AWS::Cognito::IdentityPoolRoleAttachment - AWS CloudFormation

AWS::Cognito::IdentityPoolRoleAttachment

The AWS::Cognito::IdentityPoolRoleAttachment resource manages the role configuration for an Amazon Cognito identity pool.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Cognito::IdentityPoolRoleAttachment", "Properties" : { "IdentityPoolId" : String, "RoleMappings" : RoleMapping, "Roles" : String } }

YAML

Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: String RoleMappings: RoleMapping Roles: String

Properties

IdentityPoolId

An identity pool ID in the format REGION:GUID.

Required: Yes

Type: String

Update requires: Replacement

RoleMappings

How users for a specific identity provider are mapped to roles. This is a string to the RoleMapping object map. The string identifies the identity provider. For example: graph.facebook.com or cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id.

If the IdentityProvider field isn't provided in this object, the string is used as the identity provider name.

For more information, see the RoleMapping property.

Required: No

Type: RoleMapping

Update requires: No interruption

Roles

The map of the roles associated with this pool. For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.

Required: No

Type: String

Pattern: ^.+$

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the IdentityPoolId, such as us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Id

The resource ID.

Examples

Setting the roles for an identity pool

The following example sets roles for an identity pool. It sets “authenticated” and “unauthenticated” roles and maps two identity providers to them. The first identity provider is “graph.facebook.com”. The second is using a reference to set the identity provider name.

JSON

{ "IdentityPoolRoleAttachment":{ "Type":"AWS::Cognito::IdentityPoolRoleAttachment", "Properties":{ "IdentityPoolId":{ "Ref":"IdentityPool" }, "Roles":{ "authenticated":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "unauthenticated":{ "Fn::GetAtt":[ "UnAuthenticatedRole", "Arn" ] } }, "RoleMappings":{ "graph.facebook.com":{ "IdentityProvider":"graph.facebook.com", "AmbiguousRoleResolution":"Deny", "Type":"Rules", "RulesConfiguration":{ "Rules":[ { "Claim":"sub", "MatchType":"Equals", "RoleARN":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "Value":"goodvalue" } ] } }, "userpool1":{ "IdentityProvider":{ "Ref":"CognitoUserPool" }, "AmbiguousRoleResolution":"Deny", "Type":"Rules", "RulesConfiguration":{ "Rules":[ { "Claim":"sub", "MatchType":"Equals", "RoleARN":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "Value":"goodvalue" } ] } } } } } }

YAML

IdentityPoolRoleAttachment: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: !Ref IdentityPool Roles: "authenticated": !GetAtt AuthenticatedRole.Arn "unauthenticated": !GetAtt UnAuthenticatedRole.Arn RoleMappings: "graph.facebook.com": IdentityProvider: "graph.facebook.com" AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue" "userpool1": IdentityProvider: !Ref CognitoUserPool AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue"