How do I obtain temporary AWS credentials for an unauthenticated role in PowerShell using a Cognito IdentityPool

0 votes
I was writing a PowerShell script that needed to access an AWS S3 bucket using an unauthenticated role via Cognito and had trouble finding much documentation. All of the documentation I was able to find for the AWS PowerShell SDK discussed storing your AccessKey and SecretKey but never how to get those credentials using Cognito when you aren't using a user pool.
Feb 16, 2023 in AWS by sarit
• 1,830 points

1 answer to this question.

0 votes

To obtain temporary AWS credentials for an unauthenticated role in PowerShell using a Cognito IdentityPool, you can use the AWS PowerShell SDK and the Get-CognitoIdentity cmdlet. Here are the steps:

  1. Install the AWS PowerShell SDK if you haven't already. You can do this by running the following command in PowerShell:


    Install-Module -Name AWSPowerShell.NetCore

  2. Create an IdentityPool in the AWS Console and note its ID.

  3. Set up an IAM Role with permissions to access the AWS resources you need, and make sure to enable the "Allow access from unauthenticated identities" option.

  4. In your PowerShell script, use the following code to get temporary credentials:

    # Import the AWS PowerShell module
    Import-Module AWSPowerShell.NetCore

    # Set up the parameters for the Get-CognitoIdentity cmdlet
    $IdentityPoolId = "<your IdentityPool ID>"
    $AccountId = "<your AWS Account ID>"
    $RoleArn = "<your IAM Role ARN>"

    # Get a new Cognito identity ID
    $IdentityId = (Get-CognitoIdentity -IdentityPoolId $IdentityPoolId).IdentityId

    # Get temporary AWS credentials for the unauthenticated role
    $Credentials = Get-CognitoIdentityCredentials -IdentityId $IdentityId -AccountId $AccountId -RoleArn $RoleArn

    # Use the credentials to access the AWS resource (e.g. S3 bucket)
    Get-S3Object -BucketName "<your S3 bucket name>" -Key "<your object key>" -Credential $Credentials

    Replace the values for $IdentityPoolId, $AccountId, $RoleArn, <your S3 bucket name>, and <your object key> with your own values.

  5. Run the script and you should be able to access your AWS resource using temporary credentials obtained through Cognito.

Note that the temporary credentials obtained through Cognito have an expiration time, so you will need to refresh them periodically to continue accessing your AWS resource.


answered Feb 17, 2023 by anonymous
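
Step 3 of the answer sets up the IAM role that unauthenticated identities assume; anyone who knows the identity pool ID can obtain credentials for that role, so its trust policy should be pinned to the pool and to unauthenticated identities. The following is an added example, not part of the original answer: it checks a trust policy document for those two conditions. The function name `Test-CognitoTrustPolicy`, the pool ID and both policy documents are constructed for illustration.

```powershell
# Added example: lint the trust policy attached to a Cognito unauthenticated role.
# The pool ID and both policy documents below are constructed placeholders.
$PoolId = 'us-east-1:00000000-0000-0000-0000-000000000000'
$Aud = 'cognito-identity.amazonaws.com:aud'
$Amr = 'cognito-identity.amazonaws.com:amr'

# Weak: any token issued by Cognito Identity is accepted.
$WeakTrust = @'
{ "Version": "2012-10-17", "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity" } ] }
'@

# Scoped: pinned to one identity pool and to unauthenticated identities.
$ScopedTrust = @'
{ "Version": "2012-10-17", "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:00000000-0000-0000-0000-000000000000" },
      "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" } } } ] }
'@

function Test-CognitoTrustPolicy {
    # Hypothetical helper name; returns one finding string per problem found.
    param([string]$PolicyJson, [string]$IdentityPoolId)
    $findings = @()
    foreach ($stmt in @((ConvertFrom-Json $PolicyJson).Statement)) {
        # Only Allow statements that trust the Cognito Identity federation are relevant.
        if ($stmt.Effect -ne 'Allow') { continue }
        if ($stmt.Principal.Federated -ne 'cognito-identity.amazonaws.com') { continue }
        # A missing Condition block yields $null here, which fails both checks.
        $audValues = @($stmt.Condition.StringEquals.$Aud)
        $amrValues = @($stmt.Condition.'ForAnyValue:StringLike'.$Amr)
        if ($audValues -notcontains $IdentityPoolId) {
            $findings += "aud is not pinned to $IdentityPoolId with StringEquals"
        }
        if ($amrValues -notcontains 'unauthenticated') {
            $findings += 'amr is not limited to unauthenticated identities'
        }
    }
    return $findings
}

"Weak:   $(@(Test-CognitoTrustPolicy $WeakTrust $PoolId) -join '; ')"
"Scoped: $(@(Test-CognitoTrustPolicy $ScopedTrust $PoolId) -join '; ')"
```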
