First, Cognito itself does not provide sign-in to the AWS Management Console. However, you can obtain IAM role credentials through a Cognito Identity Pool [1] and then, in your own code, assemble those IAM role credentials into an AWS console sign-in URL [2].
Finally, apart from creating and configuring the User Pool and Identity Pool, every step of the Cognito sign-in and authentication flow relies on API calls (via the AWS CLI or code), so we suggest first reviewing the documentation [6] to familiarize yourself with the service.
Q2. Is Cognito based on the OIDC protocol underneath? Is it AWS's own protocol, or OAuth?
A2. Cognito supports OAuth 2.0 and OIDC [7]; it does not use a separately developed protocol of its own.
- Call initiate-auth [2] to sign in to the User Pool manually and obtain the tokens.
Command:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=,PASSWORD= --client-id --region
Output:
{
"ChallengeParameters": {},
"AuthenticationResult": {
"AccessToken": "",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "",
"IdToken": ""
}
}
- Following the "Enhanced flow" section of document [3], call get-id [4] and then get-credentials-for-identity [5] to obtain the IAM role's AccessKeyId, SecretKey and SessionToken.
Command:
aws cognito-identity get-id --identity-pool-id <identity_pool_id> --logins cognito-idp..amazonaws.com/<user_pool_id>=<IdToken obtained in step 1>
Output:
{
"IdentityId": ""
}
Command:
aws cognito-identity get-credentials-for-identity --identity-id --logins cognito-idp..amazonaws.com/<user_pool_id>=<IdToken obtained in step 1>
Output:
{
"IdentityId": "",
"Credentials": {
"AccessKeyId": "",
"SecretKey": "",
"SessionToken": "",
"Expiration": ""
}
}
- As with ordinary IAM role credentials, configure and use the AccessKeyId, SecretKey and SessionToken before the credentials expire [6].
The documentation [7] is also provided for your reference.
We hope this information is helpful; please feel free to contact Amazon Technical Support again.
Reference documents:
[1] Common Amazon Cognito scenarios - Access AWS services with a user pool and an identity pool - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html#scenario-aws-and-user-pool
[2] https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/initiate-auth.html
[3] How do I grant users access to AWS services using an Amazon Cognito identity pool? - https://repost.aws/zh-Hans/knowledge-center/cognito-identity-pool-grant-user-access
[4] https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-id.html
[5] https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-credentials-for-identity.html
[6] Configuration and credential file settings in the AWS CLI - https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-files.html
[7] Accessing AWS services using an identity pool after sign-in - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html
Using AssumeRoleWithWebIdentity together with an Identity Pool applies when you have selected the Basic authflow for the Identity Pool [1]. See the Basic authflow section of [1] or [2]: with the Basic authflow, after calling get-id you need to call get-open-id-token [3] and then assume-role-with-web-identity [4] in sequence to obtain the IAM role credentials, instead of using get-credentials-for-identity.
Command:
aws cognito-identity get-open-id-token --identity-id "" --logins cognito-idp..amazonaws.com/<user_pool_id>=<IdToken obtained in step 1>
Output:
{
"IdentityId": "",
"Token": ""
}
Command:
aws sts assume-role-with-web-identity --role-arn "<ARN of the pre-configured IAM role>" --web-identity-token "" --role-session-name "<session name of your choice>"
Output:
{
"Credentials": {
"AccessKeyId": "",
"SecretAccessKey": "",
"SessionToken": "",
"Expiration": ""
},
"SubjectFromWebIdentityToken": "",
"AssumedRoleUser": {
"AssumedRoleId": "",
"Arn": ""
},
"Provider": "cognito-identity.amazonaws.com",
"Audience": ""
}
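An added example (not AWS's code and not part of the original reply) covering both flows above: it checks the IdToken from step 1 before it goes into the --logins map that get-id, get-credentials-for-identity and get-open-id-token all take, and it builds the trust policy an IAM role needs so that only authenticated identities from your own Identity Pool can assume it via assume-role-with-web-identity in the Basic authflow. The region, pool ids and app client id are constructed placeholders, and the sample token is unsigned and built locally.

```python
import base64
import json
import time

# Constructed placeholder identifiers (not real AWS resources)
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"

def decode_id_token(token: str) -> dict:
    """Claims of a Cognito ID token. No signature check here: the identity
    pool verifies the RS256 signature against the user pool's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # JWT segments omit padding
    return json.loads(base64.urlsafe_b64decode(payload))

def logins_for_identity_pool(id_token: str, client_id: str, now=None) -> dict:
    """Validate the claims the identity pool keys on and build the --logins
    map used by get-id, get-credentials-for-identity and get-open-id-token."""
    claims = decode_id_token(id_token)
    now = time.time() if now is None else now
    if claims.get("token_use") != "id":
        raise ValueError("pass the IdToken from initiate-auth, not the AccessToken")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different app client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired: run initiate-auth again")
    expected_iss = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    if claims.get("iss") != expected_iss:
        raise ValueError("token issuer is not the user pool linked to this identity pool")
    return {expected_iss[len("https://"):]: id_token}  # logins key = issuer minus scheme

def basic_flow_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy for a role assumed via the basic flow: only authenticated
    identities from this identity pool may call AssumeRoleWithWebIdentity."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only (real ones are RS256)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Without the aud condition in the trust policy, any Identity Pool in any account could mint tokens that assume the role, which is the risk the quoted documentation's "sufficient trust policy" wording refers to.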
Reference documents:
[1] Identity pools authentication flow - https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
[2] How do I grant users access to AWS services using an Amazon Cognito identity pool? - https://repost.aws/zh-Hans/knowledge-center/cognito-identity-pool-grant-user-access
[3] https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-open-id-token.html
[4] https://docs.aws.amazon.com/de_de/cli/latest/reference/sts/assume-role-with-web-identity.html
In short, with the Enhanced authflow the IAM role you receive is determined by the contents of the token submitted to the Identity Pool, and the role mapping is configured inside the Identity Pool. With the Basic authflow, the IAM role is chosen by the caller when invoking AssumeRoleWithWebIdentity. For example, in the Enhanced authflow you can configure the pool so that a successful sign-in followed by get-credentials-for-identity returns IAM role A, while an unauthenticated call returns IAM role B. Since the Basic authflow has no mapping feature, you must configure the IAM role separately and then obtain it through IAM's AssumeRoleWithWebIdentity.
For a detailed explanation and flow diagram, please refer directly to the documentation [1]. For your convenience, the relevant passage is excerpted below; because the Chinese version of the documentation is machine-translated, the original English text is quoted to avoid translation problems.
"The basic workflow gives you more granular control over the credentials that you distribute to your users. The GetCredentialsForIdentity request of the enhanced authflow requests a role based on the contents of an access token. The AssumeRoleWithWebIdentity request in the classic workflow grants your app a greater ability to request credentials for any AWS Identity and Access Management role that you have configured with a sufficient trust policy. You can also request a custom role session duration.
You can sign in with the Basic authflow in user pools that don't have role mappings. This type of identity pool doesn't have a default authenticated or unauthenticated role, and doesn't have role-based or attribute-based access control configured. When you attempt GetOpenIdToken in an identity pool with role mappings, you receive the following error.
Basic (classic) flow is not supported with RoleMappings, please use enhanced flow."
Reference documents:
[1] Identity pools authentication flow - https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html