Add an Amazon Cognito service account to a CDF group
Follow the steps below to create a service account in Amazon Cognito and add it as a member to the Cognite Data Fusion (CDF) group.
Prerequisites
Make sure that you have already registered the Cognite API and the Cognite Data Fusion application in Amazon Cognito.
Create a service account in Amazon Cognito
1. Sign in to the Amazon Cognito console as an admin. If prompted, enter your AWS credentials.
2. Select User Pools.
3. Select an existing user pool from the list, or create a user pool.
4. Select the App integration tab.
5. Under App client list, select Create app client.
6. Under App type, select Confidential client.
7. Enter an App client name.
   Copy and make a note of the App client name. You'll use this name to add the service account as a member to a CDF group.
8. Under Client secret, select Generate a client secret.
9. Under Authentication flow, select ALLOW_REFRESH_TOKEN_AUTH and ALLOW_REFRESH_TOKEN_AUTH.
   Keep the default settings for the remaining fields under Authentication flows.
10. Under Hosted UI settings, set Allowed callback URLs to https://auth.cognite.com/oauth2/external/callback.
11. In Identity providers, select Cognito user pool.
12. In OAuth 2.0 grant types, select Client credentials.
13. In Custom scopes, select https://cognitedata.com/user_impersonation and https://{{cluster}}.cognitedata.com.
14. At the bottom of the page, select Create app client.
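The following Python is an added example, not part of the original guide and not Cognite or AWS code. It builds the client credentials token request for a confidential app client like the one created above, and checks that an access token carries the custom scopes that were selected. The Cognito domain, client ID, client secret and sample token are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(domain, client_id, client_secret, scopes):
    """Build (but do not send) the client credentials request for a Cognito app client."""
    # Confidential clients authenticate with HTTP Basic: base64(client_id:client_secret).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return urllib.request.Request(
        f"https://{domain}/oauth2/token",
        data=body.encode(),
        method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def fetch_access_token(request):
    """Send the request. Needs network access and a real app client; load the secret
    from a secrets store or environment variable, never from source control."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(claims, wanted):
    """Return the wanted scopes that the token does not carry."""
    return set(wanted) - set(claims.get("scope", "").split())


# Constructed sample: an unsigned token shaped like a Cognito access token.
WANTED = ["https://cognitedata.com/user_impersonation"]
_claims = {"token_use": "access", "client_id": "example-client-id", "scope": WANTED[0]}
SAMPLE_TOKEN = ".".join([
    "e30",  # base64url of the empty header "{}"
    base64.urlsafe_b64encode(json.dumps(_claims).encode()).decode().rstrip("="),
    "sig",  # placeholder, not a real signature
])

if __name__ == "__main__":
    req = build_token_request("example.auth.eu-west-1.amazoncognito.com",
                              "example-client-id", "example-secret", WANTED)
    print(req.full_url, missing_scopes(decode_claims(SAMPLE_TOKEN), WANTED))
```

An empty set from `missing_scopes` means the token carries every requested scope; a non-empty set names scopes that were not granted to the app client.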
Add a service account to a new CDF group
To add an Amazon Cognito service account to a new group in Cognite Data Fusion:
1. Sign in to Cognite Data Fusion as an admin.
2. Select the Admin workspace, and then select Groups > Create group.
3. Enter a Unique name for the group and Add capabilities.
4. Under Members, select Externally managed.
5. In the Source ID field, enter the App client name you copied from Amazon Cognito in step 7 above.
6. Select Create.