How to Create an IAM Role for Your .NET Application to Access Amazon Cognito User Pools

65 0

AWS Identity and Access Management (IAM) enables you to create and manage AWS users and groups, and define the permissions to access AWS resources. In this tutorial, we’ll show you how to create an IAM role that can be used by your .NET application to access AWS resources. We’ll assume you have basic knowledge of AWS IAM and .NET development.

Step 1: Create an IAM Role

  1. Open the IAM console and navigate to the Roles page.
  2. Click the Create Role button.
  3. Choose the Another AWS Account option and enter the account ID of your .NET application’s AWS account.
  4. Select the Allow programmatic access and AWS Management Console access options.
  5. Attach the AmazonCognitoPowerUser policy to the role. This policy provides permissions to perform administrative actions on Amazon Cognito user pools.
  6. Review the settings and click the Create Role button.

Step 2: Assume the IAM Role and Get Temporary Credentials

In your .NET application, use the AWS SDK for .NET to assume the IAM role and get temporary credentials.

Step 3: Configure the AWS SDK for .NET to Use the Temporary Credentials

Configure the AWS SDK for .NET to use the temporary credentials.

The full code on 1) and 2)

using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using System.Net;

namespace demoAppIAMRoleECS.Controllers
    public class ClientController : Controller
        // The ARN of the IAM role that has permission to create App clients
        private const string ROLE_ARN = "arn:aws:iam::123456789012:role/YourRoleName";;

        // The name of the AWS region where your Cognito User Pool is located
        private const string REGION_NAME = "us-east-1";

        // The name of your Cognito User Pool
        private const string USER_POOL_ID = "us-east-1_HSIU0NS";//USER POOL

        // The name of the App client you want to create
       // private const string APP_CLIENT_NAME = "YourAppClientName";

        public async Task<ActionResult> CreateAppClient(string? appClientName)
            // Get temporary credentials using the IAM role
            var stsClient = new AmazonSecurityTokenServiceClient();
            var assumeRoleRequest = new AssumeRoleRequest
                RoleArn = ROLE_ARN,
                RoleSessionName = "MySessionName"
            var assumeRoleResponse = await stsClient.AssumeRoleAsync(assumeRoleRequest);
            var sessionCredentials = assumeRoleResponse.Credentials;

            var tempCredentials = new SessionAWSCredentials(
            // Create a CognitoIdentityProviderClient using the temporary credentials
            var cognitoClient = new AmazonCognitoIdentityProviderClient(

            //// Create the App client
            var createAppClientRequest = new CreateUserPoolClientRequest
                ClientName = appClientName,//APP_CLIENT_NAME,
                UserPoolId = USER_POOL_ID,
                GenerateSecret = true,
                RefreshTokenValidity = 30,
                //ReadAttributes = new[] { "email" },
                //WriteAttributes = new[] { "email" },
                PreventUserExistenceErrors = "ENABLED"
            var createAppClientResponse = await cognitoClient.CreateUserPoolClientAsync(createAppClientRequest);

            //// Get the client ID and secret from the response
            var clientId = createAppClientResponse.UserPoolClient.ClientId;
            var clientSecret = createAppClientResponse.UserPoolClient.ClientSecret;

            // Display the client ID and secret in the view
            ViewBag.ClientId = clientId;
            ViewBag.ClientSecret = clientSecret;

            return View();

Related Post

Leave a comment