I am currently building a C++ client which is successfully authenticating to AWS Cognito User Pools. I wish to obtain temporary AWS credentials via exchanging the received ID token from Cognito.
Using the Advanced Flow with AWS CLI it seems to be two separate calls which I have working.
aws cognito-identity get-id aws cognito-identity get-credentials-for-identity
The end goal is to receive AccessKeyId,SecretKey,SessionToken,IdentityId for subsequent AWS service calls.
I have worked out the get-id side so the rest will fall easily now.
Aws::SDKOptions options;
Aws::Utils::Logging::LogLevel logLevel{ Aws::Utils::Logging::LogLevel::Error };
options.loggingOptions.logger_create_fn = [logLevel] {return make_shared<Aws::Utils::Logging::ConsoleLogSystem>(logLevel); };
Aws::InitAPI(options);
Aws::Client::ClientConfiguration clientConfiguration;
clientConfiguration.region = REGION; // region must be set for Cognito operations
s_AmazonCognitoIdentityClient = Aws::MakeShared<Aws::CognitoIdentity::CognitoIdentityClient>("CognitoIdentityClient",clientConfiguration);
Aws::CognitoIdentity::Model::GetIdRequest getIdRequest;
getIdRequest.SetAccountId(AWS_ACCOUNT_ID);
getIdRequest.SetIdentityPoolId(IDENTITY_POOL_ID);
map<string, string> logins{
{"cognito-idp.[REGION].amazonaws.com/[Your Pool ID]", s_IDToken}
};
getIdRequest.SetLogins(logins);
Aws::CognitoIdentity::Model::GetIdOutcome getIdOutcome{s_AmazonCognitoIdentityClient->GetId(getIdRequest)};
if (getIdOutcome.IsSuccess())
{
Aws::CognitoIdentity::Model::GetIdResult getIdResult{getIdOutcome.GetResult()};
cout << "\tIdentity Token: " << getIdResult.GetIdentityId() << endl;
s_IdentityId = getIdResult.GetIdentityId(); //Set for subsequent call to get credentials
}
else {
Aws::Client::AWSError<Aws::CognitoIdentity::CognitoIdentityErrors> error = getIdOutcome.GetError();
cout << "Error logging in: " << error.GetMessage() << endl << endl;
}
Aws::ShutdownAPI(options);