AWS::Cognito::UserPoolIdentityProvider
The AWS::Cognito::UserPoolIdentityProvider resource creates an identity
provider for a user pool.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Cognito::UserPoolIdentityProvider", "Properties" : { "AttributeMapping" :Json, "IdpIdentifiers" :[ String, ... ], "ProviderDetails" :Json, "ProviderName" :String, "ProviderType" :String, "UserPoolId" :String} }
YAML
Type: AWS::Cognito::UserPoolIdentityProvider Properties: AttributeMapping:JsonIdpIdentifiers:- StringProviderDetails:JsonProviderName:StringProviderType:StringUserPoolId:String
Properties
AttributeMapping-
A mapping of IdP attributes to standard and custom user pool attributes.
Required: No
Type: Json
Update requires: No interruption
IdpIdentifiers-
A list of IdP identifiers.
Required: No
Type: List of String
Maximum:
50Update requires: No interruption
ProviderDetails-
The IdP details. The following list describes the provider detail keys for each IdP type.
-
For Google and Login with Amazon:
-
client_id
-
client_secret
-
authorize_scopes
-
-
For Facebook:
-
client_id
-
client_secret
-
authorize_scopes
-
api_version
-
-
For Sign in with Apple:
-
client_id
-
team_id
-
key_id
-
private_key
-
authorize_scopes
-
-
For OpenID Connect (OIDC) providers:
-
client_id
-
client_secret
-
attributes_request_method
-
oidc_issuer
-
authorize_scopes
-
The following keys are only present if Amazon Cognito didn't discover them at the
oidc_issuerURL.-
authorize_url
-
token_url
-
attributes_url
-
jwks_uri
-
-
Amazon Cognito sets the value of the following keys automatically. They are read-only.
-
attributes_url_add_attributes
-
-
-
For SAML providers:
-
MetadataFile or MetadataURL
-
IDPSignout optional
-
Required: No
Type: Json
Update requires: No interruption
-
ProviderName-
The IdP name.
Required: Yes
Type: String
Minimum:
1Maximum:
32Pattern:
[^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+Update requires: Replacement
ProviderType-
The IdP type.
Required: Yes
Type: String
Allowed values:
Facebook | Google | LoginWithAmazon | OIDC | SAML | SignInWithAppleUpdate requires: Replacement
UserPoolId-
The user pool ID.
Required: Yes
Type: String
Minimum:
1Maximum:
55Pattern:
[\w-]+_[0-9a-zA-Z]+Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns physicalResourceId, which is “ProviderName". For
example:
{ "Ref": "testProvider" }
For the Amazon Cognito identity provider testProvider, Ref returns the name
of the identity provider.
For more information about using the Ref function, see Ref.
Examples
Creating a new Login with Amazon identity provider
The following example creates a Login with Amazon identity provider in the referenced user pool.
JSON
{ "UserPoolIdentityProvider": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ProviderName": "LoginWithAmazon", "ProviderDetails": { "client_id": "YourLoginWithAmazonAppId", "client_secret": "YourLoginWithAmazonAppSecret", "authorize_scopes": "profile postal_code" }, "ProviderType": "LoginWithAmazon", "AttributeMapping": { "email": "email" } } } }
YAML
UserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: UserPoolId: !Ref UserPool ProviderName: "LoginWithAmazon" ProviderDetails: client_id: "YourLoginWithAmazonAppId" client_secret: "YourLoginWithAmazonAppSecret" authorize_scopes: "profile postal_code" ProviderType: "LoginWithAmazon" AttributeMapping: email: "email"
Creating a new Google identity provider
The following example creates a Google identity provider in the referenced user pool.
