AWS CloudFormation
User Guide (Version )

AWS::Cognito::IdentityPoolRoleAttachment

The AWS::Cognito::IdentityPoolRoleAttachment resource manages the role configuration for an Amazon Cognito identity pool.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Cognito::IdentityPoolRoleAttachment", "Properties" : { "IdentityPoolId" : String, "RoleMappings" : Json, "Roles" : Json } }

YAML

Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: String RoleMappings: Json Roles: Json

Properties

IdentityPoolId

An identity pool ID in the format REGION:GUID.

Required: Yes

Type: String

Update requires: Replacement

RoleMappings

How users for a specific identity provider are mapped to roles. This is a string to the RoleMapping object map. The string identifies the identity provider. For example: "graph.facebook.com" or "cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".

If the IdentityProvider field isn't provided in this object, the string is used as the identity provider name.

Required: No

Type: Json

Update requires: No interruption

Roles

The map of the roles associated with this pool. For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.

Required: No

Type: Json

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID, such as IdentityPoolRoleAttachment-EXAMPLEwnOR3n.

For more information about using the Ref function, see Ref.

Examples

Setting the roles for an identity pool

The following example sets roles for an identity pool. It sets “authenticated” and “unauthenticated” roles and maps two identity providers to them. The first identity provider is “graph.facebook.com”. The second is using a reference to set the identity provider name.

JSON

{ "IdentityPoolRoleAttachment": { "Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": { "IdentityPoolId": { "Ref" : "IdentityPool" }, "Roles": { "authenticated": { "Fn::GetAtt" : [ "AuthenticatedRole", "Arn" ] }, "unauthenticated": { "Fn::GetAtt" : [ "UnAuthenticatedRole", "Arn" ] } }, "RoleMappings": { "graph.facebook.com": { "IdentityProvider": "graph.facebook.com", "AmbiguousRoleResolution": "Deny", "Type": "Rules", "RulesConfiguration": { "Rules": [ { "Claim": "sub", "MatchType": "Equals", "RoleARN": { "Fn::GetAtt" : [ "AuthenticatedRole", "Arn" ] }, "Value": "goodvalue" } ] } }, "userpool1": { "IdentityProvider": { "Ref" : "CognitoUserPool" }, "AmbiguousRoleResolution": "Deny", "Type": "Rules", "RulesConfiguration": { "Rules": [ { "Claim": "sub", "MatchType": "Equals", "RoleARN": { "Fn::GetAtt" : [ "AuthenticatedRole", "Arn" ] }, "Value": "goodvalue" } ] } } } } } }

YAML

IdentityPoolRoleAttachment: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: !Ref IdentityPool Roles: "authenticated": !GetAtt AuthenticatedRole.Arn "unauthenticated": !GetAtt UnAuthenticatedRole.Arn RoleMappings: "graph.facebook.com": IdentityProvider: "graph.facebook.com" AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue" "userpool1": IdentityProvider: !Ref CognitoUserPool AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue"