AWS::Cognito::IdentityPoolRoleAttachment
The AWS::Cognito::IdentityPoolRoleAttachment
resource manages the role
configuration for an Amazon Cognito identity pool.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Cognito::IdentityPoolRoleAttachment", "Properties" : { "IdentityPoolId" :
String
, "RoleMappings" :RoleMapping
, "Roles" :String
} }
YAML
Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId:
String
RoleMappings:RoleMapping
Roles:String
Properties
IdentityPoolId
-
An identity pool ID in the format
REGION:GUID
.Required: Yes
Type: String
Update requires: Replacement
RoleMappings
-
How users for a specific identity provider are mapped to roles. This is a string to the
RoleMapping
object map. The string identifies the identity provider. For example:graph.facebook.com
orcognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id
.If the
IdentityProvider
field isn't provided in this object, the string is used as the identity provider name.For more information, see the RoleMapping property.
Required: No
Type: RoleMapping
Update requires: No interruption
Roles
-
The map of the roles associated with this pool. For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.
Required: No
Type: String
Pattern:
^.+$
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref
function, Ref
returns the IdentityPoolId
, such as
us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE
.
For more information about using the Ref
function, see Ref
.
Fn::GetAtt
The Fn::GetAtt
intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt
intrinsic function, see Fn::GetAtt
.
Id
-
The resource ID.
Examples
Setting the roles for an identity pool
The following example sets roles for an identity pool. It sets “authenticated” and “unauthenticated” roles and maps two identity providers to them. The first identity provider is “graph.facebook.com”. The second is using a reference to set the identity provider name.
JSON
{ "IdentityPoolRoleAttachment":{ "Type":"AWS::Cognito::IdentityPoolRoleAttachment", "Properties":{ "IdentityPoolId":{ "Ref":"IdentityPool" }, "Roles":{ "authenticated":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "unauthenticated":{ "Fn::GetAtt":[ "UnAuthenticatedRole", "Arn" ] } }, "RoleMappings":{ "graph.facebook.com":{ "IdentityProvider":"graph.facebook.com", "AmbiguousRoleResolution":"Deny", "Type":"Rules", "RulesConfiguration":{ "Rules":[ { "Claim":"sub", "MatchType":"Equals", "RoleARN":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "Value":"goodvalue" } ] } }, "userpool1":{ "IdentityProvider":{ "Ref":"CognitoUserPool" }, "AmbiguousRoleResolution":"Deny", "Type":"Rules", "RulesConfiguration":{ "Rules":[ { "Claim":"sub", "MatchType":"Equals", "RoleARN":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "Value":"goodvalue" } ] } } } } } }
YAML
IdentityPoolRoleAttachment: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: !Ref IdentityPool Roles: "authenticated": !GetAtt AuthenticatedRole.Arn "unauthenticated": !GetAtt UnAuthenticatedRole.Arn RoleMappings: "graph.facebook.com": IdentityProvider: "graph.facebook.com" AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue" "userpool1": IdentityProvider: !Ref CognitoUserPool AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue"