Using multiple Cognito Identity Pools to sign GraphQL requests

[markfraserr]

Hello team,

I am developing an iOS application using amplify-swift (version 2.46.0) with GraphQL APIs. My project is currently configured with a single Cognito Identity Pool via Amplify’s Auth configuration.

We are now attempting to introduce a second Cognito Identity Pool, and need the ability to dynamically authenticate and sign API requests with temporary AWS credentials from either of the two identity pools, depending on context.

I've attempted to import AWSCore directly to leverage the AWSCognitoCredentialsProvider class, however that has proven to be incompatible with our current version of amplify-swift.

Could you please advise what is the recommended approach for dynamically using multiple Cognito Identity Pools to obtain temporary credentials (accessKeyId, secretAccessKey, sessionToken) in a Swift-based Amplify app?

Thank you.

[tylerjroach]

Hi @markfraserr As you have experience, Amplify Swift is only compatible with configuring 1 identity pool at a time. In order to support multiple identity pools, you would need to use the AWS Swift SDK directly or write your own service to vend AWS Temporary Credentials.

[markfraserr]

Hi @tylerjroach, thanks for you prompt response.

the AWS Swift SDK would certainly be the preferred solution. However, when I try to import the package I am met with the following message:

It seems to be conflicting with the existing import for amplify-swift v2.46.0. I've tried several different version of the AWS Swift SDK to no avail. Is there a recommended way around this?

[gevartosky]

Hi @tylerjroach, I'm part of Mark's team. Thank you for the response :)

Essentially what we are trying to do is sign one specific request from our app with a different poolID/region. Is there a way to just do that without the need to create new credentials?

Also, from what I understand, aws-sdk-ios cannot coexist with amplify-swift, but aws-sdk-swift can.
Are we able to use the underlying types from aws-sdk-swift for this specific situation while still keeping Amplify for everything else?
And if so, what type from aws-sdk-swift would be analogous to aws-sdk-ios AWSCognitoCredentialsProvider?

[tylerjroach]

Lets take a quick step back to better understand your use case. What GraphQL APIs are you using? Are you using Amplify API or AppSync directly? I may be able to provide better guidance based on this understanding.

Correct that aws-sdk-swift can be used, but not aws-sdk-ios.

And if so, what type from aws-sdk-swift would be analogous to aws-sdk-ios AWSCognitoCredentialsProvider?

AWS SDK Swift contains the direct lower level APIs for Cognito, so I don't believe you will find a direct replacement for AWSCognitoCredentialsProvider. You would have to write your own implementation for this.

[gevartosky]

Thank you @tylerjroach

We are mainly using Amplify.API.query, Amplify.API.mutate and Amplify.API.subscribe.

You would have to write your own implementation for this

Would there be any documentation/tutorial about writing custom implementations? Or any place we could get a head start.

[tylerjroach]

Are you using AWS_IAM as the authorization type? If not, let me know if its AMAZON_COGNITO_USER_POOLS, API_kEY, etc.

[gevartosky]

For the specific service we are trying to sign w are using AWS_IAM, with AMAZON_COGNITO_USER_POOLS being in the roadmap too