User pool vs identity pool Cognito

AwsComparisonBeginner · 4 min read

User Pool vs Identity Pool in AWS Cognito: Key Differences and Usage

In AWS Cognito, a User Pool manages user sign-up and sign-in directly, handling authentication. An Identity Pool provides temporary AWS credentials to users, enabling access to AWS services after authentication.

⚖️

Quick Comparison

This table summarizes the main differences between AWS Cognito User Pools and Identity Pools.

Feature	User Pool	Identity Pool
Purpose	User authentication and user directory	Federated identity and AWS credentials management
Authentication	Handles sign-up, sign-in, and user profiles	Does not authenticate users directly
Supported Identities	Users registered in the pool	Users authenticated via User Pools, social providers, or SAML
AWS Credentials	No AWS credentials provided	Provides temporary AWS credentials for AWS resource access
Use Case	Manage users and authentication flows	Authorize access to AWS resources after authentication
Integration	Can be used alone or with Identity Pool	Requires authentication from User Pool or external providers

⚖️

Key Differences

User Pools are focused on managing user identities and authentication. They provide sign-up, sign-in, password recovery, and multi-factor authentication features. User Pools store user profiles and handle tokens like ID and access tokens for your app.

Identity Pools, on the other hand, do not authenticate users themselves. Instead, they accept authenticated identities from User Pools or external providers like Google or Facebook. Identity Pools then provide temporary AWS credentials so users can securely access AWS services such as S3 or DynamoDB.

In short, User Pools answer the question "Who is the user?" while Identity Pools answer "What AWS resources can the user access?". They often work together: users authenticate with a User Pool, then Identity Pool grants AWS permissions based on that authentication.

💻

User Pool Code Example

This example shows how to sign up and sign in a user using AWS Cognito User Pool with AWS SDK for JavaScript v3.

javascript

import { CognitoIdentityProviderClient, SignUpCommand, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";

const client = new CognitoIdentityProviderClient({ region: "us-east-1" });
const userPoolClientId = "YOUR_USER_POOL_CLIENT_ID";

// Sign up a new user
async function signUp(username, password) {
  const command = new SignUpCommand({
    ClientId: userPoolClientId,
    Username: username,
    Password: password
  });
  const response = await client.send(command);
  return response;
}

// Sign in an existing user
async function signIn(username, password) {
  const command = new InitiateAuthCommand({
    AuthFlow: "USER_PASSWORD_AUTH",
    ClientId: userPoolClientId,
    AuthParameters: {
      USERNAME: username,
      PASSWORD: password
    }
  });
  const response = await client.send(command);
  return response.AuthenticationResult; // contains tokens
}

// Usage example
(async () => {
  await signUp("alice@example.com", "ExamplePass123!");
  const authResult = await signIn("alice@example.com", "ExamplePass123!");
  console.log(authResult.IdToken); // JWT token for user
})();

Output

JWT token string printed to console representing authenticated user

↔️

Identity Pool Equivalent

This example shows how to get AWS credentials from an Identity Pool after authenticating with a User Pool using AWS SDK for JavaScript v3.

javascript

import { CognitoIdentityClient, GetIdCommand, GetCredentialsForIdentityCommand } from "@aws-sdk/client-cognito-identity";

const identityClient = new CognitoIdentityClient({ region: "us-east-1" });
const identityPoolId = "YOUR_IDENTITY_POOL_ID";
const userPoolId = "YOUR_USER_POOL_ID";
const userPoolProvider = `cognito-idp.us-east-1.amazonaws.com/${userPoolId}`;

// Assume user is authenticated and has an IdToken
const idToken = "USER_POOL_ID_TOKEN_FROM_AUTH";

async function getAWSCredentials() {
  // Get the identity ID
  const getIdCommand = new GetIdCommand({
    IdentityPoolId: identityPoolId,
    Logins: {
      [userPoolProvider]: idToken
    }
  });
  const idResponse = await identityClient.send(getIdCommand);

  // Get AWS credentials for the identity
  const getCredsCommand = new GetCredentialsForIdentityCommand({
    IdentityId: idResponse.IdentityId,
    Logins: {
      [userPoolProvider]: idToken
    }
  });
  const credsResponse = await identityClient.send(getCredsCommand);
  return credsResponse.Credentials;
}

// Usage example
(async () => {
  const credentials = await getAWSCredentials();
  console.log(credentials.AccessKeyId); // Temporary AWS access key
})();

Output

Temporary AWS credentials printed to console for accessing AWS resources

🎯

When to Use Which

Choose User Pools when you need to manage user registration, authentication, and user profiles directly within your application. They are ideal for apps that require user sign-up, sign-in, and user management features.

Choose Identity Pools when your application needs to grant users access to AWS resources like S3 buckets or DynamoDB tables after they authenticate. Identity Pools work best when you want to provide temporary AWS credentials based on user identity from User Pools or external providers.

Often, use both together: authenticate users with a User Pool, then use an Identity Pool to authorize AWS resource access securely.

✅

Key Takeaways

User Pools handle user sign-up, sign-in, and authentication management.

Identity Pools provide temporary AWS credentials for authorized access to AWS services.

User Pools answer 'Who is the user?', Identity Pools answer 'What AWS resources can the user access?'.

Use User Pools alone for authentication; combine with Identity Pools for AWS resource access.

Identity Pools support multiple identity providers including User Pools and social logins.