JSON
{ "UserPoolIdentityProvider": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ProviderName": "Google", "ProviderDetails": { "client_id": "YourGoogleAppId", "client_secret": "YourGoogleAppSecret", "authorize_scopes": "profile email openid" }, "ProviderType": "Google", "AttributeMapping": { "email": "email" } } } }
YAML
UserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: UserPoolId: !Ref UserPool ProviderName: "Google" ProviderDetails: client_id: "YourGoogleAppId" client_secret: "YourGoogleAppSecret" authorize_scopes: "profile email openid" ProviderType: "Google" AttributeMapping: email: "email"
Creating a new Facebook identity provider
The following example creates a Facebook identity provider in the referenced user pool.
JSON
{ "UserPoolIdentityProvider": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ProviderName": "Facebook", "ProviderDetails": { "client_id": "YourFacebookAppId", "client_secret": "YourFacebookAppSecret", "authorize_scopes": "public_profile,email" }, "ProviderType": "Facebook", "AttributeMapping": { "email": "email" } } } }
YAML
UserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: UserPoolId: !Ref UserPool ProviderName: "Facebook" ProviderDetails: client_id: "YourFacebookAppId" client_secret: "YourFacebookAppSecret" authorize_scopes: "public_profile,email" ProviderType: "Facebook" AttributeMapping: email: "email"
Creating a new Sign in with Apple identity provider
The following example creates a Sign in with Apple identity provider in the referenced user pool.
JSON
{ "UserPoolIdentityProvider": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ProviderName": "SignInWithApple", "ProviderDetails": { "client_id": "YourAppleServicesId", "team_id": "YourAppleTeamId", "key_id": "YourApplePrivateKeyID", "private_key": "YourApplePrivateKey", "authorize_scopes": "public_profile,email" }, "ProviderType": "SignInWithApple", "AttributeMapping": { "email": "email" } } } }
YAML
UserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: UserPoolId: !Ref UserPool ProviderName: "SignInWithApple" ProviderDetails: client_id: "YourSign" team_id: "YourAppleTeamId" key_id: "YourApplePrivateKeyID" private_key: "YourApplePrivateKey" authorize_scopes: "public_profile,email" ProviderType: "SignInWithApple" AttributeMapping: email: "email"
Creating a new OIDC identity provider
The following example creates the OIDC identity provider "YourOIDCProviderName" in the referenced user pool.
JSON
{ "UserPoolIdentityProvider": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ProviderName": "YourOIDCProviderName", "ProviderDetails": { "client_id": "YourOIDCClientId", "client_secret": "YourOIDCClientSecret", "attributes_request_method": "GET", "oidc_issuer": "YourOIDCIssuerURL", "authorize_scopes": "email profile openid" }, "ProviderType": "OIDC", "AttributeMapping": { "email": "email" }, "IdpIdentifiers": [ "IdpIdentifier" ] } } }
YAML
UserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: UserPoolId: !Ref UserPool ProviderName: "YourOIDCProviderName" ProviderDetails: client_id: "YourOIDCClientId" client_secret: "YourOIDCClientSecret" attributes_request_method: "GET" oidc_issuer: "YourOIDCIssuerURL" authorize_scopes: "email profile openid" ProviderType: "OIDC" AttributeMapping: email: "email" IdpIdentifiers: - "IdpIdentifier"
Creating a new SAML identity provider
The following example creates a SAML identity provider "YourProviderName" in the referenced user pool.
JSON
{ "UserPoolIdentityProvider": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { "UserPoolId": {"Ref": "UserPool"}, "ProviderName": "YourProviderName", "ProviderDetails": { "MetadataURL": "YourMetadataURL" }, "ProviderType": "SAML", "AttributeMapping": { "email": "Attribute" }, "IdpIdentifiers": [ "IdpIdentifier" ] } } }
YAML
UserPoolIdentityProvider: Type: AWS::Cognito::UserPoolIdentityProvider Properties: UserPoolId: !Ref UserPool ProviderName: "YourProviderName" ProviderDetails: MetadataURL: "YourMetadataURL" ProviderType: "SAML" AttributeMapping: email: "Attribute" IdpIdentifiers: - "IdpIdentifier"
