Set up authentication for your Amazon Location application
The application that you create in this tutorial has anonymous usage, meaning that your users are not required to sign in to AWS to use the application. However, the Amazon Location Service APIs require authentication to use. You can use either API keys or Amazon Cognito to provide authentication and authorization for anonymous users. This tutorial will use Amazon Cognito and API keys to authenticate your application.
Note
For more information about using Amazon Cognito or API keys with Amazon Location Service, see Grant access to Amazon Location Service.
The following tutorials show you how to set up authentication for the map, the place index, and the tracker you created in as well as setting up permissions for Amazon Location.
Set up authentication
Navigate to the Amazon Location console and select API keys from the left-hand menu. Click on 'Create API key'. Remember that the API key must be in the same AWS account and region as the previously created Amazon Location Service resources.
Fill in the required details on the 'Create API key' page:
Name: Provide a name for your API key, like MyAppKey.
Resources: Choose the Amazon Location Service Map and Place index resources created earlier. You can add multiple resources by selecting 'Add Resource'. This allows the API key to be used with specified resources.
Actions: Specify authorized actions for this API key. At a minimum, select geo:GetMap and geo:SearchPlaceIndexForPosition to ensure the tutorial functions as intended.
Optionally, you can add a Description, Expiration time, Tags, or a referrer, for example https://www.example.com, to limit the key's usage to a specific domain, enabling the tutorial to function only within that domain.
Click Create API Key to generate the API key.
Select Show API Key and copy the key value, for example v1.public.a1b2c3d4, for later use in the tutorial.
Create an IAM policy for tracking
Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your user that has administrator permissions.
In the navigation pane, choose Policies.
In the content pane, choose Create policy.
Choose the JSON option, then copy and paste this JSON policy into the JSON text box.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "geo:GetMapTile",
        "geo:GetMapStyleDescriptor",
        "geo:GetMapSprites",
        "geo:GetMapGlyphs",
        "geo:SearchPlaceIndexForPosition",
        "geo:GetDevicePositionHistory",
        "geo:BatchUpdateDevicePosition"
      ],
      "Resource": [
        "arn:aws:geo:{Region}:{Account}:map/{MapName}",
        "arn:aws:geo:{Region}:{Account}:place-index/{IndexName}",
        "arn:aws:geo:{Region}:{Account}:tracker/{TrackerName}"
      ]
    }
  ]
}
This is a policy example for Tracking. To use the example for your own policy, replace the Region, Account, and TrackerName placeholders.
Note
While unauthenticated identity pools are intended for exposure on unsecured internet sites, note that they will be exchanged for standard, time-limited AWS credentials.
It's important to scope the IAM roles associated with unauthenticated identity pools appropriately. For more information about using and appropriately scoping policies in Amazon Cognito with Amazon Location Service, see Granting access to Amazon Location Service.
On the Review and Create page, provide a name for the policy name field. Review the permissions granted by your policy, and then choose Create Policy to save your work.
The new policy appears in the list of managed policies and is ready to attach.
Set up authentication for your tracking
Set up authentication for your map application in the Amazon Cognito console. Open the Identity pools page.
Note
The pool that you create must be in the same AWS account and AWS Region as the Amazon Location Service resources that you created in the previous section.
Choose Create Identity pool.
Start with the Configure identity pool trust step. For user access authentication, select Guest access, and then press Next.
On the Configure permissions page, select Use an existing IAM role and enter the name of the IAM role you created in the previous step. When ready, press Next to move on to the next step.
On the Configure properties page, provide a name for your identity pool. Then press Next.
On the Review and create page, review all the information present, then press Create identity pool.
Open the Identity pools page, and select the identity pool you just created. Then copy or write down the IdentityPoolId that you will use later in your browser script.