
Guest OpenID credentials should work even without IAM role associated in Cognito Identity pool #14638

@alnemo

Description

Is this related to a new or existing framework?

New framework

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

Currently AWS Amplify is unable to support a backend configuration where an AWS Cognito Identity pool is created without IAM roles assigned to authenticated/unauthenticated identities and with the classic flow allowed.

When retrieving a guest identity, Amplify immediately tries to retrieve AWS credentials, which fails when no IAM role is assigned.
https://github.com/aws-amplify/amplify-js/blob/7d61814ceb87bb2c230f278f6ad692803a3b2ad5/packages/auth/src/providers/cognito/credentialsProvider/credentialsProvider.ts#L131C25-L131C50

The call to GetCredentialsForIdentity returns an exception, because an identity like this has no IAM credentials at all.

However, in the classic flow (https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html#authentication-flow-basic) calling the GetId/GetOpenIdToken APIs does not require any IAM credentials/roles.

This approach allows one to give anonymous identities access to some APIs with this OpenID token: there is some credential restricting access instead of the API being completely open, but mostly it is for keeping track of their unique sessions across multiple stateless API calls, as the IdentityId remains unchanged even when tokens refresh.

Assigning an IAM role to such identities creates a potential opening for attackers: if other roles in the AWS account define their trust policy loosely (for example, by verifying only the account ID), they can be assumed to escalate privileges. It also allows exploiting AWS resources where IAM permissions were set to check only the principal's account rather than specific roles.

IAM misconfigurations are possibly the most commonly exploited weakness in the AWS ecosystem, so preventing the public from having access to any IAM roles is generally a good idea.

Describe the solution you'd like

It should be possible to get an OpenID token for an identity in Amplify even if there is no AWS credential for this identity, if the classic flow is enabled.

Describe alternatives you've considered

An alternative is calling the AWS Cognito Identity GetId/GetOpenIdToken APIs directly instead of through Amplify, since they are public.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

Metadata

Assignees

No one assigned

Labels

Auth (Related to Auth components/category), feature-request (Request a new feature)

Milestone

No milestone

Development

No branches or pull requests