I am trying to write a CloudFormation template that creates a new Cognito identity pool using Google authentication and a pre-existing role.
This code creates a new identity pool with Google authentication -
Resources:
  cognitoid:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      "AllowUnauthenticatedIdentities": false
      "SupportedLoginProviders": { "accounts.google.com": "<Google client id>" }
For the role, AWS::Cognito::IdentityPool has nothing in its properties for attaching a role.
Answer 0 (score: 6)
Finally got it working -
AWSTemplateFormatVersion: 2010-09-09
Description: Stack to create a new Cognito identity pool with CloudFormation permissions to authenticate using a Google+ API
Resources:
  CognitoId:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      "AllowUnauthenticatedIdentities": false
      "SupportedLoginProviders": { "accounts.google.com": "253488098773-olaksun66kcniitls6q7dne2asn23sdm.apps.googleusercontent.com" }
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Trust policy: only identities from this pool (aud) that signed in through a
      # provider (amr contains "authenticated") may assume the role via web identity.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition: { "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated" }, "StringEquals": {"cognito-identity.amazonaws.com:aud": !Ref CognitoId}}
            Principal:
              Federated:
                - "cognito-identity.amazonaws.com"
      Path: "/"
      # Permissions granted to every authenticated user of the pool.
      # Resource "*" makes them account-wide; scope to specific stack/bucket ARNs when not experimenting.
      "Policies":
        -
          PolicyName: main
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - "cloudformation:CreateStack"
                  - "cloudformation:UpdateStack"
                  - "cloudformation:DeleteStack"
                  - "cloudformation:CreateUploadBucket"
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:DescribeStackEvents"
                  - "cloudformation:GetTemplateSummary"
                  - "cloudformation:ListStacks"
                  - "cloudformation:ListStackResources"
                  - "s3:CreateBucket"
                  - "s3:GetObject"
                  - "s3:PutObject"
                  - "mobileanalytics:PutEvent"
                  - "cognito-sync:*"
                  - "cognito-identity:*"
                Resource: "*"
  # Binds the role to the pool's "authenticated" identities; this is the piece
  # AWS::Cognito::IdentityPool itself has no property for.
  IdentityPoolRoleAttachment:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref CognitoId
      Roles: {"authenticated": !GetAtt IamRole.Arn}
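The two conditions in the role's trust policy are what stop the role from being assumed by anyone other than signed-in users of this specific pool. The following Python is an added example (not code from the question or the answer) that simulates, offline and with the standard library only, how STS evaluates that Condition block: `StringEquals` on the `aud` claim against the pool ID, and `ForAnyValue:StringLike` on the multi-valued `amr` claim. The pool IDs and the claim sets are constructed placeholders, not values from any real account.

```python
"""Offline simulation of the trust-policy Condition block in the template above.

Added example, not part of the original question or answer. It mirrors the two
IAM condition operators used in the IamRole AssumeRolePolicyDocument:
StringEquals on cognito-identity.amazonaws.com:aud and ForAnyValue:StringLike on
cognito-identity.amazonaws.com:amr. All IDs below are made-up placeholders.
"""
from fnmatch import fnmatchcase

# What !Ref CognitoId would resolve to once the stack is created (placeholder).
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"

# The Condition block from the template, with !Ref CognitoId resolved.
TRUST_CONDITION = {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
}


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _string_like(pattern, value):
    # IAM StringLike supports only the * and ? wildcards. fnmatchcase also accepts
    # [...] classes, which this policy never uses, so the two agree here.
    return fnmatchcase(value, pattern)


def condition_matches(condition, request_keys):
    """Return True when every operator/key pair in ``condition`` is satisfied by
    ``request_keys`` (condition key -> str or list of str).

    Only the two operators the template uses are implemented; any other operator
    evaluates to False so an unsupported operator can never read as 'allowed'."""
    for operator, key_values in condition.items():
        for key, expected in key_values.items():
            if key not in request_keys:
                return False  # key absent from the request: condition not met
            actual = _as_list(request_keys[key])
            allowed = _as_list(expected)
            if operator == "StringEquals":
                # single-valued comparison: exactly one value, and it must be listed
                if len(actual) != 1 or actual[0] not in allowed:
                    return False
            elif operator == "ForAnyValue:StringLike":
                # set operator: at least one request value must match some pattern
                if not any(_string_like(p, v) for v in actual for p in allowed):
                    return False
            else:
                return False
    return True


def can_assume_role(pool_id, amr):
    """Simulate sts:AssumeRoleWithWebIdentity for a Cognito identity whose token
    carries the given identity-pool ID (aud) and authentication methods (amr)."""
    request_keys = {
        "cognito-identity.amazonaws.com:aud": pool_id,
        "cognito-identity.amazonaws.com:amr": list(amr),
    }
    return condition_matches(TRUST_CONDITION, request_keys)


if __name__ == "__main__":
    # Constructed claim sets, shaped like what Cognito presents to STS.
    google_user = ["authenticated", "accounts.google.com"]
    guest = ["unauthenticated"]
    other_pool = "us-east-1:99999999-8888-7777-6666-555555555555"
    print(can_assume_role(POOL_ID, google_user))   # True
    print(can_assume_role(POOL_ID, guest))         # False
    print(can_assume_role(other_pool, google_user))  # False
```

The third case is the one worth remembering: without the `aud` check, any Cognito identity pool in any AWS account could hand its users this role, because the `Federated` principal `cognito-identity.amazonaws.com` is the same service for everyone.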