
Amazon Cognito iOS

I am trying to integrate Amazon Web Services into my app but frankly it has been a major challenge and it is extremely annoying.

I am using Amazon SDK (V2.1.0) for iOS and this is what I am trying to achieve:

  1. In my app, I have a signup screen where my users can sign up for my app using either Facebook or by creating an account
  2. If the user wishes to create an account, I plan on using Amazon Cognito to securely access Amazon DynamoDB (through the iOS app) where I will store the email and password.

I am trying to get Amazon Cognito working with the following code in my ViewController but I get nil for the variable cognitoId. My code is below:

```objc
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
                                                                                                identityPoolId:@"us-east-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"];
AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
                                                                     credentialsProvider:credentialsProvider];
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;

NSString *cognitoId = credentialsProvider.identityId; //NULL
```

Based on everything I explained above, I have the following questions:

  1. Is my usage case of Amazon Cognito correct in this scenario?
  2. Why is the code above not working?
  3. I think the issue may have to do with IAM roles configured in the Identity Pool. I am not sure what roles to give in terms of security. Once users sign up, the app will need permission to write to my DynamoDB without exposing any security flaws. Can anyone offer any insight on this?

I appreciate anyone that can help. I am losing my mind over trying to get this to work the last couple of days.

Thanks!

Teddy13 asked Nov 09 '22 17:11


1 Answer

The Cognito identity id isn't set by default. Are you making a call to getIdentityId or refresh with the provider? If not, I'd try that and see if you get a result.

As for your other questions, Cognito supports 'public providers' such as Facebook, Google, and Amazon, as well as developer authenticated identities. For your suggested case with Facebook, you could pretty easily use Cognito there. A blog post on Cognito roles and policies is available here.

Developer authenticated identities could be a valid (and more secure) way to implement your second use case. The workflow would require you to have a back end server, but you could only give access to the DynamoDB table to that server. Users would log in, the app would send that data to your server, that server would validate and reply with credentials, and then the user could access your other AWS resources. A blog post describing the roles and policies in this context is available here and one giving more detail on the specifics and listing an end to end example is available here.

Jeff Bailey answered Nov 15 '22 13:11
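
The back-end half of the developer authenticated identities workflow described in the answer above, as an added example that is not part of the original answer: the server checks the login against its own user store and only then asks Cognito for an identity id and a short-lived token. Assumptions: `POOL_ID` is a placeholder, `PROVIDER` is a hypothetical developer provider name, `users` is a dict standing in for the server-side user table, `cognito` is a boto3 `cognito-identity` client created by the caller, and PBKDF2 is the password storage chosen for this sketch.

```python
import hashlib
import hmac
import os

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder pool id
PROVIDER = "login.example.app"  # hypothetical developer provider name on the pool


def hash_password(password, salt=None):
    """Return (salt, digest); the server stores these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def login(cognito, users, email, password):
    """Validate a login, then fetch an identity id and token from Cognito.

    cognito: boto3.client("cognito-identity") running with the server's own
             IAM credentials (assumed; created by the caller).
    users:   stand-in for the server-side user table.
    Returns None on any failure so the caller cannot tell which check failed.
    """
    record = users.get(email.lower())
    if record is None:
        # Do the same hashing work so unknown e-mails are not faster to reject.
        hash_password(password, b"\x00" * 16)
        return None
    if not verify_password(password, record["salt"], record["hash"]):
        return None
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=POOL_ID,
        Logins={PROVIDER: record["user_id"]},  # stable user id, not the e-mail
        TokenDuration=900,  # seconds; keep the token short-lived
    )
    # The app passes these to its credentials provider; no AWS secret ships in it.
    return {"identityId": resp["IdentityId"], "token": resp["Token"]}
```
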