I am trying to add Cognito to my nodejs app for user management, using the Serverless Framework. I am stuck on configuring the IdentityPoolRoleAttachment. I have roles for identities provided by cognito / fb / google, and this is what I came up with:

```yaml
CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacebookAuthenticatedRole
            - FacebookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
```
Searching Google and the docs only shows how to configure the attachment with a Cognito user pool alone. How do I add the roles for FB / Google? If I try to deploy it, it fails with:

```
ServerlessError: An error occurred: CognitoIdentityPoolRoleAttachment - Internal Failure.
```

Nothing has helped. Any input would be appreciated.

Here is the full config, just in case:
```yaml
CognitoUserPoolStandardUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireLowercase: true
        RequireNumbers: true
        RequireSymbols: false
        RequireUppercase: true
    Schema:
      #- Name: name
      #  AttributeDataType: String
      #  Mutable: true
      #  Required: true
      - Name: email
        AttributeDataType: String
        Mutable: false
        Required: true
    AutoVerifiedAttributes:
      - email

CognitoUserPoolClientStandardUserPoolClient:
  DependsOn: CognitoUserPoolStandardUserPool
  Type: AWS::Cognito::UserPoolClient
  Properties:
    ClientName: Standard_Users
    UserPoolId:
      Ref: CognitoUserPoolStandardUserPool
    RefreshTokenValidity: 1
    GenerateSecret: false

CognitoIdentityPoolStandardUserIdentityPool:
  DependsOn: CognitoUserPoolClientStandardUserPoolClient
  Type: AWS::Cognito::IdentityPool
  Properties:
    AllowUnauthenticatedIdentities: false
    SupportedLoginProviders:
      "graph.facebook.com": ${self:provider.config.FB_APP_ID}
      "accounts.google.com": ${self:provider.config.GOOGL_WEB_ID}
    CognitoIdentityProviders:
      - ClientId:
          Ref: CognitoUserPoolClientStandardUserPoolClient
        ProviderName:
          Fn::GetAtt:
            - CognitoUserPoolStandardUserPool
            - ProviderName
        ServerSideTokenCheck: true

# Authenticated users can call API Gateway
UserPoolAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: UserPoolAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "cognito-identity.amazonaws.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": authenticated
    Policies:
      - PolicyName: UserPoolAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600

FacebookAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: FacebookAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "graph.facebook.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "graph.facebook.com:app_id": ${self:provider.config.FB_APP_ID}
    Policies:
      - PolicyName: FacebookAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600

GoogleAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: GoogleAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "accounts.google.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "accounts.google.com:aud": ${self:provider.config.GOOGL_WEB_ID}
    Policies:
      - PolicyName: GoogleAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600

# Unauthenticated users can only authenticate
UserPoolUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "cognito-identity.amazonaws.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": unauthenticated
    Policies:
      - PolicyName: UserPoolUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600

FacebookUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "graph.facebook.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud": ${self:provider.config.FB_APP_ID}
    Policies:
      - PolicyName: FacebookUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600

GoogleUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "accounts.google.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud": ${self:provider.config.GOOGL_WEB_ID}
    Policies:
      - PolicyName: GoogleUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600

CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacebookAuthenticatedRole
            - FacebookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
```
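The following is an added example and not part of the question above. It shows the shape that CloudFormation expects for `AWS::Cognito::IdentityPoolRoleAttachment`: a `Roles` block with the default authenticated/unauthenticated role ARNs, and `RoleMappings` entries whose `Rules` are `MappingRule` objects (`Claim`/`MatchType`/`Value`/`RoleARN`) rather than bare role names, each mapping carrying a `Type` and an `IdentityProvider`. It also shows a role trust policy that the identity pool can actually use: the identity pool calls `sts:AssumeRoleWithWebIdentity` itself, so the role must trust `cognito-identity.amazonaws.com`, not `graph.facebook.com` or `accounts.google.com`. The resource logical IDs are the ones from the question; the `admins` group, the `AdminRole`, the `/admin/*` API path and the `ApiGatewayRestApi` logical ID (the one the Serverless Framework gives its generated REST API) are assumptions made for illustration. Facebook and Google logins fall through to the default authenticated role here.

```yaml
# Added example, not the question's code. Fragment of the `resources:` section
# of a serverless.yml; logical IDs reuse the question's names, AdminRole and the
# "admins" group are assumed for illustration.
resources:
  Resources:
    CognitoIdentityPoolRoleAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Ref: CognitoIdentityPoolStandardUserIdentityPool
        # Defaults: any login not matched by a rule below (including Facebook
        # and Google) gets the authenticated role.
        Roles:
          authenticated:
            Fn::GetAtt: [UserPoolAuthenticatedRole, Arn]
          unauthenticated:
            Fn::GetAtt: [UserPoolUnauthenticatedRole, Arn]
        RoleMappings:
          # The map key is free-form once IdentityProvider is set. For a user pool the
          # provider identifier is "<pool ProviderName>:<app client id>". Fn::Join is
          # used instead of Fn::Sub because Serverless treats ${...} as its own variables.
          UserPoolMapping:
            IdentityProvider:
              Fn::Join:
                - ":"
                - - Fn::GetAtt: [CognitoUserPoolStandardUserPool, ProviderName]
                  - Ref: CognitoUserPoolClientStandardUserPoolClient
            Type: Rules
            AmbiguousRoleResolution: AuthenticatedRole
            RulesConfiguration:
              Rules:
                # Each rule is a MappingRule object. Members of the assumed "admins"
                # user pool group get AdminRole; everyone else gets Roles.authenticated.
                - Claim: "cognito:groups"
                  MatchType: Contains
                  Value: admins
                  RoleARN:
                    Fn::GetAtt: [AdminRole, Arn]

    # A role handed out by the identity pool must trust cognito-identity.amazonaws.com;
    # the social providers never call AssumeRoleWithWebIdentity themselves.
    AdminRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: cognito-identity.amazonaws.com
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                # Only this identity pool may assume the role.
                StringEquals:
                  "cognito-identity.amazonaws.com:aud":
                    Ref: CognitoIdentityPoolStandardUserIdentityPool
                # amr carries "authenticated" plus the login provider; both must be present
                # (two operators, because a single ForAnyValue list would match either one).
                ForAnyValue:StringEquals:
                  "cognito-identity.amazonaws.com:amr": authenticated
                ForAnyValue:StringLike:
                  # Assumed pattern for user pool logins; check the amr values your pool
                  # emits before relying on it.
                  "cognito-identity.amazonaws.com:amr": "cognito-idp.*"
        Policies:
          - PolicyName: AdminPolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: execute-api:Invoke
                  # Scoped to one API and path prefix instead of "*".
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:execute-api:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - ":"
                        - Ref: ApiGatewayRestApi
                        - "/*/*/admin/*"
```

Two things worth checking in the question's own roles while adapting this: the `DependsOn` entries are unnecessary once `Fn::GetAtt`/`Ref` express the dependency, and a policy granting `cognito-identity:*` on `Resource: "*"` lets whoever holds those temporary credentials call control-plane actions such as `cognito-identity:UpdateIdentityPool` or `cognito-identity:DeleteIdentityPool` on the account's pools; the unauthenticated flow (`GetId`, `GetCredentialsForIdentity`) needs no IAM permissions at all, so that statement can be dropped or reduced to the specific actions the app really calls.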