How to get AWSCredentials given an AWS Cognito access_token

Question:

In an android app, I receive a JWT access_token from http://<domain>.auth.<region>.amazoncognito.com/login once the user is done authenticating to a Cognito User Pool. That User Pool is linked to a Cognito Identity Pool.

What API should I call with that access_token to get an AWSCredentials object?

The closest one I found would be AssumeRoleWithWebIdentity, but that is an STS API, and some of what I’ve read on the web seems to recommend developers not use STS directly but rely on Cognito.

Moreover, I do not expect the API I need to require specifying a role name. Cognito Identity Pools are already configured to give authenticated users a specific role. And AssumeRoleWithWebIdentity takes a role name as input to the API. Hence that does not look right.

I’ve looked at the Cognito Identity Pool API Reference, and can’t find an API that takes an access_token and returns AWS credentials.

UPDATE:
The following answer which uses GetCredentialsForIdentity throws ResourceNotFoundException saying it cannot find the specified IdentityId.

Answer:

After much investigation, I found the answer.

1- One needs an id_token not an access_token to authenticate to Cognito, as misleading as this might sound. AWS’s documentation which says you ask for id_token when you need to have user attributes like name / email etc… and ask for an access_token when you don’t need that information and just want to authenticate is wrong, or at the very least misleading.

2- And here’s how you use an id-token to get AWS Credentials:

Note that you do not need AssumeRoleWithIdentity, or GetCredentialsWithIdentity, you do not even need an AmazonCognitoIdentityClient.
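As an added example (not code from the original answer), this is the Android SDK sequence the answer describes: hand the User Pool id_token to a CognitoCachingCredentialsProvider and let it perform the Identity Pool exchange. The pool identifiers and region below are placeholders you must replace with your own.

```java
import android.content.Context;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.regions.Regions;
import java.util.HashMap;
import java.util.Map;

/** Exchanges a Cognito User Pool id_token for temporary AWS credentials via an Identity Pool. */
public final class CognitoCredentialsExchange {

    // Placeholder values (assumptions): substitute your own User Pool id, Identity Pool id and region.
    private static final String USER_POOL_ID = "<region>_<userPoolId>";
    private static final String IDENTITY_POOL_ID = "<region>:<identity-pool-guid>";
    private static final Regions REGION = Regions.US_EAST_1;

    private CognitoCredentialsExchange() {}

    /**
     * Must run off the main thread: the provider makes network calls to the Identity Pool
     * (GetId and GetCredentialsForIdentity) on your behalf, so no AmazonCognitoIdentityClient
     * is needed in app code.
     */
    public static AWSSessionCredentials exchangeIdToken(Context context, String idToken) {
        CognitoCachingCredentialsProvider provider =
                new CognitoCachingCredentialsProvider(context, IDENTITY_POOL_ID, REGION);

        // The logins map is keyed by the User Pool's provider name; the value is the id_token.
        // Supplying the access_token here is what leads to a failed exchange.
        Map<String, String> logins = new HashMap<>();
        logins.put("cognito-idp." + REGION.getName() + ".amazonaws.com/" + USER_POOL_ID, idToken);
        provider.setLogins(logins);

        // Triggers the exchange and returns short-lived session credentials (access key,
        // secret key, session token) scoped to the Identity Pool's authenticated role.
        return provider.getCredentials();
    }
}
```

When the id_token expires, call setLogins again with a freshly issued id_token before requesting credentials; keep the returned session credentials in memory only, since they are short-lived and carry the authenticated role's permissions.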
