AWS::Cognito::UserPoolIdentityProvider - AWS CloudFormation

The AWS::Cognito::UserPoolIdentityProvider resource creates an identity provider for a user pool.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Cognito::UserPoolIdentityProvider",
  "Properties" : {
      "AttributeMapping" : Json,
      "IdpIdentifiers" : [ String, ... ],
      "ProviderDetails" : Json,
      "ProviderName" : String,
      "ProviderType" : String,
      "UserPoolId" : String
    }
}

YAML

Type: AWS::Cognito::UserPoolIdentityProvider
Properties:
  AttributeMapping: Json
  IdpIdentifiers:
    - String
  ProviderDetails: Json
  ProviderName: String
  ProviderType: String
  UserPoolId: String

Properties

AttributeMapping

A mapping of IdP attributes to standard and custom user pool attributes.

Required: No

Type: Json

Update requires: No interruption

IdpIdentifiers

A list of IdP identifiers.

Required: No

Type: List of String

Maximum: 50

Update requires: No interruption

ProviderDetails

The IdP details. The following list describes the provider detail keys for each IdP type.

  • For Google and Login with Amazon:

    • client_id

    • client_secret

    • authorize_scopes

  • For Facebook:

    • client_id

    • client_secret

    • authorize_scopes

    • api_version

  • For Sign in with Apple:

    • client_id

    • team_id

    • key_id

    • private_key

    • authorize_scopes

  • For OpenID Connect (OIDC) providers:

    • client_id

    • client_secret

    • attributes_request_method

    • oidc_issuer

    • authorize_scopes

    • The following keys are only present if Amazon Cognito didn't discover them at the oidc_issuer URL.

      • authorize_url

      • token_url

      • attributes_url

      • jwks_uri

    • Amazon Cognito sets the value of the following keys automatically. They are read-only.

      • attributes_url_add_attributes

  • For SAML providers:

    • MetadataFile or MetadataURL

    • IDPSignout (optional)

Required: No

Type: Json

Update requires: No interruption

ProviderName

The IdP name.

Required: Yes

Type: String

Minimum: 1

Maximum: 32

Pattern: [^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+

Update requires: Replacement

ProviderType

The IdP type.

Required: Yes

Type: String

Allowed values: Facebook | Google | LoginWithAmazon | OIDC | SAML | SignInWithApple

Update requires: Replacement

UserPoolId

The user pool ID.

Required: Yes

Type: String

Minimum: 1

Maximum: 55

Pattern: [\w-]+_[0-9a-zA-Z]+

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the physical resource ID, which is the ProviderName. For example:

{ "Ref": "testProvider" }

For the Amazon Cognito identity provider testProvider, Ref returns the name of the identity provider.

For more information about using the Ref function, see Ref.

Examples

Creating a new Login with Amazon identity provider

The following example creates a Login with Amazon identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ProviderName": "LoginWithAmazon",
      "ProviderDetails": {
        "client_id": "YourLoginWithAmazonAppId",
        "client_secret": "YourLoginWithAmazonAppSecret",
        "authorize_scopes": "profile postal_code"
      },
      "ProviderType": "LoginWithAmazon",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "LoginWithAmazon"
    ProviderDetails:
      client_id: "YourLoginWithAmazonAppId"
      client_secret: "YourLoginWithAmazonAppSecret"
      authorize_scopes: "profile postal_code"
    ProviderType: "LoginWithAmazon"
    AttributeMapping:
      email: "email"

Creating a new Google identity provider

The following example creates a Google identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ProviderName": "Google",
      "ProviderDetails": {
        "client_id": "YourGoogleAppId",
        "client_secret": "YourGoogleAppSecret",
        "authorize_scopes": "profile email openid"
      },
      "ProviderType": "Google",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "Google"
    ProviderDetails:
      client_id: "YourGoogleAppId"
      client_secret: "YourGoogleAppSecret"
      authorize_scopes: "profile email openid"
    ProviderType: "Google"
    AttributeMapping:
      email: "email"

Creating a new Facebook identity provider

The following example creates a Facebook identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ProviderName": "Facebook",
      "ProviderDetails": {
        "client_id": "YourFacebookAppId",
        "client_secret": "YourFacebookAppSecret",
        "authorize_scopes": "public_profile,email"
      },
      "ProviderType": "Facebook",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "Facebook"
    ProviderDetails:
      client_id: "YourFacebookAppId"
      client_secret: "YourFacebookAppSecret"
      authorize_scopes: "public_profile,email"
    ProviderType: "Facebook"
    AttributeMapping:
      email: "email"

Creating a new Sign in with Apple identity provider

The following example creates a Sign in with Apple identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ProviderName": "SignInWithApple",
      "ProviderDetails": {
        "client_id": "YourAppleServicesId",
        "team_id": "YourAppleTeamId",
        "key_id": "YourApplePrivateKeyID",
        "private_key": "YourApplePrivateKey",
        "authorize_scopes": "public_profile,email"
      },
      "ProviderType": "SignInWithApple",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "SignInWithApple"
    ProviderDetails:
      client_id: "YourAppleServicesId"
      team_id: "YourAppleTeamId"
      key_id: "YourApplePrivateKeyID"
      private_key: "YourApplePrivateKey"
      authorize_scopes: "public_profile,email"
    ProviderType: "SignInWithApple"
    AttributeMapping:
      email: "email"

Creating a new OIDC identity provider

The following example creates the OIDC identity provider "YourOIDCProviderName" in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ProviderName": "YourOIDCProviderName",
      "ProviderDetails": {
        "client_id": "YourOIDCClientId",
        "client_secret": "YourOIDCClientSecret",
        "attributes_request_method": "GET",
        "oidc_issuer": "YourOIDCIssuerURL",
        "authorize_scopes": "email profile openid"
      },
      "ProviderType": "OIDC",
      "AttributeMapping": {
        "email": "email"
      },
      "IdpIdentifiers": [ "IdpIdentifier" ]
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "YourOIDCProviderName"
    ProviderDetails:
      client_id: "YourOIDCClientId"
      client_secret: "YourOIDCClientSecret"
      attributes_request_method: "GET"
      oidc_issuer: "YourOIDCIssuerURL"
      authorize_scopes: "email profile openid"
    ProviderType: "OIDC"
    AttributeMapping:
      email: "email"
    IdpIdentifiers:
      - "IdpIdentifier"

Creating a new SAML identity provider

The following example creates a SAML identity provider "YourProviderName" in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ProviderName": "YourProviderName",
      "ProviderDetails": {
        "MetadataURL": "YourMetadataURL"
      },
      "ProviderType": "SAML",
      "AttributeMapping": {
        "email": "Attribute"
      },
      "IdpIdentifiers": [ "IdpIdentifier" ]
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "YourProviderName"
    ProviderDetails:
      MetadataURL: "YourMetadataURL"
    ProviderType: "SAML"
    AttributeMapping:
      email: "Attribute"
    IdpIdentifiers:
      - "IdpIdentifier"
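The property constraints documented above (required properties, allowed ProviderType values, the ProviderName and UserPoolId patterns and lengths, the IdpIdentifiers maximum, and the ProviderDetails keys each IdP type needs) can be checked before a template is ever deployed. The following is an added example of such a pre-deployment check in Python; it is not AWS code and not part of this page. It validates a parsed resource dictionary such as the Google example above. One check is this example's own assumption rather than a page constraint: a client_secret or private_key written as a literal string in a template is reported, since CloudFormation supports dynamic references of the form {{resolve:...}} for supplying such values from a secrets store; the secret name used in the sample input is a placeholder.

```python
"""Offline checker for AWS::Cognito::UserPoolIdentityProvider resources.

Added example, not AWS code. Checks a parsed template resource against the
constraints this page documents. The 'literal secret' finding is this
example's own assumption, not a constraint stated on the page.
"""
import re
import unicodedata

RESOURCE_TYPE = "AWS::Cognito::UserPoolIdentityProvider"
ALLOWED_PROVIDER_TYPES = {
    "Facebook", "Google", "LoginWithAmazon", "OIDC", "SAML", "SignInWithApple",
}
# ProviderDetails keys listed on this page per IdP type (OIDC's optional
# discovery keys and the read-only attributes_url_add_attributes are omitted).
REQUIRED_DETAILS = {
    "Google": {"client_id", "client_secret", "authorize_scopes"},
    "LoginWithAmazon": {"client_id", "client_secret", "authorize_scopes"},
    "Facebook": {"client_id", "client_secret", "authorize_scopes", "api_version"},
    "SignInWithApple": {"client_id", "team_id", "key_id", "private_key",
                        "authorize_scopes"},
    "OIDC": {"client_id", "client_secret", "attributes_request_method",
             "oidc_issuer", "authorize_scopes"},
}
SECRET_KEYS = {"client_secret", "private_key"}  # assumption: treated as secrets
USER_POOL_ID_RE = re.compile(r"[\w-]+_[0-9a-zA-Z]+")  # page pattern, full match


def provider_name_matches(name):
    """Pure-Python full match of [^_\\p{Z}][\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}][^_\\p{Z}]+.

    Python's re module has no \\p{} classes, so Unicode general categories are
    checked with unicodedata: Z* are separators; L, M, S, N and P are the
    first letters of the letter, mark, symbol, number and punctuation categories.
    """
    if len(name) < 3:  # the pattern consumes at least three characters
        return False
    cats = [unicodedata.category(c) for c in name]

    def not_underscore_or_separator(i):
        return name[i] != "_" and not cats[i].startswith("Z")

    return (not_underscore_or_separator(0)
            and cats[1][0] in "LMSNP"
            and all(not_underscore_or_separator(i) for i in range(2, len(name))))


def validate(resource):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    if resource.get("Type") != RESOURCE_TYPE:
        findings.append(f"Type must be {RESOURCE_TYPE}")
    props = resource.get("Properties") or {}

    for key in ("ProviderName", "ProviderType", "UserPoolId"):
        if key not in props:
            findings.append(f"missing required property {key}")

    ptype = props.get("ProviderType")
    if ptype is not None and ptype not in ALLOWED_PROVIDER_TYPES:
        findings.append(f"ProviderType {ptype!r} is not an allowed value")

    name = props.get("ProviderName")
    if isinstance(name, str):
        if not 1 <= len(name) <= 32:
            findings.append("ProviderName length must be 1..32")
        elif not provider_name_matches(name):
            findings.append(f"ProviderName {name!r} does not match the required pattern")

    # A {"Ref": ...} intrinsic is resolved at deploy time, so only literals are checked.
    pool = props.get("UserPoolId")
    if isinstance(pool, str):
        if not 1 <= len(pool) <= 55:
            findings.append("UserPoolId length must be 1..55")
        elif not USER_POOL_ID_RE.fullmatch(pool):
            findings.append(f"UserPoolId {pool!r} does not match the required pattern")

    idps = props.get("IdpIdentifiers") or []
    if len(idps) > 50:
        findings.append(f"IdpIdentifiers has {len(idps)} entries; maximum is 50")

    details = props.get("ProviderDetails") or {}
    if ptype in REQUIRED_DETAILS:
        missing = sorted(REQUIRED_DETAILS[ptype] - set(details))
        if missing:
            findings.append(f"ProviderDetails for {ptype} is missing {', '.join(missing)}")
    elif ptype == "SAML" and not {"MetadataFile", "MetadataURL"} & set(details):
        findings.append("ProviderDetails for SAML needs MetadataFile or MetadataURL")

    # Assumption of this example: secrets belong in a dynamic reference, not the template.
    for key in sorted(SECRET_KEYS & set(details)):
        value = details[key]
        if isinstance(value, str) and not value.startswith("{{resolve:"):
            findings.append(f"ProviderDetails.{key} is a literal value; "
                            "prefer a CloudFormation dynamic reference")
    return findings


# Constructed sample: the page's Google example, with the secret supplied through
# a dynamic reference (the secret name is a placeholder).
GOOGLE_PROVIDER = {
    "Type": RESOURCE_TYPE,
    "Properties": {
        "UserPoolId": {"Ref": "UserPool"},
        "ProviderName": "Google",
        "ProviderType": "Google",
        "ProviderDetails": {
            "client_id": "YourGoogleAppId",
            "client_secret": "{{resolve:secretsmanager:PLACEHOLDER-SECRET-NAME}}",
            "authorize_scopes": "profile email openid",
        },
        "AttributeMapping": {"email": "email"},
    },
}

# Constructed sample that violates several constraints at once.
BAD_PROVIDER = {
    "Type": RESOURCE_TYPE,
    "Properties": {
        "UserPoolId": "us-east-1 EXAMPLE",  # no '_' separator and a space
        "ProviderName": "_MyIdP",           # leading underscore
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": "YourOIDCClientId",
            "client_secret": "LITERAL-SECRET-PLACEHOLDER",
        },
        "IdpIdentifiers": [f"idp-{i}" for i in range(51)],
    },
}

if __name__ == "__main__":
    for label, res in (("Google example", GOOGLE_PROVIDER), ("bad example", BAD_PROVIDER)):
        print(label, "->", validate(res) or "no findings")
```

Run the file directly to see the two sample results; in a pipeline, apply validate to every resource of this Type in a template loaded with a JSON or YAML parser and fail the build on a non-empty list. Values given as intrinsics (a Ref for UserPoolId, for instance) are skipped because they only take their value at deploy time.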