Add a role to an AWS Cognito Identity Pool via CloudFormation
I am trying to write a CloudFormation template to create a new Cognito identity pool with Google authentication and using a pre-existing role.
This code creates a new identity pool with Google authentication:
Resources:
  cognitoid:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      "AllowUnauthenticatedIdentities": false
      "SupportedLoginProviders": { "accounts.google.com": "<Google client id>" }
For the role, AWS::Cognito::IdentityPool doesn't have anything in its properties for attaching a role.
I was finally able to make it work:
AWSTemplateFormatVersion: 2010-09-09
Description: Stack to create a new Cognito identity pool with CloudFormation permissions to authenticate using a Google+ API
Resources:
  CognitoId:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      "AllowUnauthenticatedIdentities": false
      "SupportedLoginProviders": { "accounts.google.com": "253488098773-olaksun66kcniitls6q7dne2asn23sdm.apps.googleusercontent.com" }
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition: { "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated" }, "StringEquals": {"cognito-identity.amazonaws.com:aud": !Ref CognitoId}}
            Principal:
              Federated:
                - "cognito-identity.amazonaws.com"
      Path: "/"
      "Policies":
        - PolicyName: main
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudformation:CreateStack"
                  - "cloudformation:UpdateStack"
                  - "cloudformation:DeleteStack"
                  - "cloudformation:CreateUploadBucket"
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:DescribeStackEvents"
                  - "cloudformation:GetTemplateSummary"
                  - "cloudformation:ListStacks"
                  - "cloudformation:ListStackResources"
                  - "s3:CreateBucket"
                  - "s3:GetObject"
                  - "s3:PutObject"
                  - "mobileanalytics:PutEvent"
                  - "cognito-sync:*"
                  - "cognito-identity:*"
                Resource: "*"
  IdentityPoolRoleAttachment:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref CognitoId
      Roles: {"authenticated": !GetAtt IamRole.Arn}
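The part of the answer's template that actually enforces security is the role's trust policy: the `StringEquals` condition on `cognito-identity.amazonaws.com:aud` pins the role to this one identity pool, and the `ForAnyValue:StringLike` condition on `:amr` ties the `authenticated` mapping to authenticated identities. Dropping either condition leaves a role that any Cognito identity pool in any account could assume. The following is an added example, not code from the question or the answer: a small lint that walks a CloudFormation template held as a Python dict (JSON form, so `!Ref` and `!GetAtt` appear as `{"Ref": ...}` and `{"Fn::GetAtt": [...]}`) and reports every role attached through `AWS::Cognito::IdentityPoolRoleAttachment` whose trust policy lacks those conditions. The sample template is constructed to mirror the answer, with the Google client id replaced by a placeholder; the function names are my own.

```python
"""Added example: lint trust policies of roles attached to a Cognito identity pool."""
import json

COGNITO = "cognito-identity.amazonaws.com"
AUD_KEY = f"{COGNITO}:aud"
AMR_KEY = f"{COGNITO}:amr"


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _ref_target(value):
    """Logical id named by a {"Ref": id} or {"Fn::GetAtt": [id, attr]} dict, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def check_role(role_id, role, pool_id, mapping_key):
    """Findings for one role: it must only be assumable via web identity from pool_id."""
    findings = []
    doc = role["Properties"]["AssumeRolePolicyDocument"]
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if COGNITO not in federated:
            findings.append(f"{role_id}: Allow statement whose principal is not Federated {COGNITO}")
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            findings.append(f"{role_id}: Federated statement allows actions other than sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition") or {}
        aud = (cond.get("StringEquals") or {}).get(AUD_KEY)
        if _ref_target(aud) != pool_id and aud != pool_id:
            findings.append(f"{role_id}: trust policy does not pin {AUD_KEY} to pool {pool_id}")
        amr_block = cond.get("ForAnyValue:StringLike") or cond.get("ForAnyValue:StringEquals") or {}
        if mapping_key not in _as_list(amr_block.get(AMR_KEY)):
            findings.append(f"{role_id}: attached as '{mapping_key}' but {AMR_KEY} does not require '{mapping_key}'")
    return findings


def lint_identity_pool_roles(template):
    """Return a list of finding strings; an empty list means every attached role is pinned."""
    findings = []
    resources = template["Resources"]
    for att_id, att in resources.items():
        if att.get("Type") != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        props = att["Properties"]
        pool_id = _ref_target(props.get("IdentityPoolId")) or props.get("IdentityPoolId")
        for mapping_key, role_ref in props.get("Roles", {}).items():
            role = resources.get(_ref_target(role_ref))
            if role is None or role.get("Type") != "AWS::IAM::Role":
                findings.append(f"{att_id}: role for '{mapping_key}' is not an AWS::IAM::Role in this template")
                continue
            findings.extend(check_role(_ref_target(role_ref), role, pool_id, mapping_key))
    return findings


# Constructed sample template in JSON form, mirroring the answer's layout (placeholder client id).
SAMPLE_TEMPLATE = {
    "Resources": {
        "CognitoId": {
            "Type": "AWS::Cognito::IdentityPool",
            "Properties": {
                "AllowUnauthenticatedIdentities": False,
                "SupportedLoginProviders": {"accounts.google.com": "<Google client id>"},
            },
        },
        "IamRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": ["sts:AssumeRoleWithWebIdentity"],
                        "Principal": {"Federated": [COGNITO]},
                        "Condition": {
                            "StringEquals": {AUD_KEY: {"Ref": "CognitoId"}},
                            "ForAnyValue:StringLike": {AMR_KEY: "authenticated"},
                        },
                    }],
                },
            },
        },
        "IdentityPoolRoleAttachment": {
            "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
            "Properties": {
                "IdentityPoolId": {"Ref": "CognitoId"},
                "Roles": {"authenticated": {"Fn::GetAtt": ["IamRole", "Arn"]}},
            },
        },
    }
}


def weakened_template():
    """Copy of the sample with the aud condition dropped, to show what the lint catches."""
    t = json.loads(json.dumps(SAMPLE_TEMPLATE))  # deep copy
    stmt = t["Resources"]["IamRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0]
    del stmt["Condition"]["StringEquals"]
    return t


if __name__ == "__main__":
    for name, tpl in (("as written", SAMPLE_TEMPLATE), ("aud condition removed", weakened_template())):
        print(name, "->", lint_identity_pool_roles(tpl) or "no findings")
```

Run it against a template exported with `aws cloudformation get-template` (JSON output) or against a YAML template loaded with a constructor for the `!Ref`/`!GetAtt` short forms; the template as answered produces no findings, while removing the `aud` condition produces one.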