identitypool-roles

command

v0.0.0-...-36ac650 Latest Latest Go to latest Published: Aug 12, 2019 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dwtechnologies/custom-cf

Links

Open Source Insights

README ¶

identitypool-roles

Adds the ability to set Identity Pool Role mappings based on dynamic Identity Provider names.
Since this is not possible in the included Identity Pool Role Attachment of CloudFormation.

Which makes it impossible to do Role Attachment on UserPool Clients created in CloudFormation.

This function will mitigate that limitation.

Resource

The name for this custom resource is Custom::CognitoIdentityPoolRoles and supports all the parameters that you can make through the GUI and cli.

Structure

This is the YAML structure you use when using this Custom Resource.

Type: "Custom::CognitoIdentityPoolRoles"
Properties:
  Properties

See below for the supported Properties.

Properties

Property name	Type	Description	Required
Roles	Map of strings	Set the default roles ARNs. Currently supports keys authenticated and unauthenticated	No
RoleMappings	List of RoleMapping	The role mapping for a specific Identity Provider	No
ServiceToken	String	The ARN of the lambda function for this Custom Resource	Yes

For more details about the properties check the aws cli docs https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/set-identity-pool-roles.html.

RoleMapping Properties

When using UserPool the Identity Provider should be cognito-idp.${Region}.amazonaws.com/${UserPoolId}:${UserPoolClientId}.

Up to 25 rules can be specified per Identity Provider.

Property name	Type	Description	Required
IdentityProvider	String	The Identity Provider to use for the mapping	Yes
Type	String	Can be either Token or Rules. Where Token will use `cognito:roles` and `cognito:preferred_role` claims. Where `Rules` will match the claims from the token to a role	Yes
AmbiguousRoleResolution	String	Specify the action to be taken if there is no match if using type Rules or there is no preferred_role when using Token and multiple roles. Valid values are AuthenticatedRole or Deny	Yes
Rules	List of Rule	List of rules. This is required when choosing type Rules	No

Rule Properties

The rules for mapping roles if type is Rules.

Property name	Type	Description	Required
Claim	String	The Claim to match	Yes
MatchType	String	Either Equals, Contains, StarsWith or NotEqual	No
Value	String	The value to match against the claim	Yes
RoleArn	String	The ARN to the role to assign	Yes

Example

The following example will add an default authenticated role called AuthenticatedRole and map against a role called MappedRole if claim testGroup is testGroup.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Cognito UserPool"

Parameters:
  Environment:
    Description: "What environment we deploy to"
    Type: "String"
    Default: "dev"

Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      AliasAttributes:
        - "email"
      MfaConfiguration: "OFF"
      UserPoolName: "userpool"

  UserPoolClient:
    Type: "Custom::CognitoUserPoolClient"
    DependsOn:
      - "UserPool"
    Properties:
      ClientName: "testclient"
      SupportedIdentityProviders:
        - "COGNITO"
      ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cognito-userpool-client-${AWS::Region}-${Environment}"
      UserPoolId: !Ref "UserPool"

  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    DependsOn:
      - "UserPoolClient"
    Properties:
      IdentityPoolName: !Sub "identitypool"
      AllowUnauthenticatedIdentities: false
      CognitoIdentityProviders:
        - ClientId: !GetAtt "UserPoolClient.ClientId"
          ProviderName: !GetAtt "UserPool.ProviderName"
          ServerSideTokenCheck: false

  IdentityPoolRoleMappings:
    Type: "Custom::CognitoIdentityPoolRoles"
    DependsOn:
      - "IdentityPool"
      - "AuthenticatedRole"
      - "MappedRole"
    Properties:
      IdentityPoolId: !Ref "IdentityPool"
      Roles:
        authenticated: !GetAtt "AuthenticatedRole.Arn"
      RoleMappings:
        - IdentityProvider: !Sub "cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}:${UserPoolClient.ClientId}"
          Type: "Rules"
          AmbiguousRoleResolution: "Deny"
          RulesConfiguration:
            Rules:
              - Claim: "group"
                MatchType: "Equals"
                Value: "testGroup"
                RoleArn: !GetAtt "MappedRole.Arn"
      ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cognito-identitypool-roles-${AWS::Region}-${Environment}"

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL