how to use AWS cognito with custom authentication to create temporary s3 upload security token

Question

So I'm a bit confused by the Amazon documentation on Cognito concerning one of their stated use cases: "use your own identity system... allowing your apps to save data to the AWS cloud".

In my case I want to give them aws tokens to upload directly to s3 from the mobile client without putting my aws keys on the client device.

In order to implement this on the server side - how do I generate the proper credentials so that the client can use this identity on the client app to upload to s3?

Do I first call

1. getId() (what values do I pass if I'm using my own login - since I'm not providing a facebook or twitter ID? How do I pass in my own db's generated user ids?

2. AWS.CognitoIdentity.getCredentialsForIdentity() method from the congito API... or maybe I have to new up an AWS.CognitoIdentity?

Any links to a good example? I couldn't find any full examples in the documentation itself.

For example in their documentation amazon says that

var identityId = AWS.config.credentials.identityId;

retrieves an identityid for your end user immediately, however looking at it, it seems to be a property and not an id factory. How does it generate unique ids, or is one identity id shared by all of my users? Are there credentials of some sort that I can derive from this that I can then pass on to my mobile client to get upload privileges to s3?

I also read something about AWS STS service - is that an alternative to using Cognito?

Answer 1

You can find an example in this AWS Mobile blog post and the differences between developer authenticated identities and regular identities in this other blog post.

Basically, the flow is that your app will authenticate against your backend, then your backend will call GetOpenIdTokenForDeveloperIdentity and send the resulting token and Identity ID to the user's app. The user's app can use this token to obtain Cognito credentials using the SDK, and with this credentials make calls to S3 or other AWS services. Each user will have its own credentials, so they only have access to their own resources in S3.

About STS, that's what the SDK will internally use to obtain the credentials, but as long as you use the SDK you don't need to worry about it. It's not an alternative to Cognito, but they both work together.