I am working on the CloudFormation side of things with the Serverless Framework. I am building a user pool with groups that each have their own role. I want to build my identity pool so that the Cognito provider's `Authenticated role selection` is set to `Choose role from token` and `Role resolution` is set to `DENY`.
Here is the relevant CloudFormation (ignore the `${self:custom....}` parts):
```yaml
IdentityPool:
  Type: AWS::Cognito::IdentityPool
  Properties:
    IdentityPoolName: ${self:custom.identityPoolName}
    AllowUnauthenticatedIdentities: false
    CognitoIdentityProviders:
      - ClientId:
          Ref: UserPoolClient
        ProviderName:
          Fn::GetAtt: ["UserPool", "ProviderName"]
IdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: IdentityPool
    RoleMappings:
      CognitoProvider:
        IdentityProvider:
          Fn::Join:
            - ""
            - - "cognito-idp."
              - Ref: AWS::Region
              - ".amazonaws.com/"
              - Ref: UserPool
              - ":"
              - Ref: UserPoolClient
        Type: Token
        AmbiguousRoleResolution: Deny
```
This does not work, because `IdentityPoolRoleAttachment` requires a `Roles` section. But I do not want to use authenticated and unauthenticated roles for the identity pool. I want the identity pool's Cognito provider to only check the incoming token.

Here is the error I get:
ServerlessError: An error occurred: IdentityPoolRoleAttachment - 1 validation error detected: Value null at 'roles' failed to satisfy constraint: Member must not be null (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: ValidationException; Request ID: 80026230-eaa9-4045-86d8-6fe4c07cce9d).
How do I do this? Do I need to create an empty role and assign it to `IdentityPoolRoleAttachment`?

I was able to set this up in the console without any identity pool roles.
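As an added example (not the poster's configuration), the following shows one way to satisfy the required `Roles` map while keeping role selection token-driven: the attachment supplies only a deliberately permission-less default authenticated role, so an identity whose token names no group role gets no AWS access, and `AmbiguousRoleResolution: Deny` refuses tokens that list several roles without a `cognito:preferred_role`. It assumes the error's reading that a `Roles` map is mandatory, and the resource name `CognitoAuthenticatedDefaultRole` is invented for the example.

```yaml
# Added example (not the poster's config): an IdentityPoolRoleAttachment that
# satisfies the required `Roles` map with a default authenticated role that
# carries no permissions policy, so only roles named in the token grant access.
CognitoAuthenticatedDefaultRole:   # hypothetical resource name
  Type: AWS::IAM::Role
  Properties:
    # No Policies / ManagedPolicyArns: an identity that lands here can do nothing.
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            # Only identities from this pool, and only authenticated ones.
            StringEquals:
              cognito-identity.amazonaws.com:aud:
                Ref: IdentityPool
            ForAnyValue:StringLike:
              cognito-identity.amazonaws.com:amr: authenticated

IdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: IdentityPool
    Roles:
      # Fallback only: used when the token names no role. Keep it free of rights.
      authenticated:
        Fn::GetAtt: [CognitoAuthenticatedDefaultRole, Arn]
    RoleMappings:
      CognitoProvider:
        IdentityProvider:
          Fn::Join:
            - ""
            - - "cognito-idp."
              - Ref: AWS::Region
              - ".amazonaws.com/"
              - Ref: UserPool
              - ":"
              - Ref: UserPoolClient
        Type: Token
        # A token listing several group roles without cognito:preferred_role is
        # refused rather than silently mapped to the default role.
        AmbiguousRoleResolution: Deny
```

The roles attached to the user pool groups need the same trust policy, since Cognito Identity assumes whichever of them the token's `cognito:roles` claim names.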