Let's now create and configure an identity pool from the AWS CLI:
- Create a provider.json file that maps the Google provider name (accounts.google.com) to the client ID obtained in the previous step:
{ "accounts.google.com" : "55367180174-6brhjc2v6kdllcejabnr1e46957f72te.apps.googleusercontent.com" }
- Create an identity pool:
aws cognito-identity create-identity-pool \
  --identity-pool-name qnatimepool \
  --no-allow-unauthenticated-identities \
  --supported-login-providers file://provider.json \
  --profile admin
You should get a response similar to this:
- Create a policy granting the permissions an authenticated user needs:
aws iam create-policy \
  --policy-name identity-pool-policy \
  --policy-document file://role_policy.txt \
  --profile admin
- The role_policy.txt file has the following contents:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
A user who signs in through a public identity provider must be mapped to an IAM role; Cognito issues temporary AWS credentials for that role, and those credentials are what the app uses to call AWS services.
- Create a role named identity-pool-role and attach the policy created above to it.
- Create a roles.json file with the ARN role as follows:
{"authenticated":"arn:aws:iam::<account id>:role/identity-pool-role"}
- Attach the role to the pool:
aws cognito-identity set-identity-pool-roles \
  --identity-pool-id <your identity pool id> \
  --roles file://roles.json \
  --region us-east-1 \
  --profile admin
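The role-creation step above is stated without a command, and the part that matters most for security is the role's trust policy: it must restrict who may assume the role to authenticated identities of this one identity pool. The following script is an added example, not code from the original text, that builds that trust policy, creates the role, attaches the policy from the previous step, and maps the role to the pool. The identity pool ID and account ID are placeholders, the environment variables and the `--apply` switch are conventions of this example, and the `aws` calls assume the same `admin` profile used throughout.

```shell
#!/bin/sh
# Added example (not from the original text): create identity-pool-role with a
# scoped trust policy, attach identity-pool-policy, and map the role to the pool.
set -eu

POOL_ID="${POOL_ID:-us-east-1:00000000-0000-0000-0000-000000000000}"   # placeholder pool id
ROLE_NAME="identity-pool-role"
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::123456789012:policy/identity-pool-policy}"  # placeholder account id
PROFILE="admin"
REGION="us-east-1"

# Trust policy for the role. The Condition block is the important part: the
# "aud" check pins the role to this pool, and the "amr" check allows only
# identities that actually signed in through a provider (not unauthenticated
# guests). Without these conditions any Cognito identity pool could assume
# the role via sts:AssumeRoleWithWebIdentity.
build_trust_policy() {
  pool_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": { "cognito-identity.amazonaws.com:aud": "${pool_id}" },
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
      }
    }
  ]
}
EOF
}

# Roles mapping consumed by set-identity-pool-roles (same shape as roles.json above).
build_roles_mapping() {
  echo "{\"authenticated\":\"$1\"}"
}

create_identity_pool_role() {
  build_trust_policy "$POOL_ID" > trust_policy.json
  role_arn=$(aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://trust_policy.json \
    --query 'Role.Arn' --output text \
    --profile "$PROFILE")
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$POLICY_ARN" \
    --profile "$PROFILE"
  build_roles_mapping "$role_arn" > roles.json
  aws cognito-identity set-identity-pool-roles \
    --identity-pool-id "$POOL_ID" \
    --roles file://roles.json \
    --region "$REGION" \
    --profile "$PROFILE"
  echo "$role_arn"
}

# Only talk to AWS when explicitly asked, so the functions can be sourced and
# inspected offline: POOL_ID=us-east-1:... sh create_role.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_identity_pool_role
fi
```

Two points worth checking after running it. First, confirm the trust policy landed with both conditions (`aws iam get-role --role-name identity-pool-role`), since a role whose trust policy names only the `cognito-identity.amazonaws.com` principal is assumable from any pool in any account. Second, the permissions policy from the previous step grants `cognito-identity:*` and `cognito-sync:*` on all resources, which is wider than a signed-in app user needs; once the app works, trim it to the actions it actually calls.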