Front-End Web & Mobile

Adding Web Identity Federation with Facebook to Android Projects

Last month we announced web identity federation, which lets developers utilize services from Facebook, Google, and Amazon to retrieve temporary AWS credentials. This tutorial will show you how to add web identity federation with Facebook to an existing Android project that uses an AWS service.

Creating a Facebook App ID

  1. Sign up for the Facebook developer program here.
  2. Go to the Apps tab and click Create New App.
  3. After naming your app, take note of the App ID, which you will use later:
  4. Under Select how your app integrates with Facebook, select Native Android App:
  5. Enter your app’s Package Name, Class Name, and Key Hashes. For Class Name, enter [your app's package name].FacebookLogin. Make sure Facebook Login is enabled:
  6. More information about key hashes can be found in Section 5 of Facebook’s Getting Started Guide.

Creating an AWS IAM Role

  1. Login to the AWS Management Console and create a new role:
  2. Enter a name for the role, click Continue, and then select Role for Web Identity Provider Access.
  3. Select Facebook as the Identity Provider and provide the app ID you generated with Facebook:
  4. Click Continue until asked to set permissions. Use the policy generator to create a policy based on what services and actions users are allowed to access. For example, if your app uses Amazon S3 and allows users to create buckets, put objects, and get objects, it may look like this:
  5. Click Continue, and once you are done creating the role, select the role and switch to the Summary tab. Take note of the Role ARN; you’ll use it in configuring your app:

Modifying your existing project

This sample login view is just one example of how to add Facebook login to your app. You could also choose to use Fragments instead of Activities if they fit your app’s workflow better.

  1. Download the following files, which you will add to your project. Open your project in Eclipse or a similar IDE and Import the .java files into your project. Verify that the newly added files have the appropriate package declarations and change them if necessary.
  2. Import the login.xml file and copy it into your project’s layout folder
  3. We’ve included a version of the Facebook SDK that is known to be compatible with the AWS SDK for Android (version 1.6.0). Using newer versions of the Facebook SDK may require some further modification. Find the Facebook SDK located in the samples directory of the AWS SDK for Android and import the Facebook SDK as a library project into your workspace:

    Note: you may have to configure the build path of the FacebookSDK project to locate the “android-support-v4.jar,” which is located in your android-sdks directory.
  4. Open your app’s project properties and add a reference to the newly imported FacebookSDK project under the Android tab:
  5. Add the following to your project’s Android manifest file:

    <activity android:name=".FacebookLogin" android:theme="@android:style/Theme.NoDisplay">
    <activity android:name=".Login"></activity>
    <activity android:name="com.facebook.LoginActivity"></activity>
    <meta-data android:name="FBRoleARN" android:value="@string/fb_role_arn">
    <meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/fb_app_id">
  6. If your project does not have Internet permissions, add the following line to the Android manifest file:

    <uses-permission android:name="android.permission.INTERNET">   
  7. Add the following (replacing the values with your Role ARN and Facebook App ID) to your project’s strings.xml file:

    <string name="fb_role_arn">Your Role ARN</string>
    <string name="fb_app_id">Facebook App ID</string>
  8. Change the workflow of your app so that the Login activity is opened when the app is launched.
  9. Open In the call method of the SessionStatusCallback class, find the comment line and change the next line to open the Activity the user sees after logging in.
  10. Open Add import statements for the client for each AWS service your app uses. For example, if your project were using S3:

  11. In the same file, create class variables for each AWS client you use and set these to null. For example:

    private AmazonS3Client s3 = null;
  12. Again in, add public methods to return each of the class variables you created. For example:

    public AmazonS3Client s3() {
    		return s3;
  13. In the Login method, initialize each of the clients you created with the wif parameter. For example:

    s3 = new AmazonS3Client( wif );
  14. In the isLoggedIn and clearCredentials methods, change the variables to the ones you created:

    public boolean isLoggedIn() {
    	return ( s3 != null ); //Change to appropriate variable
    public void clearCredentials() {
            synchronized (this) {
                    s3 = null; //Change to appropriate variable
  15. Finally, in your existing code, replace any existing client creations with method calls to theAmazonClientManager in the Login class. For example:

    private AmazonS3Client s3Client = Login.clientManager.s3();
    private AmazonS3Client s3Client = new AmazonS3Client(new BasicAWSCredentials(Constants.ACCESS_KEY_ID, Constants.SECRET_KEY));


This tutorial adds a barebones version of Facebook web identity federation that allows users to login through a browser. For features such as allowing users to logout or login through the native Facebook app, refer to Facebook’s tutorial.

Adding Web Identity Federation with Facebook for iOS

Please let us know if you have any questions about this tutorial or using web identity federation.