Login with Cognito

User Pool

Create a user pool with the application type set to "Traditional web application". Configure the sign-in options and the attributes required at sign-up. Add a return URL of the form https://velocity-page-6308.scratch.my.site.com/portal/auth/cognito, replacing the base URL with your actual site URL.

DynamoDb Table

Create a DynamoDB table with any name and substitute that name into the policy JSON below. In the current case it is CognitoUserData.

Policy

Navigate to IAM -> Policies -> Create Policy. Use the following custom JSON to set up the permissions the policy needs. Make sure you replace the full ARN of the DynamoDB table.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"dynamodb:GetItem",
				"dynamodb:PutItem",
				"dynamodb:UpdateItem",
				"dynamodb:DeleteItem",
				"dynamodb:Query"
			],
			"Resource": [
				"arn:aws:dynamodb:us-west-2:842485730943:table/CognitoUserData",
				"arn:aws:dynamodb:us-west-2:842485730943:table/CognitoUserData/index/*"
			]
		}
	]
}

Identity Pool Role

Navigate to IAM -> Roles -> Create Role. Use the following custom trust policy to create the role. On the permissions step, select the policy created in the previous step.

Identity Pool

Navigate to Cognito -> Identity pools -> Create identity pool. For the authentication field, select Authenticated access. For the Authenticated identity sources field, select Amazon Cognito user pool plus any other identity sources you need. For the role field, select the existing role created in the previous step. Under user pool details, select the user pool created earlier, and also select the client ID created in that user pool. Once everything is configured, enter an identity pool name and click Create.

Note: Replace the cognito-identity.amazonaws.com:aud value in the role trust policy with the identity pool ID.
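The shape of the trust policy the note above refers to, as an added example that is not from the original page: the aud condition pins the role to one identity pool, and the amr condition (an addition not mentioned on the page) limits it to authenticated identities. <IDENTITY_POOL_ID> is a placeholder for the identity pool ID from the previous step.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<IDENTITY_POOL_ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

Without the aud condition the Federated principal alone lets any Cognito identity pool, in any AWS account, assume this role and reach the DynamoDB table, so check that the condition is present after the role is created.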

Once you have created the user pool and identity pool, configure the iris_auth backend plugin with the following configuration. If the plugin is already configured, copy and replace only the cognito object inside the JSON.
