I believe AWS should separate User Pool and Identity Pool, and change the names. Because mixing up different services under the same name causes confusions, and the names do not give any clue about the services.
- User Pool -> AWS Authentication and Token vending service, similar to Auth0. You can use Auth0 instead of unnecessarily complicated User Pool
- Identity Pool -> AWS IAM Authorization service for the authentication tokens such as Auth0 token or AWS JWT token (from User Pool)
An analogy would be:
Use Pool is an agency in your country that identifies who you are and issues a VISA (The VISA is the token which the Identity Provider provides you as a user).
Identity Pool is the border control of the foreign country called "AWS" that you visit with the VISA. They verify who you are with the VISA and authorize what you can do in there. If the border control does not recognize the VISA, you cannot do anything. If they recognize it, then they have fine grained rules defined for each VISA what actions are allowed and where.
Forget about User Pool
Better focus on Identity Pool. Because User Pool is just another Identity Provider service like MSAD, Google, Facebook, Auth0, etc. An Identity Provider authenticates and provides a token e.g. Kerberos Token for a MS AD users, or a Cognito Userpool JWT token for a AWS Cognito Userpool user. Then Identity Pool can utilize the token to authorize access to AWS resources.
AWS has been mixing up this Identity Provider/Authentication service with Identity Pool/Authorization service, besides their strange naming, hence causing massive confusions, incurring the questions.
The name "Identity Pool" does not make any sense as it has no indication on what the service does. A word must navigate thinking that leads to understanding, not confusion. AWS exactly does the opposite.
Preparation
Before jumping to what Identity Pool does/is, better to understand a few things.
AWS STS Token
Naively saying, AWS STS Token allow us to create, use, update, delete AWS resources programmatically.
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN
If you have an AWS account user, you can get AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for the user, and then get a STS token using e.g. MFA.
IAM Role
In reality, an IAM Role defines which actions allowed on which AWS resources for a STS token. It may not allow delete but create. So it depends on the IAM Role what a STS Token allows us to do.
However, the point to note is, there is a association between an IAM Role and a STS Token you get, and someone must define the association for you.
What Identity Pool gives you
It gives a STS Token, using which you can manipulate AWS resources in an AWS account.
Situation where Identity Pool is useful
Another problem of AWS for me is their documentation does not declare This is when you need Identity Pool, but instead keep repeating the word Federation which does not point to what Identity Pool does, allow you to manipulate AWS resources with a STS Token.
If you are in the situation where:
- I want to manipulate AWS resources in an AWS account, and
- I do not have an AWS IAM User (or I do not want to use it), but
- I have an account in Corporate AD, or in Google, or in Facebook, or in Auth0, or ..., or in Cognito User Pool.
Then you can use Identity Pool to get a STS token for the account e.g Google you logged in, and can manipulate the AWS resource.
For instance, if you have 1000+ users in your corporate AD and want to let them use AWS resources somehow. Would you create 1000+ AWS IAM users? Or find a way to map them to a few IAM roles such as "Administrator", "Accounting", "Finance", "IT"?
What Identity Pool does
Identity Pool maps an Identity Provider token (e.g. Google token) to an IAM Role in an AWS account, and gives a STS Token.
AWS calls this "mapping" as Federation, in my understanding.
I would recommend completely forgetting User Pool when discussing Identity Pool. User Pool is just another Identity Provider which you may not need at all.
Likewise, when discussing User Pool, I would recommend completely forgetting Identity Pool.
I do hope AWS will separate Identity Provider Service (User Pool) from Token Mapping service (Identity Pool) to stop causing confusions.