Version 2021

Amazon S3 User OAuth Connectivity Using AWS Cognito

Cloud Object Connector supports User OAuth authentication with AWS Cognito. Learn to configure OAuth connectivity with Cognito user pool and Cognito identity pool.

Configure Cognito User Pool

  1. In the AWS Admin Console, go to Cognito Service > Manage User Pool.

  2. Click Create a user pool.

Configure the user pool and set up users based on your use case with the following settings:

App Client

App client is necessary for a user pool. You must create an app client and its corresponding secret.

Setting 1

  1. Go to General Settings > App Clients.

  2. In Auth Flows Configuration, select the Enable refresh token based authentication checkbox.

    Select the Generate client secret to generate a secret when the app client is created.

  3. Setting 2

    1. Go to App Integration > App Client Settings.

    2. Configure the following settings:

      Enable Identity Providers

      • Select the Cognito User Pool checkbox.

      Sign in and out of URLs

      • In the Callback URL(s) field, enter your MicroStrategy Web URL. Replace hostname with the IP of your MicroStrategy Web host, as shown in the following example.:


      OAuth 2.0

      • Under Allowed OAuth Flows, select the Authorization code grant checkbox.

      • Under Allowed OAuth Scopes, select the openid checkbox.

    Setting 3

    1. Go to App Integration > Domain name.

    2. Set Domain prefix for your app client.

Configure Cognito Identity Pool

  1. In the AWS Admin Console, go to Cognito Service > Manage Identity Pool.

  2. Click Create new identity pool.

Configure the identity pool based on your use case. To use the Cloud Object Connector, configure the following settings:

Setting 1: Authenticated Role

  1. When creating your identity pool, choose to either create a new Authenticated role or select an existing one.

    A new role comes properly configured.

  2. Upon setting the role, go to AWS IAM Services > Access Management > Roles.
  3. Choose Authenticated role.
  4. Go to the Permissions tab and attach the AmazonS3ReadOnlyAccess policy to the role.

    This permission is required to access Amazon S3 content.

Setting 2: Authentication Providers

  1. Go to the Cognito tab.

  2. Complete the User Pool ID and App Client ID fields as described in the Configure Cognito User Pool section.

    This ensures that the identity pool relies on the user pool for login authentication.

Get Parameters to Use in the Cloud Object

The following parameters are required to create a connection to AWS S3 using the User Account in Cloud Object Connetor.

Parameter Name


How to Find it

AWS Region

The preferred geographical region.

AWS Console Page

Identity Pool ID

The ID of your identity pool.

Congito Service > Manage Identity Pool, select your configured identity pool and click Edit identity pool

User Pool ID

The ID of your user pool.

Congito Service > Manage User Pool, select your configured user pool

User Pool Domain Name

The domain name of the app client.

User Pool > App Integration, locate the Domain parameter. For this parameter, you need the substring after "https://". For example, if the URL is "", you need "".

Client ID

The app client ID created in user pool.

User Pool > General settings > App clients

Client Secret

The app client secret created in user pool.

User Pool > General settings > App clients, click Show details

Callback URL

The URL is generated automatically in MicroStrategy Web and MicroStrategy Workstation. You do not need to manually input this field.

Ensure that this callback URL is added to your app client. Go to User Pool > App Integration > App client settings, add the callback URL to the Callback URL(s) field.