
****************************
get_credentials_for_identity
****************************



.. py:method:: CognitoIdentity.Client.get_credentials_for_identity(**kwargs)

  

  Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers. If the token is for ``cognito-identity.amazonaws.com``, it will be passed through to Security Token Service with the appropriate role for the token.

   

  This is a public API. You do not need any credentials to call this API.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cognito-identity-2014-06-30/GetCredentialsForIdentity>`_  


  **Request Syntax**
  ::

    response = client.get_credentials_for_identity(
        IdentityId='string',
        Logins={
            'string': 'string'
        },
        CustomRoleArn='string'
    )
    
  :type IdentityId: string
  :param IdentityId: **[REQUIRED]** 

    A unique identifier in the format REGION:GUID.

    

  
  :type Logins: dict
  :param Logins: 

    A set of optional name-value pairs that map provider names to provider tokens. The name-value pair will follow the syntax "provider_name": "provider_user_identifier".

     

    Logins should not be specified when trying to get credentials for an unauthenticated identity.

     

    The Logins parameter is required when using identities associated with external identity providers such as Facebook. For examples of ``Logins`` maps, see the code examples in the `External Identity Providers <https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html>`__ section of the Amazon Cognito Developer Guide.

    

  
    - *(string) --* 

    
      - *(string) --* 

      


  :type CustomRoleArn: string
  :param CustomRoleArn: 

    The Amazon Resource Name (ARN) of the role to be assumed when multiple roles were received in the token from the identity provider, for example, a SAML-based identity provider. This parameter is optional for identity providers that do not support role customization.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'IdentityId': 'string',
          'Credentials': {
              'AccessKeyId': 'string',
              'SecretKey': 'string',
              'SessionToken': 'string',
              'Expiration': datetime(2015, 1, 1)
          }
      }
      
    **Response Structure**

    

    - *(dict) --* 

      Returned in response to a successful ``GetCredentialsForIdentity`` operation.

      
      

      - **IdentityId** *(string) --* 

        A unique identifier in the format REGION:GUID.

        
      

      - **Credentials** *(dict) --* 

        Credentials for the provided identity ID.

        
        

        - **AccessKeyId** *(string) --* 

          The Access Key portion of the credentials.

          
        

        - **SecretKey** *(string) --* 

          The Secret Access Key portion of the credentials.

          
        

        - **SessionToken** *(string) --* 

          The Session Token portion of the credentials.

          
        

        - **Expiration** *(datetime) --* 

          The date at which these credentials will expire.

          
    
  
  **Exceptions**
  
  *   :py:class:`CognitoIdentity.Client.exceptions.InvalidParameterException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.NotAuthorizedException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.ResourceConflictException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.TooManyRequestsException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.InvalidIdentityPoolConfigurationException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.InternalErrorException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.ExternalServiceException`
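
The following is an added example, not part of the boto3 documentation. It calls this public API with an unsigned client, leaves ``Logins`` out for an unauthenticated identity, and maps the response (note the key is ``SecretKey``) to ``boto3.Session`` keyword arguments. The helper names, the identity ID pattern and the five-minute expiry margin are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed shape of REGION:GUID; the page gives only the format name.
IDENTITY_ID_RE = re.compile(r"^[\w-]+:[0-9a-f-]+$")


def unsigned_client(region):
    """Return a client that sends unsigned requests (the operation is public)."""
    import boto3  # imported here so the helpers below work without boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    return boto3.client("cognito-identity", region_name=region,
                        config=Config(signature_version=UNSIGNED))


def build_request(identity_id, logins=None, custom_role_arn=None):
    """Build keyword arguments for get_credentials_for_identity."""
    if not IDENTITY_ID_RE.match(identity_id):
        raise ValueError("IdentityId must have the form REGION:GUID")
    params = {"IdentityId": identity_id}
    if logins:  # unauthenticated identity: Logins is left out entirely
        params["Logins"] = dict(logins)
    if custom_role_arn:
        params["CustomRoleArn"] = custom_role_arn
    return params


def session_kwargs(response, min_remaining=timedelta(minutes=5), now=None):
    """Map the response to boto3.Session kwargs, rejecting near-expired keys."""
    creds = response["Credentials"]
    expiration = creds["Expiration"]
    if expiration.tzinfo is None:  # treat a naive timestamp as UTC
        expiration = expiration.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expiration - now < min_remaining:
        raise RuntimeError("credentials expire too soon; request a new set")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],  # not 'SecretAccessKey'
        "aws_session_token": creds["SessionToken"],
    }


def fetch_session_kwargs(client, identity_id, logins=None, custom_role_arn=None):
    """Call the API and return kwargs for boto3.Session(**kwargs)."""
    request = build_request(identity_id, logins, custom_role_arn)
    return session_kwargs(client.get_credentials_for_identity(**request))
```

Pass the result to ``boto3.Session(**kwargs)``, and keep the returned secret key and session token out of logs.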

  