Access AWS services from an ASP.NET Core app using Amazon Cognito identity pools
Bibhuti Sahu and Marcelo Barbosa, Amazon Web Services
Summary
This pattern discusses how you can configure Amazon Cognito user pools and identity pools, and then enable an ASP.NET Core app to access AWS resources after successful authentication.
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. The two main components of Amazon Cognito are user pools and identity pools.
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers such as Google, Facebook, Amazon, or Apple, and through SAML identity providers.
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services. Before you can begin using your new Amazon Cognito identity pool, you must assign one or more AWS Identity and Access Management (IAM) roles to determine the level of access you want your application users to have to your AWS resources. Identity pools define two types of identities: authenticated and unauthenticated. Each identity type can be assigned its own role in IAM. Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Facebook, Google, SAML, or any OpenID Connect providers) or a developer provider (your own backend authentication process), whereas unauthenticated identities typically belong to guest users. When Amazon Cognito receives a user request, the service determines whether the request is authenticated or unauthenticated, determines which role is associated with that authentication type, and then uses the policy attached to that role to respond to the request.
Prerequisites and limitations
Prerequisites
- An AWS account with Amazon Cognito and IAM permissions 
- Access to the AWS resources you want to use 
- ASP.NET Core 2.0.0 or later 
Architecture
Technology stack
- Amazon Cognito 
- ASP.NET Core 
Target architecture

Tools
Tools, SDKs, and AWS services
- Visual Studio or Visual Studio Code 
- Amazon.AspNetCore.Identity.Cognito (1.0.4) – NuGet package 
- AWSSDK.S3 (3.3.110.32) – NuGet package 
Code
The attached .zip file includes sample files that illustrate the following:
- How to retrieve an access token for the logged-in user 
- How to exchange an access token for AWS credentials 
- How to access Amazon Simple Storage Service (Amazon S3) with those AWS credentials 
IAM role for authenticated identities
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*",
        "s3:ListAllMyBuckets*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
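As an added example (not code from the pattern's attachment), the helper below performs the exchange the sample files describe: it attaches the signed-in user's user pool ID token to the identity pool login map under the `cognito-idp.<region>.amazonaws.com/<userPoolId>` provider name, lets the SDK obtain temporary credentials for the authenticated role, and lists buckets, which is the only S3 action the role policy above permits. It assumes the AWSSDK.CognitoIdentity NuGet package is referenced in addition to AWSSDK.S3; the pool IDs and Region are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.S3;

// Added example: exchanges a Cognito user pool ID token for identity pool
// credentials and uses them against Amazon S3 with the authenticated role.
public sealed class CognitoS3Access
{
    // Placeholders: replace with your user pool ID, identity pool ID and Region.
    private const string UserPoolId = "<region>_<userPoolId>";
    private const string IdentityPoolId = "<region>:<identity-pool-guid>";
    private static readonly RegionEndpoint Region = RegionEndpoint.USEast1;

    // Identity pools key a user pool login by this provider name and expect
    // the user pool's ID token (not the access token) as its value.
    private static string ProviderName =>
        $"cognito-idp.{Region.SystemName}.amazonaws.com/{UserPoolId}";

    public static CognitoAWSCredentials CredentialsFor(string idToken)
    {
        if (string.IsNullOrWhiteSpace(idToken))
            throw new ArgumentException("A user pool ID token is required.", nameof(idToken));

        // With a login attached, the identity pool maps the request to the
        // authenticated IAM role; without one it would be treated as a guest.
        var credentials = new CognitoAWSCredentials(IdentityPoolId, Region);
        credentials.AddLogin(ProviderName, idToken);
        return credentials;
    }

    public static async Task<IReadOnlyList<string>> ListBucketNamesAsync(string idToken)
    {
        // On first use the SDK calls GetId and GetCredentialsForIdentity and
        // refreshes the temporary credentials before they expire.
        using (var s3 = new AmazonS3Client(CredentialsFor(idToken), Region))
        {
            var response = await s3.ListBucketsAsync();
            return response.Buckets.Select(b => b.BucketName).ToList();
        }
    }
}
```

The credentials returned carry only the permissions of the authenticated role, so a call the policy does not cover (for example reading an object) is denied by IAM rather than by the app.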
Epics
| Task | Description | Skills required | 
|---|---|---|
| Create a user pool. |  | Developer | 
| Add an app client. | You can create an app to use the built-in webpages for signing up and signing in your users. | Developer | 

| Task | Description | Skills required | 
|---|---|---|
| Create an identity pool. |  | Developer | 
| Assign IAM roles for the identity pool. | You can edit the IAM roles for authenticated and unauthenticated users, or keep the defaults, and then choose Allow. For this pattern, we will edit the authenticated IAM role and provide access for  | Developer | 
| Copy the identity pool ID. | When you choose Allow in the previous step, the Getting started with Amazon Cognito page is displayed. On this page, you can either copy the identity pool ID from the Get AWS Credentials section or choose Edit identity pool in the upper right and copy the identity pool ID from the screen that's displayed. | Developer | 

| Task | Description | Skills required | 
|---|---|---|
| Clone the sample ASP.NET Core web app. |  | Developer | 
| Add dependencies. | Add a NuGet dependency for  | Developer | 
| Add the configuration keys and values to  | Include the code from the attached  | Developer | 
| Create a new user and sign in. | Create a new user in the Amazon Cognito user pool, and verify that the user exists under Users and Groups in the user pool. | Developer | 
| Create a new Razor Page called  | Add a new ASP.NET Core Razor Page to your sample app, and replace the content for  | Developer | 
Troubleshooting
| Issue | Solution | 
|---|---|
| After you open the sample application from the GitHub repository, you get an error when you try to add the NuGet package to the Samples project. | In the  | 
Related resources
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip