{"id":2779,"date":"2026-02-13T20:17:29","date_gmt":"2026-02-13T14:47:29","guid":{"rendered":"https:\/\/vihaaniotgateway.in\/?p=2779"},"modified":"2026-02-13T20:18:38","modified_gmt":"2026-02-13T14:48:38","slug":"amazon-cognito-user-pools-vs-identity-pools-explained-with-aws-iot-example","status":"publish","type":"post","link":"https:\/\/vihaaniotgateway.in\/index.php\/2026\/02\/13\/amazon-cognito-user-pools-vs-identity-pools-explained-with-aws-iot-example\/","title":{"rendered":"Amazon Cognito User Pools vs Identity Pools Explained"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What is Amazon Cognito?<\/h2>\n\n\n\n<p>Amazon Cognito serves as a robust identity platform for web and mobile applications, functioning as a user directory, authentication server, and OAuth 2.0 authorization service for access tokens and AWS credentials.<\/p>\n\n\n\n<p>It enables seamless authentication and authorization from built-in directories, enterprise systems, or consumer providers like Google and Facebook.<\/p>\n\n\n\n<p>Cognito provides two powerful components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User Pools<\/li>\n\n\n\n<li>Identity Pools<\/li>\n<\/ul>\n\n\n\n<p>Although they sound similar, they solve two completely different problems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cognito Identity Pools<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"AWS Cognito Identity Explained  Secure Way to Access AWS from Mobile Apps\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/2iE4NkB1Gy8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><strong>Amazon Cognito Identity<\/strong> 
provides temporary AWS credentials to mobile or web applications. These credentials are short-lived, expire automatically, and are scoped by the IAM role that the Identity Pool assumes on behalf of the client, allowing apps to access services such as AWS IoT Core, S3, and DynamoDB without any long-term secret being embedded in the app.<\/p>\n\n\n\n<p>Identity Pools support:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authenticated users<\/li>\n\n\n\n<li>Unauthenticated (guest) users<\/li>\n<\/ul>\n\n\n\n<p>Each category maps to its own IAM role. Anyone who knows the Identity Pool ID can request guest credentials, so enable unauthenticated access only when the app really needs it, and give that role no more than an anonymous client should be allowed to do.<\/p>\n\n\n\n<p><strong>In simple words:<\/strong><br>Identity Pools answer the question \u2014 <em>\u201cWhat can you do in AWS?\u201d<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Create an Amazon Cognito Identity Pool (Federated Identity)<\/h2>\n\n\n\n<p>I have recorded a detailed step-by-step tutorial explaining how to create an Identity Pool in Amazon Cognito.<br>You can watch the full walkthrough here:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"How to Create an AWS Cognito Identity Pool Guest Access  Android App + AWS IoT Core Demo\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/l9dMkZP1izE?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">User Pools<\/h2>\n\n\n\n<p><strong>Amazon Cognito User Pool<\/strong> is a managed user directory that handles <strong>authentication<\/strong> for your application.<\/p>\n\n\n\n<p>It allows you to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Register (Sign Up) users<\/li>\n\n\n\n<li>Authenticate (Sign In) users<\/li>\n\n\n\n<li>Manage passwords<\/li>\n\n\n\n<li>Store user attributes (email, phone, etc.)<\/li>\n<\/ul>\n\n\n\n<p>After successful authentication, a User Pool issues 
<strong>JWT tokens<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ID Token (a JWT carrying the user\u2019s identity claims such as <code>sub<\/code> and <code>email<\/code>; this is the token an Identity Pool consumes)<\/li>\n\n\n\n<li>Access Token (a JWT presented to your own APIs; authorize on its <code>scope<\/code> and <code>token_use<\/code> claims, not on the ID token)<\/li>\n\n\n\n<li>Refresh Token (used to obtain new ID and access tokens without re-authentication; the app should not parse it, and because it mints fresh tokens for as long as it is valid it needs the most careful storage of the three)<\/li>\n<\/ul>\n\n\n\n<p>Whoever consumes an ID or access token on the server side must verify its signature against the User Pool JWKS and check <code>iss<\/code>, <code>exp<\/code>, <code>token_use<\/code> and the app client ID (<code>aud<\/code> in the ID token, <code>client_id<\/code> in the access token) before trusting any claim in it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Supported Login Methods<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username &amp; Password<\/li>\n\n\n\n<li>Social providers (Google, Facebook, etc.)<\/li>\n\n\n\n<li>SAML \/ OIDC identity providers<\/li>\n<\/ul>\n\n\n\n<p><strong>In simple words:<\/strong><br>User Pools answer the question \u2014 <em>\u201cWho are you?\u201d<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Differences<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>User Pools<\/th><th>Identity Pools<\/th><\/tr><\/thead><tbody><tr><td>Main Purpose<\/td><td>Authentication<\/td><td>Authorization<\/td><\/tr><tr><td>Output<\/td><td>JWT Tokens<\/td><td>Temporary AWS Credentials<\/td><\/tr><tr><td>Manages Users?<\/td><td>Yes<\/td><td>No<\/td><\/tr><tr><td>Grants AWS Access?<\/td><td>No<\/td><td>Yes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How They Work Together (Temporary Credentials Flow)<\/h2>\n\n\n\n<p>This pattern is very common in mobile and IoT applications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: User Logs In<\/h3>\n\n\n\n<p>The user authenticates against the User Pool (for example with <code>InitiateAuth<\/code>) and receives the ID, access and refresh tokens.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Get Identity ID<\/h3>\n\n\n\n<p>The app sends the <strong>ID token<\/strong> to the Identity Pool (<code>GetId<\/code> API) in the <code>Logins<\/code> map, keyed by the User Pool issuer <code>cognito-idp.&lt;region&gt;.amazonaws.com\/&lt;user-pool-id&gt;<\/code>, and receives a Cognito Identity ID. The Identity Pool verifies the token itself; this call needs no AWS credentials.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Exchange for Temporary Credentials<\/h3>\n\n\n\n<p>The app calls <code>GetCredentialsForIdentity<\/code> with that Identity ID and the same <code>Logins<\/code> map to obtain temporary AWS credentials: an access key ID, a secret key, a session token and an expiration time, issued for the Identity Pool\u2019s authenticated role.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Access AWS Services<\/h3>\n\n\n\n<p>The app uses those credentials to securely access 
services like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon S3<\/li>\n\n\n\n<li>Amazon DynamoDB<\/li>\n\n\n\n<li>AWS IoT Core<\/li>\n<\/ul>\n\n\n\n<p>All without embedding long-term AWS access keys in the application. Every request is signed with SigV4 using the session credentials, and once they expire the app repeats the exchange (refreshing the User Pool tokens first if those have expired too).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IoT Use Case Example<\/h2>\n\n\n\n<p>In IoT applications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A mobile app authenticates the user via User Pool.<\/li>\n\n\n\n<li>Identity Pool provides temporary AWS credentials.<\/li>\n\n\n\n<li>Those credentials are used to connect to AWS IoT Core over WebSocket (MQTT over WSS) with a SigV4-signed URL; the session token travels with the request, so the app never holds a device certificate or a long-term key.<\/li>\n\n\n\n<li>AWS IoT policies control which MQTT client IDs and topics the identity may connect with, publish to and subscribe to. For an authenticated Cognito identity the request must be allowed by <strong>both<\/strong> the IAM policy on the Identity Pool\u2019s role and an AWS IoT policy attached to the Cognito Identity ID itself (<code>AttachPolicy<\/code> with the identity ID as the target); for guest identities only the IAM role policy applies.<\/li>\n\n\n\n<li>Use the <code>${cognito-identity.amazonaws.com:sub}<\/code> policy variable so that each identity is confined to its own topics (for example <code>app\/${cognito-identity.amazonaws.com:sub}\/*<\/code>) instead of granting a shared wildcard that lets any signed-in user publish to every \u201cThing\u201d.<\/li>\n<\/ul>\n\n\n\n<p>This gives per-identity, per-topic access control without provisioning a certificate for every app install.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Summary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User Pools = Authentication (Who are you?)<\/li>\n\n\n\n<li>Identity Pools = Authorization (What can you do?)<\/li>\n\n\n\n<li>Together, they provide secure and scalable access control for mobile, web, and IoT applications.<\/li>\n<\/ul>\n\n\n\n<p>If you&#8217;re building IoT systems, mobile apps, or serverless architectures on AWS, understanding this difference is essential.<\/p>\n\n\n\n<p><strong>References<\/strong>:<\/p>\n\n\n\n<p>Amazon Cognito Developer Guide \u2013 Official AWS Documentation<\/p>\n\n\n\n<p>https:\/\/docs.aws.amazon.com\/cognito\/latest\/developerguide\/what-is-amazon-cognito.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is Amazon Cognito? Amazon Cognito serves as a robust identity platform for web and mobile applications, functioning as a user directory, authentication server, and OAuth 2.0 authorization service for access tokens and AWS credentials. 
It enables seamless authentication and authorization from built-in directories, enterprise systems, or consumer providers like Google and Facebook. Cognito provides [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2779","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/posts\/2779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/comments?post=2779"}],"version-history":[{"count":2,"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/posts\/2779\/revisions"}],"predecessor-version":[{"id":3035,"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/posts\/2779\/revisions\/3035"}],"wp:attachment":[{"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/media?parent=2779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/categories?post=2779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vihaaniotgateway.in\/index.php\/wp-json\/wp\/v2\/tags?post=2779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
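Worked example for the four-step flow under "How They Work Together (Temporary Credentials Flow)" in the post above. This is added code, not from the original post and not AWS SDK code: it performs steps 2 and 3 against the Cognito Identity JSON API with only the standard library (both calls are unsigned; the User Pool ID token in the Logins map is the sole credential), after first checking that what it is about to forward really is an unexpired ID token rather than the access token. The region, the pool IDs, the make_unsigned_jwt helper and the fake_cognito_identity transport are constructed placeholders so the flow can be exercised offline; in an app the default transport talks to the real endpoint.

```python
"""Steps 2 and 3 of the User Pool -> Identity Pool flow with the standard library:
exchange a User Pool ID token for temporary AWS credentials by calling the Cognito
Identity JSON API (GetId, then GetCredentialsForIdentity). Both calls are unsigned;
the ID token inside the Logins map is the only credential they carry.
Region and pool IDs below are hypothetical placeholders, not real resources."""
import base64
import json
import time
import urllib.request

REGION = "ap-south-1"                                                 # assumption
USER_POOL_ID = "ap-south-1_EXAMPLE1"                                  # hypothetical
IDENTITY_POOL_ID = "ap-south-1:00000000-0000-4000-8000-000000000000"  # hypothetical


def logins_key(region: str, user_pool_id: str) -> str:
    """Logins-map key for a User Pool: the issuer host plus the pool ID."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def id_token_claims(jwt: str, now=None) -> dict:
    """Decode (NOT verify) the token payload and refuse to forward the wrong kind
    of token or an expired one. Signature verification is the Identity Pool's job;
    the client just fails fast with a clear error instead of a remote NotAuthorized."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    if claims.get("token_use") != "id":
        raise ValueError(f"identity pools expect the ID token, got token_use={claims.get('token_use')!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("ID token has expired; refresh it before exchanging")
    return claims


def cognito_identity_call(action: str, body: dict, region: str = REGION) -> dict:
    """POST one operation to the Cognito Identity endpoint (JSON 1.1 protocol)."""
    req = urllib.request.Request(
        f"https://cognito-identity.{region}.amazonaws.com/",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/x-amz-json-1.1",
                 "X-Amz-Target": f"AWSCognitoIdentityService.{action}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def get_temporary_credentials(id_token: str, call=cognito_identity_call, now=None):
    """Run GetId then GetCredentialsForIdentity; return (identity_id, credentials)."""
    id_token_claims(id_token, now)
    logins = {logins_key(REGION, USER_POOL_ID): id_token}
    identity_id = call("GetId", {"IdentityPoolId": IDENTITY_POOL_ID, "Logins": logins})["IdentityId"]
    creds = call("GetCredentialsForIdentity", {"IdentityId": identity_id, "Logins": logins})["Credentials"]
    missing = [k for k in ("AccessKeyId", "SecretKey", "SessionToken", "Expiration") if k not in creds]
    if missing:
        raise ValueError(f"malformed credentials response, missing {missing}")
    return identity_id, creds


# --- constructed offline stand-ins (not AWS code) -------------------------------
def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token: JWT layout with an empty signature segment."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'sample'})}.{seg(claims)}."


def fake_cognito_identity(action: str, body: dict) -> dict:
    """Stand-in transport mirroring the real response shapes so the flow runs offline."""
    if logins_key(REGION, USER_POOL_ID) not in body.get("Logins", {}):
        raise ValueError("Logins map lacks the User Pool issuer key")
    if action == "GetId":
        return {"IdentityId": f"{REGION}:11111111-2222-4333-8444-555555555555"}
    if action == "GetCredentialsForIdentity":
        return {"IdentityId": body["IdentityId"],
                "Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretKey": "example-secret",
                                "SessionToken": "example-session-token",
                                "Expiration": time.time() + 3600}}
    raise ValueError(f"unknown action {action}")


if __name__ == "__main__":
    token = make_unsigned_jwt({"token_use": "id", "sub": "user-1", "exp": time.time() + 600})
    ident, creds = get_temporary_credentials(token, call=fake_cognito_identity)
    print(ident, creds["AccessKeyId"], "expires", creds["Expiration"])
```

The client-side decode is deliberately unverified: the app is only forwarding its own token, and the Identity Pool is the party that checks the signature. Server-side consumers of the same tokens must not take that shortcut.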
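Worked example for the "IoT Use Case Example" section of the post above, added here and not part of the original post or of any AWS SDK. It builds the SigV4-presigned wss:// URL that the AWS IoT Core WebSocket endpoint (SigV4 service name iotdevicegateway, path /mqtt) accepts when a client connects with the temporary credentials from the previous step, using only the standard library. The endpoint host name, the key pair, the session token and the SAMPLE_TIME timestamp are constructed placeholders. The detail practitioners most often get wrong is made explicit: the session token is appended after the signature is computed and is not part of the canonical query string.

```python
"""Step 4 for AWS IoT Core: build the SigV4-presigned WebSocket URL (MQTT over WSS)
from the temporary credentials an Identity Pool returned. Standard library only and
deterministic for a fixed timestamp. The endpoint host, key pair and timestamp used
below are constructed placeholders, not real resources."""
import datetime
import hashlib
import hmac
import re
from urllib.parse import quote

SERVICE = "iotdevicegateway"   # SigV4 service name of the IoT Core data endpoint
ALGORITHM = "AWS4-HMAC-SHA256"
SAMPLE_TIME = datetime.datetime(2026, 2, 13, 14, 47, 29, tzinfo=datetime.timezone.utc)  # constructed


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Standard SigV4 key derivation chain: date -> region -> service -> aws4_request."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def presigned_mqtt_wss_url(host, region, access_key_id, secret_key,
                           session_token=None, when=None):
    """Return wss://host/mqtt?... signed for the given credentials.

    The canonical request covers only the four X-Amz-* parameters in sorted order,
    the host header and an empty payload. X-Amz-Security-Token is appended AFTER
    signing, exactly as the IoT WebSocket endpoint expects: it is not signed."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    query = (f"X-Amz-Algorithm={ALGORITHM}"
             f"&X-Amz-Credential={quote(access_key_id + '/' + scope, safe='')}"
             f"&X-Amz-Date={amz_date}"
             f"&X-Amz-SignedHeaders=host")
    canonical_request = "\n".join([
        "GET",
        "/mqtt",
        query,
        f"host:{host}\n",   # canonical headers block (each header line newline-terminated)
        "host",             # signed header names
        _sha256_hex(b""),   # hash of the empty GET body
    ])
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode())])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    query += f"&X-Amz-Signature={signature}"
    if session_token:   # temporary credentials from an Identity Pool always have one
        query += f"&X-Amz-Security-Token={quote(session_token, safe='')}"
    return f"wss://{host}/mqtt?{query}"


def signature_of(url: str):
    """Extract the hex signature from a presigned URL (None if absent)."""
    m = re.search(r"X-Amz-Signature=([0-9a-f]{64})", url)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed inputs: in the app these come from GetCredentialsForIdentity.
    url = presigned_mqtt_wss_url("a1b2c3d4e5f6g7-ats.iot.ap-south-1.amazonaws.com", "ap-south-1",
                                 "ASIAEXAMPLEKEY", "example-secret",
                                 session_token="example-session-token", when=SAMPLE_TIME)
    print(url)
```

Generate a fresh URL for every connect attempt rather than caching it: the signature is bound to the date stamp and to the session whose token rides along, and that session expires with the credentials. The connect then still has to pass two policy checks for an authenticated identity, the IAM role policy and the IoT policy attached to the Cognito Identity ID, both of which must allow iot:Connect for the client ID the MQTT client uses.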