
The Amazon Cognito Identity API contains several data types that various actions use. This section describes each data type in detail.

Note

The order of each element in a data type structure is not guaranteed. Applications should not assume a particular order.

The following data types are supported:

• CognitoIdentityProvider

• Credentials

• IdentityDescription

• IdentityPoolShortDescription

• MappingRule

• RoleMapping

• RulesConfigurationType

• UnprocessedIdentityId

CognitoIdentityProvider


A provider representing an Amazon Cognito user pool and its client ID.

Contents

ClientId

The client ID for the Amazon Cognito user pool.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w_]+

Required: No

ProviderName

The provider name for an Amazon Cognito user pool. For example, cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w._:/-]+

Required: No

ServerSideTokenCheck

TRUE if server-side token validation is enabled for the identity provider’s token.

Once you set ServerSideTokenCheck to TRUE for an identity pool, that identity pool will check with the integrated user pools to make sure that the user has not been globally signed out or deleted before the identity pool provides an OIDC token or AWS credentials for the user.

If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.

Type: Boolean

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for Ruby V3

Credentials


Credentials for the provided identity ID.

Contents

AccessKeyId

The Access Key portion of the credentials.

Type: String

Required: No

Expiration

The date at which these credentials will expire.

Type: Timestamp

Required: No

SecretKey

The Secret Access Key portion of the credentials.

Type: String

Required: No

SessionToken

The Session Token portion of the credentials.

Type: String

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for Ruby V3

IdentityDescription


A description of the identity.

Contents

CreationDate

Date on which the identity was created.

Type: Timestamp

Required: No

IdentityId

A unique identifier in the format REGION:GUID.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 55.

Pattern: [\w-]+:[0-9a-f-]+

Required: No

LastModifiedDate

Date on which the identity was last modified.

Type: Timestamp

Required: No

Logins

The provider names.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for Ruby V3

IdentityPoolShortDescription


A description of the identity pool.

Contents

IdentityPoolId

An identity pool ID in the format REGION:GUID.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 55.

Pattern: [\w-]+:[0-9a-f-]+

Required: No

IdentityPoolName

A string that you provide.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w\s+=,.@-]+

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for Ruby V3

MappingRule


A rule that maps a claim name, a claim value, and a match type to a role ARN.

Contents

Claim

The claim name that must be present in the token, for example, "isAdmin" or "paid".

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}]+

Required: Yes

MatchType

The match condition that specifies how closely the claim value in the IdP token must match Value.

Type: String

Valid Values: Equals | Contains | StartsWith | NotEqual

Required: Yes

RoleARN

The role ARN.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: Yes

Value

A brief string that the claim must match, for example, "paid" or "yes".

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for Ruby V3

RoleMapping


A role mapping.

Contents

AmbiguousRoleResolution

If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.

Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type.

Type: String

Valid Values: AuthenticatedRole | Deny

Required: No

RulesConfiguration

The rules to be used for mapping users to roles.

If you specify Rules as the role mapping type, RulesConfiguration is required.

Type: RulesConfigurationType object

Required: No

Type

The role mapping type. Token will use cognito:roles and cognito:preferred_role claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.

Type: String

Valid Values: Token | Rules

Required: Yes
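
An added example (not from the AWS documentation or SDKs): a Python lint that checks a RoleMapping structure against the constraints listed in the MappingRule and RoleMapping entries above, so a malformed mapping is caught before it is deployed. The Rules member of RulesConfiguration is an assumption taken from the RulesConfigurationType definition, which lies outside this section; the function names, account ID and role name are constructed placeholders.

```python
import unicodedata

# Constraints copied from the MappingRule and RoleMapping entries above.
MATCH_TYPES = {"Equals", "Contains", "StartsWith", "NotEqual"}
RESOLUTIONS = {"AuthenticatedRole", "Deny"}
LENGTHS = {"Claim": (1, 64), "RoleARN": (20, 2048), "Value": (1, 128)}


def lint_mapping_rule(rule, index):
    """Return the constraint violations found in one MappingRule dict."""
    problems = []
    for field, (lo, hi) in LENGTHS.items():
        value = rule.get(field)
        if not (isinstance(value, str) and lo <= len(value) <= hi):
            problems.append(f"rule {index}: {field} must be {lo}-{hi} characters")
    if rule.get("MatchType") not in MATCH_TYPES:
        problems.append(f"rule {index}: MatchType is not a valid value")
    # Claim pattern uses \p{..} classes, which Python's re lacks: check categories.
    claim = rule.get("Claim")
    if isinstance(claim, str) and any(
            unicodedata.category(ch)[0] not in "LMSNP" for ch in claim):
        problems.append(f"rule {index}: Claim contains a disallowed character")
    return problems


def lint_role_mapping(mapping):
    """Return the constraint violations found in one RoleMapping dict."""
    if mapping.get("Type") not in ("Token", "Rules"):
        return ["Type must be Token or Rules"]
    problems = []
    resolution = mapping.get("AmbiguousRoleResolution")
    if resolution is None:
        problems.append("AmbiguousRoleResolution is required for Token and Rules")
    elif resolution not in RESOLUTIONS:
        problems.append("AmbiguousRoleResolution must be AuthenticatedRole or Deny")
    if mapping["Type"] == "Rules":
        # Assumption: the "Rules" member of RulesConfiguration holds the MappingRule list.
        rules = (mapping.get("RulesConfiguration") or {}).get("Rules")
        if not rules:
            problems.append("RulesConfiguration is required when Type is Rules")
        for i, rule in enumerate(rules or []):
            problems.extend(lint_mapping_rule(rule, i))
    return problems


# Constructed sample: placeholder ARN, space in Claim, bad MatchType, no resolution.
SAMPLE = {"Type": "Rules", "RulesConfiguration": {"Rules": [
    {"Claim": "is admin", "MatchType": "Matches", "Value": "yes",
     "RoleARN": "arn:aws:iam::111122223333:role/ExampleAdmin"}]}}
```

Calling lint_role_mapping(SAMPLE) reports the missing AmbiguousRoleResolution, the invalid MatchType and the space in Claim.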

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for Ruby V3
