docs(cognito_identity_credentials): Explain limitation of CognitoIden…

lib/credentials/cognito_identity_credentials.js

@@ -23,6 +23,15 @@ var STS = require('../../clients/sts');
  * identity providers. See {constructor} for an example on creating a credentials
  * object with proper property values.
  *
+ * DISCLAIMER: This convinience method leverages the Enhanced (simplified) Authflow. The underlying
+ * implementation calls Cognito's `getId()` and `GetCredentialsForIdentity()`.
+ * In this flow there is no way to explicitly set a session policy, resulting in
+ * STS attaching the default policy and limiting the permissions of the federated role.
+ * To be able to explicitly set a session policy, do not use this convinience method.
+ * Instead, you can use the Cognito client to call `getId()`, `GetOpenIdToken()` and then use
+ * that token with your desired session policy to call STS's `AssumeRoleWithWebIdentity()`
+ * For further reading refer to: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
+ *
  * ## Refreshing Credentials from Identity Service
  *
  * In addition to AWS credentials expiring after a given amount of time, the