL for your Cognito user pool:

    https://cognito-idp.us-west-2.amazonaws.com/<UserPoolId>/.well-known/openid-configuration
  7. Configure the Gateway Inbound Auth with the following values:

    • Discovery URL: The URL constructed in the previous step

    • Allowed clients: The client ID obtained when creating the user pool client
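The two settings above (the discovery URL, which yields the issuer and the verification keys, and the allowed client list) are what the requirements at the top of this page describe. The following added example, which is not AgentCore's or Cognito's code, shows what a verifier has to do with them to accept or reject a token: look up the JWKS key named by the token's kid, check the RS256 signature, then enforce issuer, expiry, token_use, allowed client and required scopes. So that it runs offline it generates its own RSA key (512-bit, demo only; Cognito signs with 2048-bit keys) and mints a token with it in place of Cognito; the pool ID, client ID and claims it uses are constructed. The client_id-versus-aud handling follows the page's "clientId or aud" bullet and Cognito's token format (access tokens carry client_id and no aud; ID tokens carry aud); whether AgentCore Identity applies exactly this sequence of checks is not stated on this page.

```python
"""Model of the inbound-auth checks this page asks Cognito tokens to pass.  Added
example, not AgentCore's or Cognito's code; key, IDs and claims are all made up."""
import base64, hashlib, json, random, time

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 25) -> bool:  # Miller-Rabin, demo key only
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 512):
    """Return (n, e, d). 512-bit is far too small for real use; Cognito uses 2048."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-256: the encoding RS256 signs."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(message, k)

def public_jwk(n: int, e: int, kid: str) -> dict:  # same shape as an entry in Cognito's jwks.json
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(n), "e": enc(e)}

def mint_token(claims: dict, n: int, d: int, kid: str) -> str:  # stands in for Cognito issuing a token
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"alg": "RS256", "kid": kid}, claims))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def require(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)

def verify_inbound_token(token, discovery_url, allowed_clients, jwks, required_scopes=(), now=None):
    """Return the verified claims or raise ValueError.  Its inputs are the two settings
    the page asks for: the discovery URL (issuer and keys) and the allowed clients."""
    issuer = discovery_url.rsplit("/.well-known/", 1)[0]
    require(token.count(".") == 2, "malformed token")
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    require(header.get("alg") == "RS256", "unexpected alg %r" % header.get("alg"))  # no alg=none / HMAC
    key = {k.get("kid"): k for k in jwks["keys"] if k.get("kty") == "RSA"}.get(header.get("kid"))
    require(key is not None, "no JWKS key for kid %r" % header.get("kid"))
    to_int = lambda s: int.from_bytes(b64url_decode(s), "big")
    require(rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), to_int(key["n"]), to_int(key["e"])), "bad signature")
    claims = json.loads(b64url_decode(p64))  # trusted only after the signature check
    require(claims.get("iss") == issuer, "issuer mismatch")
    require(claims.get("exp", 0) > (time.time() if now is None else now), "token expired")
    use = claims.get("token_use")
    require(use in ("access", "id"), "unexpected token_use %r" % use)
    # Cognito access tokens name the client in client_id; ID tokens carry it in aud
    clients = [claims.get("client_id")] if use == "access" else claims.get("aud")
    clients = clients if isinstance(clients, list) else [clients]
    require(any(c in allowed_clients for c in clients), "client not in allowed list")
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    require(not missing, "missing scopes %s" % sorted(missing))
    return claims
```

To try it against the procedure above, pass the discovery URL from step 6 and the client ID from step 4 as discovery_url and allowed_clients, and a token obtained from the token_endpoint listed in the discovery document (the user pool domain's /oauth2/token, grant_type=client_credentials with the client ID and secret from step 4); the jwks argument is the document fetched from the discovery document's jwks_uri. The order of checks matters: the payload is only parsed after the signature has been verified against the key selected by kid, and the alg check comes first so that an attacker-supplied header cannot steer verification toward none or an HMAC key.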