Front-End Web & Mobile

Adding Web Identity Federation with Facebook to iOS Projects

Version 2 of the AWS Mobile SDK

  • This article and sample apply to Version 1 of the AWS Mobile SDK. If you are building new apps, we recommend you use Version 2. For details, please visit the AWS Mobile SDK page.
  • This content is being maintained for historical reference.

Last month we announced web identity federation, which lets developers utilize services from Facebook, Google, and Amazon to retrieve temporary AWS credentials. This tutorial shows you how to add web identity federation with Facebook to an existing iOS project that uses an AWS service.

Creating a Facebook App ID

  1. Sign up for the Facebook developer program here.
  2. Go to the Apps tab and click Create New App.
  3. After naming your app, take note of the App ID, which you will use later:
  4. Under Select how your app integrates with Facebook, select Native iOS App:
  5. Enter your app’s Bundle ID and make sure Facebook Login is enabled:

Creating an AWS IAM Role

  1. Login to the AWS Management Console and create a new role:
  2. Enter a name for the role, click Continue, and then select Role for Web Identity Provider Access.
  3. Select Facebook as the Identity Provider and provide the app ID you generated with Facebook:
  4. Click Continue until asked to set permissions. Use the policy generator to create a policy based on what services and actions users are allowed to access. For example, if your app uses Amazon S3 and allows users to create buckets, put objects, and get objects, it may look like this:
  5. Click Continue, and once you are done creating the role, select the role and switch to the Summary tab. Take note of the Role ARN; you’ll use it in configuring your app:

Modifying your existing project

This tutorial shows you how to add a LoginViewController with a Facebook login button. Once the user successfully logs into Facebook and retrieves AWS credentials, the LoginViewController is dismissed and your app’s original view is presented.

  1. Download the following files, which you will add to your project. Drag and drop the header and implementation files for AmazonClientManager, AmazonKeychainWrapper, and LoginViewController into your project in Xcode, as well as the NIB file for LoginViewController.
  2. Add the AWSRuntime, AWSSecurityTokenService, and other specific AWS service frameworks to your project if you do not already have them.
  3. We’ve included a version of the Facebook SDK that is known to be compatible with the AWS SDK for iOS (version 1.6.0). Using newer versions of the Facebook SDK may require some further modification. Add the FacebookSDK framework (located in the samples/S3_WIF_PersonalFileStore directory) to your project.
  4. Under your project’s Build Phases, make sure the newly added files are in Compile Sources. Under Link Binary with Libraries, add the Accounts, AdSupport, Security, Social, and SystemConfiguration frameworks as well as libsqlite3.dylib. Once you are finished, it should look similar to this:
  5. Under your project’s Info tab, click on URL Types and add a new type with Facebook URL Handler as the Identifier and fb[Your Facebook App ID] as the URL Scheme
  6. In your project’s -Info.plist, add a new string with FacebookAppID as the key and [Your Facebook App ID] as the value
  7. Open your app delegate implementation file and make sure to add the login view controller to your app at an appropriate place in your app workflow.Then, add or update the following method:
    - (BOOL)application:(UIApplication *)application
                openURL:(NSURL *)url
      sourceApplication:(NSString *)sourceApplication
             annotation:(id)annotation {
        // attempt to extract a FB token from the url
        if ([[AmazonClientManager sharedInstance].session handleOpenURL:url]) {
            return YES;
        return NO;
  8. In LoginViewController.m, add code inside the FBlogin method to present your app’s original root view controller.Note: LoginViewController can be substituted for any existing ViewController as long as the ViewController’s viewDidLoad, viewWIllAppear, and viewWillDisappear contain the same calls to AmazonClientManager. The ViewController should also contain a login button and corresponding selector that calls:
    [[AmazonClientManager sharedInstance] FBLogin];
    if ([[AmazonClientManager sharedInstance] isLoggedIn])
        *   Code that presents your original root view controller
  9. Open AmazonClientManager.h change the following definition to the Role ARN mentioned above:
    #define FB_ROLE_ARN @"Your Facebook IAM Role ARN"
  10. In AmazonClientManager.h, import the appropriate header files for each AWS service that your project uses. For each service, add a static method header that returns a client for that service. For example if your project uses S3, add:
    +(AmazonS3Client *)s3;
  11. Now Open AmazonClientManager.m and implement each of the static methods you added. As with the previous example:
    +(AmazonS3Client *)s3
        return s3;
  12. In the same file, add a static instance of each service client at the top of the file (before the @implementation marker):
    static AmazonS3Client *s3 = nil;
  13. In the initClients and wipeAllCredentials methods, change the following code in the if statement to match the service clients you are using:
    [s3 release];
    s3  = [[AmazonS3Client alloc] initWithCredentialsProvider:wif];
  14. Finally, in your existing code, replace any existing client creations with calls to AmazonClientManager‘s static methods that you added. For example:
    self.s3Client = [AmazonClientManager s3];
    self.s3Client = [[[AmazonS3Client alloc] initWithAccessKey:ACCESS_KEY_ID withSecretKey:SECRET_KEY] autorelease];


This tutorial adds a barebones version of Facebook web identity federation that allows users to login through a browser. For features such as allowing users to logout or login through the native Facebook app, refer to Facebook’s tutorial.

Adding Web Identity Federation with Facebook for Android

Please let us know if you have any questions about this tutorial or using web identity federation.