CognitoIdentity
***************

Client
======

class CognitoIdentity.Client

   A low-level client representing Amazon Cognito Identity

   Amazon Cognito Federated Identities is a web service that delivers scoped temporary credentials to mobile devices and other untrusted environments. It uniquely identifies a device and supplies the user with a consistent identity over the lifetime of an application.

   Using Amazon Cognito Federated Identities, you can enable authentication with one or more third-party identity providers (Facebook, Google, or Login with Amazon) or an Amazon Cognito user pool, and you can also choose to support unauthenticated access from your app. Cognito delivers a unique identifier for each user and acts as an OpenID token provider trusted by Security Token Service (STS) to access temporary, limited-privilege Amazon Web Services credentials.

   For a description of the authentication flow from the Amazon Cognito Developer Guide see Authentication Flow.

   For more information see Amazon Cognito Federated Identities.

      import boto3

      client = boto3.client('cognito-identity')

These are the available methods:

* can_paginate
* close
* create_identity_pool
* delete_identities
* delete_identity_pool
* describe_identity
* describe_identity_pool
* get_credentials_for_identity
* get_id
* get_identity_pool_roles
* get_open_id_token
* get_open_id_token_for_developer_identity
* get_paginator
* get_principal_tag_attribute_map
* get_waiter
* list_identities
* list_identity_pools
* list_tags_for_resource
* lookup_developer_identity
* merge_developer_identities
* set_identity_pool_roles
* set_principal_tag_attribute_map
* tag_resource
* unlink_developer_identity
* unlink_identity
* untag_resource
* update_identity_pool

Paginators
==========

Paginators are available on a client instance via the "get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide.
The available paginators are:

* ListIdentityPools

ListIdentityPools
*****************

class CognitoIdentity.Paginator.ListIdentityPools

      paginator = client.get_paginator('list_identity_pools')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "CognitoIdentity.Client.list_identity_pools()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
         * **PageSize** *(integer) --* The size of each page.
         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'IdentityPools': [
                    {
                        'IdentityPoolId': 'string',
                        'IdentityPoolName': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --* The result of a successful ListIdentityPools action.
           * **IdentityPools** *(list) --* The identity pools returned by the ListIdentityPools action.
             * *(dict) --* A description of the identity pool.
               * **IdentityPoolId** *(string) --* An identity pool ID in the format REGION:GUID.
               * **IdentityPoolName** *(string) --* A string that you provide.

delete_identity_pool
********************

CognitoIdentity.Client.delete_identity_pool(**kwargs)

   Deletes an identity pool. Once a pool is deleted, users will not be able to authenticate with the pool.

   You must use Amazon Web Services developer credentials to call this operation.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.delete_identity_pool(
          IdentityPoolId='string'
      )

   Parameters:
      **IdentityPoolId** (*string*) -- **[REQUIRED]** An identity pool ID in the format REGION:GUID.

   Returns:
      None

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

get_paginator
*************

CognitoIdentity.Client.get_paginator(operation_name)

   Create a paginator for an operation.

   Parameters:
      **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")".

   Raises:
      **OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable.

   Return type:
      "botocore.paginate.Paginator"

   Returns:
      A paginator object.

set_identity_pool_roles
***********************

CognitoIdentity.Client.set_identity_pool_roles(**kwargs)

   Sets the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action.

   You must use Amazon Web Services developer credentials to call this operation.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.set_identity_pool_roles(
          IdentityPoolId='string',
          Roles={
              'string': 'string'
          },
          RoleMappings={
              'string': {
                  'Type': 'Token'|'Rules',
                  'AmbiguousRoleResolution': 'AuthenticatedRole'|'Deny',
                  'RulesConfiguration': {
                      'Rules': [
                          {
                              'Claim': 'string',
                              'MatchType': 'Equals'|'Contains'|'StartsWith'|'NotEqual',
                              'Value': 'string',
                              'RoleARN': 'string'
                          },
                      ]
                  }
              }
          }
      )

   Parameters:
      * **IdentityPoolId** (*string*) -- **[REQUIRED]** An identity pool ID in the format REGION:GUID.
      * **Roles** (*dict*) -- **[REQUIRED]** The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.
        * *(string) --*
          * *(string) --*
      * **RoleMappings** (*dict*) -- How users for a specific identity provider are to be mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".

        Up to 25 rules can be specified per identity provider.

        * *(string) --*
          * *(dict) --* A role mapping.
            * **Type** *(string) --* **[REQUIRED]** The role mapping type. Token will use "cognito:roles" and "cognito:preferred_role" claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.
            * **AmbiguousRoleResolution** *(string) --* If you specify Token or Rules as the "Type", "AmbiguousRoleResolution" is required. Specifies the action to be taken if either no rules match the claim value for the "Rules" type, or there is no "cognito:preferred_role" claim and there are multiple "cognito:roles" matches for the "Token" type.
            * **RulesConfiguration** *(dict) --* The rules to be used for mapping users to roles. If you specify Rules as the role mapping type, "RulesConfiguration" is required.
              * **Rules** *(list) --* **[REQUIRED]** An array of rules.
                You can specify up to 25 rules per identity provider. Rules are evaluated in order. The first one to match specifies the role.

                * *(dict) --* A rule that maps a claim name, a claim value, and a match type to a role ARN.
                  * **Claim** *(string) --* **[REQUIRED]** The claim name that must be present in the token, for example, "isAdmin" or "paid".
                  * **MatchType** *(string) --* **[REQUIRED]** The match condition that specifies how closely the claim value in the IdP token must match "Value".
                  * **Value** *(string) --* **[REQUIRED]** A brief string that the claim must match, for example, "paid" or "yes".
                  * **RoleARN** *(string) --* **[REQUIRED]** The role ARN.

   Returns:
      None

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"
   * "CognitoIdentity.Client.exceptions.ConcurrentModificationException"

get_principal_tag_attribute_map
*******************************

CognitoIdentity.Client.get_principal_tag_attribute_map(**kwargs)

   Use "GetPrincipalTagAttributeMap" to list all mappings between "PrincipalTags" and user attributes.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_principal_tag_attribute_map(
          IdentityPoolId='string',
          IdentityProviderName='string'
      )

   Parameters:
      * **IdentityPoolId** (*string*) -- **[REQUIRED]** You can use this operation to get the ID of the Identity Pool you set up attribute mappings for.
      * **IdentityProviderName** (*string*) -- **[REQUIRED]** You can use this operation to get the provider name.
   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityPoolId': 'string',
             'IdentityProviderName': 'string',
             'UseDefaults': True|False,
             'PrincipalTags': {
                 'string': 'string'
             }
         }

      **Response Structure**

      * *(dict) --*
        * **IdentityPoolId** *(string) --* You can use this operation to get the ID of the Identity Pool you set up attribute mappings for.
        * **IdentityProviderName** *(string) --* You can use this operation to get the provider name.
        * **UseDefaults** *(boolean) --* You can use this operation to list
        * **PrincipalTags** *(dict) --* You can use this operation to add principal tags. The >>``<.amazonaws.com/", for example, "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789".

        * Google: "accounts.google.com"
        * Amazon: "www.amazon.com"
        * Twitter: "api.twitter.com"
        * Digits: "www.digits.com"

        * *(string) --*
          * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityId': 'string'
         }

      **Response Structure**

      * *(dict) --* Returned in response to a GetId request.
        * **IdentityId** *(string) --* A unique identifier in the format REGION:GUID.

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"
   * "CognitoIdentity.Client.exceptions.LimitExceededException"
   * "CognitoIdentity.Client.exceptions.ExternalServiceException"

delete_identities
*****************

CognitoIdentity.Client.delete_identities(**kwargs)

   Deletes identities from an identity pool. You can specify a list of 1-60 identities that you want to delete.

   You must use Amazon Web Services developer credentials to call this operation.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.delete_identities(
          IdentityIdsToDelete=[
              'string',
          ]
      )

   Parameters:
      **IdentityIdsToDelete** (*list*) -- **[REQUIRED]** A list of 1-60 identities that you want to delete.

      * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'UnprocessedIdentityIds': [
                 {
                     'IdentityId': 'string',
                     'ErrorCode': 'AccessDenied'|'InternalServerError'
                 },
             ]
         }

      **Response Structure**

      * *(dict) --* Returned in response to a successful "DeleteIdentities" operation.
        * **UnprocessedIdentityIds** *(list) --* An array of UnprocessedIdentityId objects, each of which contains an ErrorCode and IdentityId.
          * *(dict) --* An array of UnprocessedIdentityId objects, each of which contains an ErrorCode and IdentityId.
            * **IdentityId** *(string) --* A unique identifier in the format REGION:GUID.
            * **ErrorCode** *(string) --* The error code indicating the type of error that occurred.

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

unlink_identity
***************

CognitoIdentity.Client.unlink_identity(**kwargs)

   Unlinks a federated identity from an existing account. Unlinked logins will be considered new identities next time they are seen. Removing the last linked login will make this identity inaccessible.

   This is a public API. You do not need any credentials to call this API.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.unlink_identity(
          IdentityId='string',
          Logins={
              'string': 'string'
          },
          LoginsToRemove=[
              'string',
          ]
      )

   Parameters:
      * **IdentityId** (*string*) -- **[REQUIRED]** A unique identifier in the format REGION:GUID.
      * **Logins** (*dict*) -- **[REQUIRED]** A set of optional name-value pairs that map provider names to provider tokens.
        * *(string) --*
          * *(string) --*
      * **LoginsToRemove** (*list*) -- **[REQUIRED]** Provider names to unlink from this identity.
        * *(string) --*

   Returns:
      None

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"
   * "CognitoIdentity.Client.exceptions.ExternalServiceException"

list_identity_pools
*******************

CognitoIdentity.Client.list_identity_pools(**kwargs)

   Lists all of the Cognito identity pools registered for your account.

   You must use Amazon Web Services developer credentials to call this operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_identity_pools(
          MaxResults=123,
          NextToken='string'
      )

   Parameters:
      * **MaxResults** (*integer*) -- **[REQUIRED]** The maximum number of identities to return.
      * **NextToken** (*string*) -- A pagination token.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityPools': [
                 {
                     'IdentityPoolId': 'string',
                     'IdentityPoolName': 'string'
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --* The result of a successful ListIdentityPools action.
        * **IdentityPools** *(list) --* The identity pools returned by the ListIdentityPools action.
          * *(dict) --* A description of the identity pool.
            * **IdentityPoolId** *(string) --* An identity pool ID in the format REGION:GUID.
            * **IdentityPoolName** *(string) --* A string that you provide.
        * **NextToken** *(string) --* A pagination token.
   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

create_identity_pool
********************

CognitoIdentity.Client.create_identity_pool(**kwargs)

   Creates a new identity pool. The identity pool is a store of user identity information that is specific to your Amazon Web Services account. The keys for "SupportedLoginProviders" are as follows:

   * Facebook: "graph.facebook.com"
   * Google: "accounts.google.com"
   * Sign in With Apple: "appleid.apple.com"
   * Amazon: "www.amazon.com"
   * Twitter: "api.twitter.com"
   * Digits: "www.digits.com"

   Warning:
      If you don't provide a value for a parameter, Amazon Cognito sets it to its default value.

   You must use Amazon Web Services developer credentials to call this operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.create_identity_pool(
          IdentityPoolName='string',
          AllowUnauthenticatedIdentities=True|False,
          AllowClassicFlow=True|False,
          SupportedLoginProviders={
              'string': 'string'
          },
          DeveloperProviderName='string',
          OpenIdConnectProviderARNs=[
              'string',
          ],
          CognitoIdentityProviders=[
              {
                  'ProviderName': 'string',
                  'ClientId': 'string',
                  'ServerSideTokenCheck': True|False
              },
          ],
          SamlProviderARNs=[
              'string',
          ],
          IdentityPoolTags={
              'string': 'string'
          }
      )

   Parameters:
      * **IdentityPoolName** (*string*) -- **[REQUIRED]** A string that you provide.
      * **AllowUnauthenticatedIdentities** (*boolean*) -- **[REQUIRED]** TRUE if the identity pool supports unauthenticated logins.
      * **AllowClassicFlow** (*boolean*) -- Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the *Amazon Cognito Developer Guide*.
      * **SupportedLoginProviders** (*dict*) -- Optional key:value pairs mapping provider names to provider app IDs.
        * *(string) --*
          * *(string) --*
      * **DeveloperProviderName** (*string*) -- The "domain" by which Cognito will refer to your users. This name acts as a placeholder that allows your backend and the Cognito service to communicate about the developer provider. For the "DeveloperProviderName", you can use letters as well as period ("."), underscore ("_"), and dash ("-").

        Once you have set a developer provider name, you cannot change it. Please take care in setting this parameter.
      * **OpenIdConnectProviderARNs** (*list*) -- The Amazon Resource Names (ARN) of the OpenID Connect providers.
        * *(string) --*
      * **CognitoIdentityProviders** (*list*) -- An array of Amazon Cognito user pools and their client IDs.
        * *(dict) --* A provider representing an Amazon Cognito user pool and its client ID.
          * **ProviderName** *(string) --* The provider name for an Amazon Cognito user pool. For example, "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789".
          * **ClientId** *(string) --* The client ID for the Amazon Cognito user pool.
          * **ServerSideTokenCheck** *(boolean) --* TRUE if server-side token validation is enabled for the identity provider’s token.

            Once you set "ServerSideTokenCheck" to TRUE for an identity pool, that identity pool will check with the integrated user pools to make sure that the user has not been globally signed out or deleted before the identity pool provides an OIDC token or Amazon Web Services credentials for the user.

            If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.
      * **SamlProviderARNs** (*list*) -- An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
        * *(string) --*
      * **IdentityPoolTags** (*dict*) -- Tags to assign to the identity pool.
        A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.

        * *(string) --*
          * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityPoolId': 'string',
             'IdentityPoolName': 'string',
             'AllowUnauthenticatedIdentities': True|False,
             'AllowClassicFlow': True|False,
             'SupportedLoginProviders': {
                 'string': 'string'
             },
             'DeveloperProviderName': 'string',
             'OpenIdConnectProviderARNs': [
                 'string',
             ],
             'CognitoIdentityProviders': [
                 {
                     'ProviderName': 'string',
                     'ClientId': 'string',
                     'ServerSideTokenCheck': True|False
                 },
             ],
             'SamlProviderARNs': [
                 'string',
             ],
             'IdentityPoolTags': {
                 'string': 'string'
             }
         }

      **Response Structure**

      * *(dict) --* An object representing an Amazon Cognito identity pool.
        * **IdentityPoolId** *(string) --* An identity pool ID in the format REGION:GUID.
        * **IdentityPoolName** *(string) --* A string that you provide.
        * **AllowUnauthenticatedIdentities** *(boolean) --* TRUE if the identity pool supports unauthenticated logins.
        * **AllowClassicFlow** *(boolean) --* Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the *Amazon Cognito Developer Guide*.
        * **SupportedLoginProviders** *(dict) --* Optional key:value pairs mapping provider names to provider app IDs.
          * *(string) --*
            * *(string) --*
        * **DeveloperProviderName** *(string) --* The "domain" by which Cognito will refer to your users.
        * **OpenIdConnectProviderARNs** *(list) --* The ARNs of the OpenID Connect providers.
          * *(string) --*
        * **CognitoIdentityProviders** *(list) --* A list representing an Amazon Cognito user pool and its client ID.
          * *(dict) --* A provider representing an Amazon Cognito user pool and its client ID.
            * **ProviderName** *(string) --* The provider name for an Amazon Cognito user pool. For example, "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789".
            * **ClientId** *(string) --* The client ID for the Amazon Cognito user pool.
            * **ServerSideTokenCheck** *(boolean) --* TRUE if server-side token validation is enabled for the identity provider’s token.

              Once you set "ServerSideTokenCheck" to TRUE for an identity pool, that identity pool will check with the integrated user pools to make sure that the user has not been globally signed out or deleted before the identity pool provides an OIDC token or Amazon Web Services credentials for the user.

              If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.
        * **SamlProviderARNs** *(list) --* An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
          * *(string) --*
        * **IdentityPoolTags** *(dict) --* The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
          * *(string) --*
            * *(string) --*

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"
   * "CognitoIdentity.Client.exceptions.LimitExceededException"

close
*****

CognitoIdentity.Client.close()

   Closes underlying endpoint connections.

list_identities
***************

CognitoIdentity.Client.list_identities(**kwargs)

   Lists the identities in an identity pool.

   You must use Amazon Web Services developer credentials to call this operation.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_identities(
          IdentityPoolId='string',
          MaxResults=123,
          NextToken='string',
          HideDisabled=True|False
      )

   Parameters:
      * **IdentityPoolId** (*string*) -- **[REQUIRED]** An identity pool ID in the format REGION:GUID.
      * **MaxResults** (*integer*) -- **[REQUIRED]** The maximum number of identities to return.
      * **NextToken** (*string*) -- A pagination token.
      * **HideDisabled** (*boolean*) -- An optional boolean parameter that allows you to hide disabled identities. If omitted, the ListIdentities API will include disabled identities in the response.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityPoolId': 'string',
             'Identities': [
                 {
                     'IdentityId': 'string',
                     'Logins': [
                         'string',
                     ],
                     'CreationDate': datetime(2015, 1, 1),
                     'LastModifiedDate': datetime(2015, 1, 1)
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --* The response to a ListIdentities request.
        * **IdentityPoolId** *(string) --* An identity pool ID in the format REGION:GUID.
        * **Identities** *(list) --* An object containing a set of identities and associated mappings.
          * *(dict) --* A description of the identity.
            * **IdentityId** *(string) --* A unique identifier in the format REGION:GUID.
            * **Logins** *(list) --* The provider names.
              * *(string) --*
            * **CreationDate** *(datetime) --* Date on which the identity was created.
            * **LastModifiedDate** *(datetime) --* Date on which the identity was last modified.
        * **NextToken** *(string) --* A pagination token.
   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

lookup_developer_identity
*************************

CognitoIdentity.Client.lookup_developer_identity(**kwargs)

   Retrieves the "IdentityID" associated with a "DeveloperUserIdentifier" or the list of "DeveloperUserIdentifier" values associated with an "IdentityId" for an existing identity. Either "IdentityID" or "DeveloperUserIdentifier" must not be null. If you supply only one of these values, the other value will be searched in the database and returned as a part of the response. If you supply both, "DeveloperUserIdentifier" will be matched against "IdentityID". If the values are verified against the database, the response returns both values and is the same as the request. Otherwise, a "ResourceConflictException" is thrown.

   "LookupDeveloperIdentity" is intended for low-throughput control plane operations: for example, to enable customer service to locate an identity ID by username. If you are using it for higher-volume operations such as user authentication, your requests are likely to be throttled. GetOpenIdTokenForDeveloperIdentity is a better option for higher-volume operations for user authentication.

   You must use Amazon Web Services developer credentials to call this operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.lookup_developer_identity(
          IdentityPoolId='string',
          IdentityId='string',
          DeveloperUserIdentifier='string',
          MaxResults=123,
          NextToken='string'
      )

   Parameters:
      * **IdentityPoolId** (*string*) -- **[REQUIRED]** An identity pool ID in the format REGION:GUID.
      * **IdentityId** (*string*) -- A unique identifier in the format REGION:GUID.
      * **DeveloperUserIdentifier** (*string*) -- A unique ID used by your backend authentication process to identify a user. Typically, a developer identity provider would issue many developer user identifiers, in keeping with the number of users.
      * **MaxResults** (*integer*) -- The maximum number of identities to return.
      * **NextToken** (*string*) -- A pagination token. The first call you make will have "NextToken" set to null. After that the service will return "NextToken" values as needed. For example, let's say you make a request with "MaxResults" set to 10, and there are 20 matches in the database. The service will return a pagination token as a part of the response. This token can be used to call the API again and get results starting from the 11th match.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityId': 'string',
             'DeveloperUserIdentifierList': [
                 'string',
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --* Returned in response to a successful "LookupDeveloperIdentity" action.
        * **IdentityId** *(string) --* A unique identifier in the format REGION:GUID.
        * **DeveloperUserIdentifierList** *(list) --* This is the list of developer user identifiers associated with an identity ID. Cognito supports the association of multiple developer user identifiers with an identity ID.
          * *(string) --*
        * **NextToken** *(string) --* A pagination token. The first call you make will have "NextToken" set to null. After that the service will return "NextToken" values as needed. For example, let's say you make a request with "MaxResults" set to 10, and there are 20 matches in the database. The service will return a pagination token as a part of the response. This token can be used to call the API again and get results starting from the 11th match.
   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

describe_identity
*****************

CognitoIdentity.Client.describe_identity(**kwargs)

   Returns metadata related to the given identity, including when the identity was created and any associated linked logins.

   You must use Amazon Web Services developer credentials to call this operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.describe_identity(
          IdentityId='string'
      )

   Parameters:
      **IdentityId** (*string*) -- **[REQUIRED]** A unique identifier in the format REGION:GUID.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityId': 'string',
             'Logins': [
                 'string',
             ],
             'CreationDate': datetime(2015, 1, 1),
             'LastModifiedDate': datetime(2015, 1, 1)
         }

      **Response Structure**

      * *(dict) --* A description of the identity.
        * **IdentityId** *(string) --* A unique identifier in the format REGION:GUID.
        * **Logins** *(list) --* The provider names.
          * *(string) --*
        * **CreationDate** *(datetime) --* Date on which the identity was created.
        * **LastModifiedDate** *(datetime) --* Date on which the identity was last modified.
   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

unlink_developer_identity
*************************

CognitoIdentity.Client.unlink_developer_identity(**kwargs)

   Unlinks a "DeveloperUserIdentifier" from an existing identity. Unlinked developer users will be considered new identities next time they are seen. If, for a given Cognito identity, you remove all federated identities as well as the developer user identifier, the Cognito identity becomes inaccessible.

   You must use Amazon Web Services developer credentials to call this operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.unlink_developer_identity(
          IdentityId='string',
          IdentityPoolId='string',
          DeveloperProviderName='string',
          DeveloperUserIdentifier='string'
      )

   Parameters:
      * **IdentityId** (*string*) -- **[REQUIRED]** A unique identifier in the format REGION:GUID.
      * **IdentityPoolId** (*string*) -- **[REQUIRED]** An identity pool ID in the format REGION:GUID.
      * **DeveloperProviderName** (*string*) -- **[REQUIRED]** The "domain" by which Cognito will refer to your users.
      * **DeveloperUserIdentifier** (*string*) -- **[REQUIRED]** A unique ID used by your backend authentication process to identify a user.
   Returns:
      None

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

tag_resource
************

CognitoIdentity.Client.tag_resource(**kwargs)

   Assigns a set of tags to the specified Amazon Cognito identity pool. A tag is a label that you can use to categorize and manage identity pools in different ways, such as by purpose, owner, environment, or other criteria.

   Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of an identity pool, one for testing and another for production, you might assign an "Environment" tag key to both identity pools. The value of this key might be "Test" for one identity pool and "Production" for the other.

   Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your identity pools. In an IAM policy, you can constrain permissions for identity pools based on specific tags or tag values.

   You can use this action up to 5 times per second, per account. An identity pool can have as many as 50 tags.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.tag_resource(
          ResourceArn='string',
          Tags={
              'string': 'string'
          }
      )

   Parameters:
      * **ResourceArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of the identity pool.
      * **Tags** (*dict*) -- **[REQUIRED]** The tags to assign to the identity pool.
        * *(string) --*

          * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

CognitoIdentity / Client / get_credentials_for_identity

get_credentials_for_identity
****************************

CognitoIdentity.Client.get_credentials_for_identity(**kwargs)

   Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers. If the token is for "cognito-identity.amazonaws.com", it will be passed through to Security Token Service with the appropriate role for the token.

   This is a public API. You do not need any credentials to call this API.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_credentials_for_identity(
          IdentityId='string',
          Logins={
              'string': 'string'
          },
          CustomRoleArn='string'
      )

   Parameters:
      * **IdentityId** (*string*) -- **[REQUIRED]** A unique identifier in the format REGION:GUID.

      * **Logins** (*dict*) -- A set of optional name-value pairs that map provider names to provider tokens. The name-value pair will follow the syntax "provider_name": "provider_user_identifier".

        Logins should not be specified when trying to get credentials for an unauthenticated identity.

        The Logins parameter is required when using identities associated with external identity providers such as Facebook. For examples of "Logins" maps, see the code examples in the External Identity Providers section of the Amazon Cognito Developer Guide.

        * *(string) --*

          * *(string) --*

      * **CustomRoleArn** (*string*) -- The Amazon Resource Name (ARN) of the role to be assumed when multiple roles were received in the token from the identity provider.
        For example, a SAML-based identity provider. This parameter is optional for identity providers that do not support role customization.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityId': 'string',
             'Credentials': {
                 'AccessKeyId': 'string',
                 'SecretKey': 'string',
                 'SessionToken': 'string',
                 'Expiration': datetime(2015, 1, 1)
             }
         }

      **Response Structure**

      * *(dict) --* Returned in response to a successful "GetCredentialsForIdentity" operation.

        * **IdentityId** *(string) --* A unique identifier in the format REGION:GUID.

        * **Credentials** *(dict) --* Credentials for the provided identity ID.

          * **AccessKeyId** *(string) --* The Access Key portion of the credentials.

          * **SecretKey** *(string) --* The Secret Access Key portion of the credentials

          * **SessionToken** *(string) --* The Session Token portion of the credentials

          * **Expiration** *(datetime) --* The date at which these credentials will expire.

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.ResourceConflictException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InvalidIdentityPoolConfigurationException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"
   * "CognitoIdentity.Client.exceptions.ExternalServiceException"

CognitoIdentity / Client / describe_identity_pool

describe_identity_pool
**********************

CognitoIdentity.Client.describe_identity_pool(**kwargs)

   Gets details about a particular identity pool, including the pool name, ID description, creation date, and current number of users.

   You must use Amazon Web Services developer credentials to call this operation.
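   An added example, not part of the boto3 documentation: it audits a "describe_identity_pool" response for the settings that decide who can obtain credentials ("AllowUnauthenticatedIdentities", "AllowClassicFlow", and each user pool provider's "ServerSideTokenCheck"). The sample pool, the finding codes and the function names are constructed for illustration.

```python
# Constructed sample in the documented describe_identity_pool response shape.
SAMPLE_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "IdentityPoolName": "example_pool",
    "AllowUnauthenticatedIdentities": True,
    "AllowClassicFlow": True,
    "CognitoIdentityProviders": [
        {"ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789",
         "ClientId": "exampleclientid1", "ServerSideTokenCheck": False},
        {"ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789",
         "ClientId": "exampleclientid2", "ServerSideTokenCheck": True},
    ],
}


def audit_identity_pool(pool):
    """Return (code, detail) findings for one describe_identity_pool response."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities"):
        # get_credentials_for_identity is a public API, so this setting decides
        # whether callers without any login token can receive credentials.
        findings.append(("UNAUTH_ENABLED", "unauthenticated logins are supported"))
    if pool.get("AllowClassicFlow"):
        findings.append(("CLASSIC_FLOW", "Basic (Classic) flow is enabled"))
    for provider in pool.get("CognitoIdentityProviders", []):
        # Assumption of this example: a missing key counts as disabled.
        if not provider.get("ServerSideTokenCheck", False):
            detail = f"{provider.get('ProviderName')} client {provider.get('ClientId')}"
            findings.append(("NO_SERVER_SIDE_TOKEN_CHECK", detail))
    return findings


def audit_all_pools(client):
    """Audit every pool visible to a boto3 'cognito-identity' client."""
    report = {}
    paginator = client.get_paginator("list_identity_pools")
    # PageSize is sent as MaxResults, which list_identity_pools requires.
    for page in paginator.paginate(PaginationConfig={"PageSize": 60}):
        for summary in page["IdentityPools"]:
            pool = client.describe_identity_pool(
                IdentityPoolId=summary["IdentityPoolId"])
            report[summary["IdentityPoolId"]] = audit_identity_pool(pool)
    return report


if __name__ == "__main__":
    for code, detail in audit_identity_pool(SAMPLE_POOL):
        print(f"{code}: {detail}")
```

   Against a live account, pass "boto3.client('cognito-identity')" to "audit_all_pools"; the caller needs developer credentials for both operations it invokes.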
   See also: AWS API Documentation

   **Request Syntax**

      response = client.describe_identity_pool(
          IdentityPoolId='string'
      )

   Parameters:
      **IdentityPoolId** (*string*) -- **[REQUIRED]** An identity pool ID in the format REGION:GUID.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityPoolId': 'string',
             'IdentityPoolName': 'string',
             'AllowUnauthenticatedIdentities': True|False,
             'AllowClassicFlow': True|False,
             'SupportedLoginProviders': {
                 'string': 'string'
             },
             'DeveloperProviderName': 'string',
             'OpenIdConnectProviderARNs': [
                 'string',
             ],
             'CognitoIdentityProviders': [
                 {
                     'ProviderName': 'string',
                     'ClientId': 'string',
                     'ServerSideTokenCheck': True|False
                 },
             ],
             'SamlProviderARNs': [
                 'string',
             ],
             'IdentityPoolTags': {
                 'string': 'string'
             }
         }

      **Response Structure**

      * *(dict) --* An object representing an Amazon Cognito identity pool.

        * **IdentityPoolId** *(string) --* An identity pool ID in the format REGION:GUID.

        * **IdentityPoolName** *(string) --* A string that you provide.

        * **AllowUnauthenticatedIdentities** *(boolean) --* TRUE if the identity pool supports unauthenticated logins.

        * **AllowClassicFlow** *(boolean) --* Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the *Amazon Cognito Developer Guide*.

        * **SupportedLoginProviders** *(dict) --* Optional key:value pairs mapping provider names to provider app IDs.

          * *(string) --*

            * *(string) --*

        * **DeveloperProviderName** *(string) --* The "domain" by which Cognito will refer to your users.

        * **OpenIdConnectProviderARNs** *(list) --* The ARNs of the OpenID Connect providers.

          * *(string) --*

        * **CognitoIdentityProviders** *(list) --* A list representing an Amazon Cognito user pool and its client ID.

          * *(dict) --* A provider representing an Amazon Cognito user pool and its client ID.

            * **ProviderName** *(string) --* The provider name for an Amazon Cognito user pool.
              For example, "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789".

            * **ClientId** *(string) --* The client ID for the Amazon Cognito user pool.

            * **ServerSideTokenCheck** *(boolean) --* TRUE if server-side token validation is enabled for the identity provider’s token.

              Once you set "ServerSideTokenCheck" to TRUE for an identity pool, that identity pool will check with the integrated user pools to make sure that the user has not been globally signed out or deleted before the identity pool provides an OIDC token or Amazon Web Services credentials for the user.

              If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.

        * **SamlProviderARNs** *(list) --* An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.

          * *(string) --*

        * **IdentityPoolTags** *(dict) --* The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.

          * *(string) --*

            * *(string) --*

   **Exceptions**

   * "CognitoIdentity.Client.exceptions.InvalidParameterException"
   * "CognitoIdentity.Client.exceptions.ResourceNotFoundException"
   * "CognitoIdentity.Client.exceptions.NotAuthorizedException"
   * "CognitoIdentity.Client.exceptions.TooManyRequestsException"
   * "CognitoIdentity.Client.exceptions.InternalErrorException"

CognitoIdentity / Client / set_principal_tag_attribute_map

set_principal_tag_attribute_map
*******************************

CognitoIdentity.Client.set_principal_tag_attribute_map(**kwargs)

   You can use this operation to use default (username and clientID) attribute or custom attribute mappings.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.set_principal_tag_attribute_map(
          IdentityPoolId='string',
          IdentityProviderName='string',
          UseDefaults=True|False,
          PrincipalTags={
              'string': 'string'
          }
      )

   Parameters:
      * **IdentityPoolId** (*string*) -- **[REQUIRED]** The ID of the Identity Pool you want to set attribute mappings for.

      * **IdentityProviderName** (*string*) -- **[REQUIRED]** The provider name you want to use for attribute mappings.

      * **UseDefaults** (*boolean*) -- You can use this operation to use default (username and clientID) attribute mappings.

      * **PrincipalTags** (*dict*) -- You can use this operation to add principal tags.

        * *(string) --*

          * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'IdentityPoolId': 'string',
             'IdentityProviderName': 'string',
             'UseDefaults': True|False,
             'PrincipalTags': {
                 'string': 'string'
             }
         }

      **Response Structure**

      * *(dict) --*

        * **IdentityPoolId** *(string) --* The ID of the Identity Pool you want to set attribute mappings for.

        * **IdentityProviderName** *(string) --* The provider name you want to use for attribute mappings.

        * **UseDefaults** *(boolean) --* You can use this operation to select default (username and clientID) attribute mappings.

        * **PrincipalTags** *(dict) --* You can use this operation to add principal tags. The >>``<