Table: aws_cognito_identity_pool - Query AWS Cognito Identity Pools using SQL
The AWS Cognito Identity Pool is a service that provides temporary AWS credentials for users who you authenticate (federated users), or for users who are authenticated by a public login provider. These identity pools define which user attributes and attribute mappings to use when users sign in. It allows you to create unique identities for your users and federate them with identity providers.
Table Usage Guide
The aws_cognito_identity_pool table in Steampipe provides you with information about identity pools within AWS Cognito. This table enables you, as a DevOps engineer, to query identity pool-specific details, including its ID, ARN, configuration, and associated roles. You can utilize this table to gather insights on identity pools, such as their authentication providers, supported logins, and whether unauthenticated logins are allowed. The schema outlines the various attributes of the identity pool for you, including the identity pool ID, ARN, creation date, last modified date, and associated tags.
Examples
Basic info
Explore which AWS Cognito identity pools are associated with your account and gain insights into their regional distribution. This information can help you manage your AWS resources effectively and understand your usage patterns across different regions.
The query is the same in PostgreSQL and SQLite:

```sql
select
  identity_pool_id,
  identity_pool_name,
  tags,
  region,
  account_id
from
  aws_cognito_identity_pool;
```
List identity pools with classic flow enabled
Identify the identity pools that have the classic (basic) authentication flow enabled, to assess potential security risks.
PostgreSQL:

```sql
select
  identity_pool_id,
  identity_pool_name,
  allow_classic_flow
from
  aws_cognito_identity_pool
where
  allow_classic_flow;
```

SQLite:

```sql
select
  identity_pool_id,
  identity_pool_name,
  allow_classic_flow
from
  aws_cognito_identity_pool
where
  allow_classic_flow = 1;
```
List identity pools that allow unauthenticated identities
Identify the identity pools that allow unauthenticated (guest) identities, helping to identify potential security risks.
PostgreSQL (selects the allow_unauthenticated_identities column the query filters on, rather than allow_classic_flow):

```sql
select
  identity_pool_id,
  identity_pool_name,
  allow_unauthenticated_identities
from
  aws_cognito_identity_pool
where
  allow_unauthenticated_identities;
```

SQLite:

```sql
select
  identity_pool_id,
  identity_pool_name,
  allow_unauthenticated_identities
from
  aws_cognito_identity_pool
where
  allow_unauthenticated_identities = 1;
```
Get the identity provider details for a particular identity pool
Explore the specifics of a particular identity provider by examining its client and provider names, as well as its server-side token status. This is useful for assessing the configuration of your identity pool and ensuring it aligns with your security and usage requirements.
Because cognito_identity_providers is a JSON list (one element per Cognito user pool client), the list must be unnested before its keys can be read; applying ->> 'ClientId' directly to the array would return null.

PostgreSQL:

```sql
select
  ip.identity_pool_id,
  ip.identity_pool_name,
  ip.allow_classic_flow,
  p ->> 'ClientId' as identity_provider_client_id,
  p ->> 'ProviderName' as identity_provider_name,
  p ->> 'ServerSideTokenCheck' as server_side_token_enabled
from
  aws_cognito_identity_pool as ip,
  jsonb_array_elements(ip.cognito_identity_providers) as p
where
  ip.identity_pool_id = 'eu-west-3:e96205bf-1ef2-4fe6-a748-65e948673960';
```

SQLite:

```sql
select
  ip.identity_pool_id,
  ip.identity_pool_name,
  ip.allow_classic_flow,
  json_extract(p.value, '$.ClientId') as identity_provider_client_id,
  json_extract(p.value, '$.ProviderName') as identity_provider_name,
  json_extract(p.value, '$.ServerSideTokenCheck') as server_side_token_enabled
from
  aws_cognito_identity_pool as ip,
  json_each(ip.cognito_identity_providers) as p
where
  ip.identity_pool_id = 'eu-west-3:e96205bf-1ef2-4fe6-a748-65e948673960';
```
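The three checks above can be combined into a single audit query. The following PostgreSQL query is an added example, not part of the Steampipe documentation: it unnests cognito_identity_providers, keeps pools with no Cognito provider via a left join, and reports per row which findings apply (unauthenticated identities allowed, classic flow enabled, or a provider whose ServerSideTokenCheck is not enabled). It assumes the list elements carry the ClientId, ProviderName and ServerSideTokenCheck keys shown in the previous example.

```sql
-- Added example (PostgreSQL); not from the Steampipe plugin docs.
-- One row per (identity pool, Cognito user pool provider). Pools without a
-- Cognito provider still appear via the left join, so unauthenticated-access
-- and classic-flow findings are not lost for them.
with providers as (
  select
    ip.identity_pool_id,
    p ->> 'ProviderName' as provider_name,
    p ->> 'ClientId' as client_id,
    (p ->> 'ServerSideTokenCheck')::boolean as server_side_token_check
  from
    aws_cognito_identity_pool as ip,
    jsonb_array_elements(ip.cognito_identity_providers) as p
)
select
  ip.account_id,
  ip.region,
  ip.identity_pool_id,
  ip.identity_pool_name,
  ip.allow_unauthenticated_identities,
  ip.allow_classic_flow,
  pr.provider_name,
  pr.client_id,
  pr.server_side_token_check,
  -- Collect the applicable findings; case expressions without a match yield
  -- null, which array_remove drops.
  array_remove(array[
    case when ip.allow_unauthenticated_identities
         then 'unauthenticated identities allowed' end,
    case when ip.allow_classic_flow
         then 'classic (basic) flow enabled' end,
    case when pr.provider_name is not null
          and not coalesce(pr.server_side_token_check, false)
         then 'server-side token check disabled' end
  ], null) as findings
from
  aws_cognito_identity_pool as ip
  left join providers as pr on pr.identity_pool_id = ip.identity_pool_id
where
  ip.allow_unauthenticated_identities
  or ip.allow_classic_flow
  or (pr.provider_name is not null
      and not coalesce(pr.server_side_token_check, false))
order by
  ip.account_id, ip.region, ip.identity_pool_id, pr.provider_name;
```

A pool that passes all three checks produces no row, so an empty result means no findings for the connections queried.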
Schema for aws_cognito_identity_pool
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
allow_classic_flow | boolean | | Enables or disables the Basic (Classic) authentication flow.
allow_unauthenticated_identities | boolean | | TRUE if the identity pool supports unauthenticated logins.
cognito_identity_providers | jsonb | | A list representing an Amazon Cognito user pool and its client ID.
developer_provider_name | text | | The 'domain' by which Cognito will refer to your users.
identity_pool_id | text | = | An identity pool ID in the format REGION:GUID.
identity_pool_name | text | | A string that you provide.
open_id_connect_provider_arns | jsonb | | The ARNs of the OpenID Connect providers.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
saml_provider_arns | jsonb | | An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
supported_login_providers | jsonb | | Optional key:value pairs mapping provider names to provider app IDs.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_cognito_identity_pool
```