Use existing Cognito resources
Amplify Auth can be configured to use an existing Amazon Cognito user pool and identity pool. If you are in a team setting or part of a company that has previously created auth resources, you can configure the client library directly, or maintain references with AWS Cloud Development Kit (AWS CDK) in your Amplify backend.
Use auth resources without an Amplify backend
Configuring the mobile client libraries directly is not supported, however you can manually create amplify_outputs.json with the following schema:
{ "version": "1", "auth": { "aws_region": "<your-cognito-aws-region>", "user_pool_id": "<your-cognito-user-pool-id>", "user_pool_client_id": "<your-cognito-user-pool-client-id>", "identity_pool_id": "<your-cognito-identity-pool-id>", "username_attributes": ["email"], "standard_required_attributes": ["email"], "user_verification_types": ["email"], "unauthenticated_identities_enabled": true, "password_policy": { "min_length": 8, "require_lowercase": true, "require_uppercase": true, "require_numbers": true, "require_symbols": true } }}Use auth resources with an Amplify backend
If you have created Amazon Cognito resources outside of the context of your Amplify app such as creating resources through the AWS Console or consuming resources created by a separate team, you can use referenceAuth to reference the existing resources. It requires a user pool, a user pool client, identity pool, and an authenticated & unauthenticated IAM role configured on your identity pool.
import { referenceAuth } from '@aws-amplify/backend';
export const auth = referenceAuth({ userPoolId: 'us-east-1_xxxx', identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx', authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx', unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx', userPoolClientId: 'xxxx',});You can also use the access property to grant permissions to your auth resource from other Amplify backend resources. For example, if you have a function that needs to retrieve details about a user:
import { referenceAuth } from '@aws-amplify/backend';import { getUser } from "../functions/get-user/resource";
export const auth = referenceAuth({ userPoolId: 'us-east-1_xxxx', identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx', authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx', unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx', userPoolClientId: 'xxxx', access: (allow) => [ allow.resource(getUser).to(["getUser"]), ],});In a team setting you may want to reference a different set of auth resources depending on the deployment context. For instance if you have a staging branch that should reuse resources from a separate "staging" environment compared to a production branch that should reuse resources from the separate "production" environment. In this case we recommend using environment variables.
import { referenceAuth } from '@aws-amplify/backend';
export const auth = referenceAuth({ userPoolId: process.env.MY_USER_POOL_ID, identityPoolId: process.env.MY_IDENTITY_POOL_ID, authRoleArn: process.env.MY_AUTH_ROLE_ARN, unauthRoleArn: process.env.MY_UNAUTH_ROLE_ARN, userPoolClientId: process.env.MY_USER_POOL_CLIENT_ID,});Environment variables must be configured separately on your machine for sandbox deployments and Amplify console for branch deployments.