[Feature Request]: Native support for authenticated cognito identity / amplify

[michal-simon]

Which web client version did you detect this bug with?

v1.25.0

What environment (build systems, module system, and framework) did you detect this bug with?

• TypeScript v5.8.3
• Webpack v5.99.6
• ECMAScript modules (ESM)
• React v19.1.1

Is your web application a single page application (SPA) or multi page application (MPA)?

SPA

Please provide your web client configuration

{
  allowCookies: true,
  endpoint: "https://dataplane.rum.eu-central-1.amazonaws.com",
  identityPoolId: "eu-central-1:00000000-0000-0000-0000-000000000000",
  sessionSampleRate: 1,
  telemetries: ['errors', 'performance', 'http']
}

Please describe the bug/issue

Context

My application requires login via the Cognito-managed login page. If the user is not authenticated, the application immediately redirects to the hosted UI. Therefore, there is no need to set up guestRoleArn in RUM configuration.

Issue

The following code helps me pass credentials from Amplify to the rum client (if there is a better way, I am open to suggestions):

import {fetchAuthSession} from 'aws-amplify/auth';
import {AwsRum} from 'aws-rum-web';

const session = await fetchAuthSession();
const rum = new AwsRum(...);
rum.setAwsCredentials(session.credentials);

The problem lies between the last 2 lines of the code example. When the identityPoolId is defined but the guestRoleArn is not, the constructor tries to apply several strategies to obtain credentials. I found in the library the ChainAnonymousCredentialsProvider that is being called once the constructor is called, even though no anonymous credentials will be needed. In my case, this causes 4 failed calls to https://cognito-identity.eu-central-1.amazonaws.com:

Workaround Experiment

I tried to set the enableRumClient configuration property to false, and after I call setAwsCredentials(), I tried to enable it again with rum.enable(). Unfortunately, the initDispatch() method (which calls the ChainAnonymousCredentialsProvider) is being called earlier in the constructor, and enable/disable has no effect on my issue.

Proposed Solution

I would like to be able to pass credentials directly in the constructor configuration and prevent the anonymous credentials from being used. Alternatively, I am looking for any way I can prevent the 4 failing HTTP requests made at every start of the application, then using the guest role.

[williazz]

After #740, the cognito logic for anonymous identity will only be triggered if signing and identityPoolId are configured. This will prevent the unhappy use case you have mentioned from triggering, and you will be able to call setAwsCredentials the usual way.

[williazz]

We should, however, keep this issue open to improve our native integration with amplify (e.g. fetchAuthSession as you have mentioned) and other non-anonymous scenarios.

[williazz]

We should also add a way to "pass credentials directly in the constructor configuration" as you have mentioned, since a lot can happen between initialization and when you call setAwsCredentials

[michal-simon]

Thank you for looking into it. Great to hear there is some progress. :)

[williazz]

Updated title, since the patch for unwanted cognito requests has been merged