My simple words to clarify the confusion between AWS Cognito User Pools and Identity Pools
Authentication and Authorization with AWS Cognito User Pools and Identity Pools

While building the architecture for a serverless application, I chose not to reinvent the wheel and decided to offload user management to AWS Cognito to securely authenticate users to the application.

Unfortunately, unlike with other AWS services, I got confused when I started digging deeper into the AWS documentation to understand how Cognito works, because Cognito consists of two services, User Pools and Identity Pools, that are similar on the surface but different under the hood. These two services solve the same problem (i.e. authentication and authorization) but do so in very different ways and for different purposes, which provides both flexibility and, at first, a source of confusion.

With this article, I will try to clear up this confusion.


User Pool

AWS Cognito User Pools exist to authenticate users for your applications.

Say you are creating a new web or mobile app and thinking about how to handle user registration, authentication, and account recovery. You don't need to implement user authentication inside your application; instead you can integrate AWS Cognito User Pools, which will manage user sign-up, sign-in, and password policies.

Simple and straightforward, isn't it? Here is where the confusion starts!


Identity Pool

This service was designed to authorize your users to use the various AWS services. The source of these users could be a Cognito User Pool, or even Facebook or Google.

In other words, Identity Pools are used to assign IAM roles to users who have been authenticated through a separate identity provider, which could be Cognito User Pools or a social login (e.g. Gmail, Facebook, etc.). Because these users are assigned an IAM role, they each have their own set of IAM permissions, allowing them to access AWS resources directly.

The following diagram illustrates the above paragraph. Notice how you could use a User Pool, social networks, or even your own custom authentication system as the identity provider for the Cognito Identity Pool. With all of this, it can give your users secure access to your AWS services, regardless of where they come from.



So the difference is:

  • AWS Cognito User Pools: granting access to an application
  • AWS Cognito Identity Pools: granting access to AWS services.


To get practical insight into using these, let us take an example that uses AWS Cognito User Pools and Identity Pools together. In this use case, a user who logs in through AWS Cognito User Pools is granted access to Amazon S3 to upload a file.

As shown in the diagram below, the application first redirects the user to the AWS Cognito User Pool to enter a username and password, which returns a token (or tokens) to the application for legitimate users.

This token is then used to call AWS Cognito Identity Pools and obtain temporary IAM credentials.

Using these temporary credentials, the application can access the AWS services that the assumed IAM role's policy grants to the individual user. So the user is able to upload a file to S3 using the temporary credentials issued by the Identity Pool.

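The flow just described (User Pool sign-in, token exchange at the Identity Pool, then the S3 upload with the temporary credentials) written out with boto3, as an added example rather than code from the article. The region, pool and client ids and the bucket name are placeholders; only upload_as_user talks to AWS, and the per-user key prefix is an addition beyond the text that lets the role policy confine each user to their own prefix.

```python
import base64
import json

# Placeholder identifiers (constructed, not from the article); replace with your own.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
BUCKET = "example-upload-bucket"
# Constructed, unsigned JWT whose payload is {"token_use":"id"}; for trying the helpers offline.
SAMPLE_ID_TOKEN = "h.eyJ0b2tlbl91c2UiOiJpZCJ9.s"


def logins_key(region: str, user_pool_id: str) -> str:
    """Identity Pools name a User Pool provider by its issuer host, not by pool name."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def jwt_claims(token: str) -> dict:
    """Read a JWT payload without verifying it; the Identity Pool does the verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def is_id_token(token: str) -> bool:
    """Only the ID token (token_use == "id") is accepted in the Logins map, not the access token."""
    return jwt_claims(token).get("token_use") == "id"


def upload_key(identity_id: str, filename: str) -> str:
    """Per-user prefix, so the role policy can limit s3:PutObject to
    uploads/${cognito-identity.amazonaws.com:sub}/* and users cannot overwrite each other."""
    return f"uploads/{identity_id}/{filename}"


def upload_as_user(username: str, password: str, filename: str, body: bytes) -> str:
    import boto3  # imported here: only this function needs network access to AWS
    # 1. Authenticate against the User Pool (USER_PASSWORD_AUTH must be enabled on the app client).
    idp = boto3.client("cognito-idp", region_name=REGION)
    auth = idp.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=APP_CLIENT_ID,
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    id_token = auth["AuthenticationResult"]["IdToken"]
    # 2. Exchange the ID token at the Identity Pool for temporary IAM credentials.
    ci = boto3.client("cognito-identity", region_name=REGION)
    logins = {logins_key(REGION, USER_POOL_ID): id_token}
    identity_id = ci.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    creds = ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    # 3. Call S3 with those credentials; the assumed role's IAM policy decides what is allowed.
    s3 = boto3.client("s3", region_name=REGION, aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretKey"], aws_session_token=creds["SessionToken"])
    key = upload_key(identity_id, filename)
    s3.put_object(Bucket=BUCKET, Key=key, Body=body)
    return key
```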


I came across the following flowchart, which you can follow to help you choose the service you need based on your requirements:




Long Story Short

It depends on your use case:

If your use case is to grant your users access to AWS services directly, use Cognito Identity Pools.

Otherwise, if it is only for authenticating your users and granting them access to your application, you only need User Pools.


I hope this article helped you understand Cognito better! With the fundamentals of its two variants in mind, you can dive deeper into Cognito using the AWS documentation.

Krunali Jain

AWS || Azure || Terraform || Docker || Python || Networking.

2y

Now I am confused between Policies and Identity Pool. If both are kind of the same, then why can't we directly give authorization via IAM Roles/Policies?

Sharad Pai

Media & Entertainment | OTT Platforms | Cloud consulting | Streaming Analytics | Cloud Solution Architect | Enterprise architecture | Speaker

4y

Why use identity pools when you have STS, which can help you with authorization using AssumeRoleWithWebIdentity? What was the need for Identity pools?

More articles by Ahmad Alhady