Access S3 data with temporary credentials using AWS Cognito user and identity pools

This guide explains how to configure AWS Cognito to authenticate users for S3 buckets using OAuth2. You will need to set up a Cognito User Pool, an Identity Pool, and assign the necessary IAM roles and permissions for S3 access. Throughout the process, we will need to collect the following inputs required to create a connection between Alteryx and AWS S3:

AWS Account id;
Cognito domain URL;
OAuth redirect URL;
AWS Region;
User Pool ID
Identity Pool ID
Client ID
Client secret (optional for private applications)

Let’s start with finding your AWS account id. Click on your username in the top right corner of the screen as indicated on the below screenshot.

Screenshot 2024-10-09 at 22.22.19.png

Follow the steps below to complete the configuration.

Step 1: Create a Cognito User Pool

A User Pool in AWS Cognito is where user identities are created and managed. Let’s walk through creating and setting up a User Pool with OAuth.

1. Create a new User Pool
Navigate to the AWS Cognito console and create a new User Pool.

Screenshot 2024-10-08 at 13.48.40.png

2. Configure desired security requirements;

3. Set up the initial OAuth application
After creating the pool, configure the app integration:

Mark the application as public/private.
Optional: generate client secret
- Copy and securely save the client secret;

Screenshot 2024-10-09 at 22.29.10 (1).png 4. Click Next, review and create the user pool;

5. Once the user pool is created, select the pool;

Locate Token signing key URL and copy it’s value. Remove /.well-known/jwks.json from the url and store updated url value. This will be your User Pool Id value, e.g. https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_uTmIXw7vJ
Go to App Integration tab → click on it and locate Cognito Domain. This will be know as your Cognito Domain URL

6. Locate and click the App integration category on your newly-created user pool

Locate User pool Id and extract the AWS region from it. For example if your user pool id starts with eu-central-1, then your region is eu-central-1.
Save your AWS Region value - you will use it later in this guide;
Scroll down to App clients and analytics section

Screenshot 2024-10-10 at 14.22.06.png

Locate the client we created in step 3 and click on its name;
Copy and save the app client id

Scroll down to Hosted UI section of the page, click edit and set Allowed callback URLs to http://localhost:<port number>, e.g. http://localhost:5080

Screenshot 2024-10-10 at 14.27.12.png

This value is known as OAuth redirect URL;

7. Create user pool identity

Go to your user pool page and click Create user

Screenshot 2024-10-10 at 15.41.17.png

Provide desired configuration and create a user

Screenshot 2024-10-10 at 15.42.58.png

Step 2: Create an Identity Pool

Once the User Pool is created, we need to create an Identity Pool to link authenticated users with AWS resources such as S3.

Go to the Cognito home page, locate and click Identity Pools in the left tab;

Screenshot 2024-10-10 at 14.34.36.png

Create a new Identity Pool and Enable authenticated user access
In the Identity Pool settings, configure authenticated access for users and select User Pool as source of the identity;

Screenshot 2024-10-08 at 15.55.27.png

Configure roles
- Select the option to create a new role for authenticated users;
- Provide a name for this role and proceed to the next step;

Screenshot 2024-10-11 at 15.48.23.png

Assign User Pool and OAuth client to the identity pool
Choose the Cognito User Pool and OAuth client you created earlier;

Screenshot 2024-10-08 at 15.58.53.png

Collect the Identity Pool ID
After the setup, note down the Identity Pool ID, which will be used for integrating with other AWS services

Screenshot 2024-10-11 at 15.50.47.png

Step 3: Grant IAM Role Permissions for S3 Access

Now that your Identity Pool is configured, you need to assign the necessary IAM permissions to the role created in the previous step, allowing it to access S3.

1. Navigate to IAM and find your role

Go to the IAM console, click on Roles, and locate the role you created in the Identity Pool setup;

Screenshot 2024-10-11 at 15.53.13.png

2. Attach S3 permissions

Select the role and go to the Permissions tab.
Click on Add permission, then choose Attach Policies.
Search for the AmazonS3FullAccess policy or any other necessary permissions

Screenshot 2024-10-11 at 15.55.36.png

3. Apply the permissions
Once the correct permissions have been selected, attach them to the role.
Now, the role has permission to access your S3 account.

Step 4: Connect to S3 data from Alteryx Designer

Open Alteryx Designer and search for desired S3 tool (download/upload)
Drop the tool on canvas and click Setup a Connection;
Provide your S3 bucket details

Screenshot 2024-10-11 at 16.00.21.png

Click connect credentials;
Select AWS OAuth with Identity Pool for S3 as authentication method and create new credential;
Provide the required inputs we collected earlier

Screenshot 2024-10-11 at 16.31.27.png

Under AWS temporary access credentials, create new credential and specify the name;
Click save and connect;
Finally, select the file you want to read

Final Thoughts

You’ve now configured AWS Cognito-based authentication for S3 by setting up a Cognito User Pool, creating an Identity Pool, and assigning appropriate IAM permissions to access S3. You can now use these configurations to authenticate users and control access to your S3 bucket.

For more advanced setups, consider configuring multi-factor authentication (MFA) or custom OAuth scopes within Cognito to enhance security.

Datasets

Connectors

Database Connection

Accepted answers

All comments

There are no accepted answers yet

Quick Links

This months top contributors

SophiaF 432

AkimasaKajitani 390

mceleavey 388

mbarone 337

michael_weaver 335