Name:
interface
Value:
Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Page updated Nov 14, 2024

Use existing Cognito resources

Amplify Auth can be configured to use an existing Amazon Cognito user pool and identity pool. If you are in a team setting or part of a company that has previously created auth resources, you can configure the client library directly, or maintain references with AWS Cloud Development Kit (AWS CDK) in your Amplify backend.

Note: when using existing auth resources, it may be necessary to add additional policies or permissions for your authenticated and unauthenticated IAM roles. These changes must be performed manually.

Use auth resources without an Amplify backend

You can use existing resources without an Amplify backend by configuring the client library directly.

src/main.ts
import { Amplify } from "aws-amplify"
Amplify.configure({
Auth: {
Cognito: {
userPoolId: "<your-cognito-user-pool-id>",
userPoolClientId: "<your-cognito-user-pool-client-id>",
identityPoolId: "<your-cognito-identity-pool-id>",
loginWith: {
email: true,
},
signUpVerificationMethod: "code",
userAttributes: {
email: {
required: true,
},
},
allowGuestAccess: true,
passwordFormat: {
minLength: 8,
requireLowercase: true,
requireUppercase: true,
requireNumbers: true,
requireSpecialCharacters: true,
},
},
},
})

Use auth resources with an Amplify backend

If you have created Amazon Cognito resources outside of the context of your Amplify app such as creating resources through the AWS Console or consuming resources created by a separate team, you can use referenceAuth to reference the existing resources. It requires a user pool, a user pool client, identity pool, and an authenticated & unauthenticated IAM role configured on your identity pool.

amplify/auth/resource.ts
import { referenceAuth } from '@aws-amplify/backend';
export const auth = referenceAuth({
userPoolId: 'us-east-1_xxxx',
identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx',
authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx',
unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx',
userPoolClientId: 'xxxx',
});

The configuration of your referenced resources cannot be modified. IAM policies specific to your Amplify application will be appended to your authenticated and unauthenticated roles, and applications using the referenced resource will be able to create users in the Cognito user pool and identities in the Cognito identity pool.

You can also use the access property to grant permissions to your auth resource from other Amplify backend resources. For example, if you have a function that needs to retrieve details about a user:

amplify/auth/resource.ts
import { referenceAuth } from '@aws-amplify/backend';
import { getUser } from "../functions/get-user/resource";
export const auth = referenceAuth({
userPoolId: 'us-east-1_xxxx',
identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx',
authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx',
unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx',
userPoolClientId: 'xxxx',
access: (allow) => [
allow.resource(getUser).to(["getUser"]),
],
});

In a team setting you may want to reference a different set of auth resources depending on the deployment context. For instance if you have a staging branch that should reuse resources from a separate "staging" environment compared to a production branch that should reuse resources from the separate "production" environment. In this case we recommend using environment variables.

amplify/auth/resource.ts
import { referenceAuth } from '@aws-amplify/backend';
export const auth = referenceAuth({
userPoolId: process.env.MY_USER_POOL_ID,
identityPoolId: process.env.MY_IDENTITY_POOL_ID,
authRoleArn: process.env.MY_AUTH_ROLE_ARN,
unauthRoleArn: process.env.MY_UNAUTH_ROLE_ARN,
userPoolClientId: process.env.MY_USER_POOL_CLIENT_ID,
});

Environment variables must be configured separately on your machine for sandbox deployments and Amplify console for branch deployments.

Next steps