
Understanding AWS Cognito usage in iOS apps


My backend app server (ejabberd, hosted on AWS EC2) has its own user authentication process. My iOS client connects to it directly for user login, but the client also needs to access S3 buckets separately, for which I'm trying to leverage AWS Cognito.

I could have the app upload / download data to / from S3 buckets if I incorporate the below recommended iOS SDK code in my app. Documentation here ...

#import <AWSCore/AWSCore.h>

// Credentials provider backed by the Cognito identity pool. It exchanges the
// (embedded) pool id for temporary, short-lived AWS credentials and refreshes
// them itself when they expire.
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
    initWithRegionType:AWSRegionUSEast1 identityPoolId:@"IDENTITY_POOL_ID"];

// Service configuration that every AWS client (e.g. the S3 client) draws its
// credentials from.
AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc]
    initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];

// Register it as the default so clients created later pick it up automatically.
AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;

However, my question is - where / how are the credentials being refreshed every hour? The above code does not seem sufficient to me - the identity pool ID is actually hard-coded in the app and can be retrieved by someone decompiling it. I'm probably missing something basic here...

Appreciate your help...


Solution

  • The identity pool id is normally embedded in the app, you're not missing a step on that front. The risk can be alleviated by using your auth and unauth roles to tightly define what each user and type of user is allowed to do.

    The credentials provider automatically manages credentials for you. When they're expired, it will get new ones and use those. All you have to do is pass it on to whatever AWS client your app needs at the time.
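As an added example of what the answer means by tightly defining the roles (this is not from the original question or answer): an IAM policy attached to the identity pool's authenticated role that limits each Cognito identity to its own prefix in a single bucket, so an extracted pool id only ever yields credentials scoped to the caller's own objects. The bucket name EXAMPLE-APP-BUCKET and the users/ prefix layout are assumptions; ${cognito-identity.amazonaws.com:sub} is the standard Cognito policy variable that resolves to the calling identity's id.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-APP-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "users/${cognito-identity.amazonaws.com:sub}/*"
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-APP-BUCKET/users/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}
```

The unauthenticated role, if enabled on the pool, should get an even narrower policy (or none at all), since anyone with the pool id can obtain credentials for it.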