Register mobile / Android endpoint with Amazon SNS mobile push service

Question

I want to use Amazon SNS Mobile Push Notifications in combination with GCM to push notifications to Android devices.

I have GCM on my app up and running, it receives a registration id from Google and can receive notification if I

• send notification to device via https://android.googleapis.com/gcm/send
• manually add the device's registration id to the mobile endpoints in my AWS / SNS project.

The next step would be for the device registering itself as an endpoint with the SNS service. For this, the documentation suggests:

To register tokens from devices that will install your apps in the future

You can use one of the following two options:

Use the Amazon Cognito service : Your mobile app will need credentials to create endpoints associated with your Amazon SNS platform application. We recommend that you use temporary credentials that expire after a period of time. For most scenarios, we recommend that you use Amazon Cognito to create temporary security credentials. For more information, see Creating Temporary Security Credentials for Mobile Apps Using Identity Providers. If you would like to be notified when an app registers with Amazon SNS, you can register to receive an Amazon SNS event that will provide the new endpoint ARN. You can also use the ListEndpointByPlatformApplication API to obtain the full list of endpoints registered with Amazon SNS.

Use a proxy server : If your application infrastructure is already set up for your mobile apps to call in and register on each installation, you can continue to use this setup. Your server will act as a proxy and pass the device token to Amazon SNS mobile push notifications, along with any user data you would like to store. For this purpose, the proxy server will connect to Amazon SNS using your AWS credentials and use the CreatePlatformEndpoint API call to upload the token information. The newly created endpoint Amazon Resource Name (ARN) will be returned, which your server can store for making subsequent publish calls to Amazon SNS.

Given I don't want to use a proxy server, but let the device register directly with SNS to create a mobile endpoint ( About Web Identity Federation ), is the following hypothesis correct?

I would either have to store the credentials for access to this AWS account directly in the app (not an option of course) or the user would have to identify themselves via some OpenID account (which I also don't want to do because user's won't identify themselves just to receive push messages).

Answer 1

Ascorbin - Yes, you'll want to use Cognito Federated Identity . Cognito Identity allows you to create temporary limited AWS credentials, enabling app users to create an SNS platform endpoint or subscribe to an SNS Topic without ever logging in. You first create a Cognito Identity Pool and Cognito will assign two roles (Auth & UnAuth) to your application end users.

Within the Unauthenticated IAM Role, you could give permissions to sns:CreatePlatformEndpoint or sns:Subscribe depending on your use case. Once you create an Identity Pool in the AWS Console, you'll see "Sample code" for Android to implement the Amazon Cognito credentials provider in your Android app. Note: When creating your Identity Pool, don't forget to select "Enable access to unauthenticated identities" so that an Unauthenticated IAM Role is created and all your app users can have limited access to your AWS resources without logging in.

If you want to see a working sample Android app, checkout AWS Mobile Hub and create a project and download/run the Android Sample App that accesses your AWS resources using Cognito Identity.