【Question title】: How to export Cognito User Pool settings to CloudFormation template?
【Posted】: 2017-11-14 04:29:48
【Question】:

I have created a Cognito User Pool through the AWS console, but I would like to create new Cognito User Pools automatically via CloudFormation. Can I export the current user pool configuration to a CloudFormation template?

【Question discussion】:

    Tags: amazon-web-services aws-cognito amazon-cloudformation


    【Solution 1】:

    It cannot be exported. You need the following 6 resources to automate the process.

    1. Cognito authenticated role
    2. Cognito unauthenticated role
    3. User pool
    4. User pool client
    5. Identity pool
    6. Identity pool role attachment

    You need 3 outputs, which you will likely need in your code. Below is the code that creates these.

    AWSTemplateFormatVersion: 2010-09-09
    Parameters:
      envParameter:
        Type: String
        Default: dev
        AllowedValues: [ dev, test, qa, prod ]
        Description: Suffix to be added for names.
    Resources:
      # 3. User pool
      myApiUserPool:
        Type: "AWS::Cognito::UserPool"
        Properties:
          UserPoolName: !Sub myApiUserPool${envParameter}
      # 4. User pool app client (no client secret, as used by browser/mobile apps)
      myApiUserPoolClient:
        Type: "AWS::Cognito::UserPoolClient"
        Properties:
          ClientName: !Sub myApiUserPoolClient${envParameter}
          GenerateSecret: False
          RefreshTokenValidity: 30
          UserPoolId: !Ref myApiUserPool
      # 5. Identity pool, federating the user pool above
      myApiIdentityPool:
        Type: "AWS::Cognito::IdentityPool"
        Properties:
          IdentityPoolName: !Sub myApiIdentityPool${envParameter}
          AllowUnauthenticatedIdentities: False
          CognitoIdentityProviders:
            - ClientId: !Ref myApiUserPoolClient
              ProviderName: !GetAtt myApiUserPool.ProviderName
      # 2. Cognito unauthenticated role
      cognitoUnauthRole:
        Type: 'AWS::IAM::Role'
        Properties:
          RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Unauth_Role
          # Identity pools obtain credentials via AssumeRoleWithWebIdentity; the
          # Condition limits the trust to this identity pool's unauthenticated users.
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Federated: cognito-identity.amazonaws.com
                Action: [ 'sts:AssumeRoleWithWebIdentity' ]
                Condition:
                  StringEquals:
                    'cognito-identity.amazonaws.com:aud': !Ref myApiIdentityPool
                  'ForAnyValue:StringLike':
                    'cognito-identity.amazonaws.com:amr': unauthenticated
          Policies:
            - PolicyName: cognitounauth
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - mobileanalytics:PutEvents
                      - cognito-sync:*
                    Resource:
                      - "*"
      # 1. Cognito authenticated role
      cognitoAuthRole:
        Type: 'AWS::IAM::Role'
        Properties:
          RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Federated: cognito-identity.amazonaws.com
                Action: [ 'sts:AssumeRoleWithWebIdentity' ]
                Condition:
                  StringEquals:
                    'cognito-identity.amazonaws.com:aud': !Ref myApiIdentityPool
                  'ForAnyValue:StringLike':
                    'cognito-identity.amazonaws.com:amr': authenticated
          Policies:
            - PolicyName: cognitoauth
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    # execute-api:* on "*" lets every signed-in user invoke every API
                    # Gateway method in the account; scope Resource to your API's
                    # ARN(s) before using this outside a dev environment.
                    Action:
                      - mobileanalytics:PutEvents
                      - cognito-sync:*
                      - execute-api:*
                    Resource:
                      - "*"
      # 6. Identity pool role attachment
      myApiIdentityPoolRoleAttachment:
        DependsOn: [ myApiIdentityPool, cognitoUnauthRole, cognitoAuthRole ]
        Type: "AWS::Cognito::IdentityPoolRoleAttachment"
        Properties:
          IdentityPoolId: !Ref myApiIdentityPool
          Roles:
            authenticated: !GetAtt cognitoAuthRole.Arn
            unauthenticated: !GetAtt cognitoUnauthRole.Arn
    Outputs:
      userPool:
        Description: "User pool ID"
        Value: !Ref myApiUserPool
      identityPool:
        Description: "Identity pool ID"
        Value: !Ref myApiIdentityPool
      ClientId:
        Description: "Client id for the user pool app client"
        Value: !Ref myApiUserPoolClient


    【Discussion】:

    • aws cognito-idp describe-user-pool --user-pool-id XXXXXX
      aws cognito-idp describe-user-pool-client --user-pool-id XXXXX --client-id YYYYY
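
The two describe commands in the comment above return the pool's current settings as JSON; the following added example (not from the question or either answer) maps that `UserPool` object onto the template's AWS::Cognito::UserPool resource so the console-built pool can be recreated from a stack. The property mapping, the `SAMPLE_POOL` input and the helper names (`schema_for_cfn`, `user_pool_resource`) are assumptions; on a real pool, pass the `UserPool` key of `aws cognito-idp describe-user-pool --user-pool-id <id> --output json` instead of the sample.

```python
"""Map describe-user-pool's `UserPool` object onto an AWS::Cognito::UserPool resource.
The field mapping is an assumption from matching property names; the sample is constructed."""
import json
# Constructed sample shaped like the `UserPool` object describe-user-pool returns.
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE", "Name": "myApiUserPool", "EstimatedNumberOfUsers": 42,
    "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireUppercase": True,
                                    "RequireLowercase": True, "RequireNumbers": True,
                                    "RequireSymbols": False, "TemporaryPasswordValidityDays": 7}},
    "MfaConfiguration": "OPTIONAL", "AutoVerifiedAttributes": ["email"],
    "UsernameAttributes": ["email"], "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "SchemaAttributes": [
        {"Name": "sub", "AttributeDataType": "String", "Mutable": False, "Required": True},
        {"Name": "email", "AttributeDataType": "String", "Mutable": True, "Required": True},
        {"Name": "custom:tenant", "AttributeDataType": "String", "Mutable": True,
         "Required": False, "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "64"}},
    ],
}
# Same name and shape in the API response and the resource type; runtime fields
# (Id, Arn, EstimatedNumberOfUsers, dates) have no template equivalent and are dropped.
DIRECT_PROPERTIES = (
    "Policies", "MfaConfiguration", "AutoVerifiedAttributes", "AliasAttributes",
    "UsernameAttributes", "AdminCreateUserConfig", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "LambdaConfig", "UserPoolTags", "VerificationMessageTemplate",
    "AccountRecoverySetting", "UsernameConfiguration")
SCHEMA_KEYS = ("Name", "AttributeDataType", "Mutable", "Required",
               "StringAttributeConstraints", "NumberAttributeConstraints")

def schema_for_cfn(attrs):
    out = []  # keep custom attributes and required standard ones; `sub` is server-managed
    for a in attrs:
        if a["Name"] == "sub":
            continue
        entry = {k: a[k] for k in SCHEMA_KEYS if k in a}
        if entry["Name"].startswith("custom:"):
            entry["Name"] = entry["Name"][len("custom:"):]  # Cognito re-adds the prefix
        elif not a.get("Required"):
            continue  # unrequired standard attributes keep their defaults
        out.append(entry)
    return out

def user_pool_resource(pool, logical_id="myApiUserPool"):
    props = {"UserPoolName": pool["Name"]}
    props.update({k: pool[k] for k in DIRECT_PROPERTIES if k in pool})
    schema = schema_for_cfn(pool.get("SchemaAttributes", []))
    if schema:
        props["Schema"] = schema
    return {logical_id: {"Type": "AWS::Cognito::UserPool", "Properties": props}}
if __name__ == "__main__":  # print a JSON template fragment for the sample
    print(json.dumps({"Resources": user_pool_resource(SAMPLE_POOL)}, indent=2))
```

Review the generated fragment before deploying it: settings such as EmailConfiguration or LambdaConfig may reference ARNs from the source account, and MFA set to ON or OPTIONAL still needs the pool's SMS or TOTP configuration declared alongside it.
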
    【Solution 2】:

    There is currently no way to export an existing user pool from Cognito. However, you can create new user pools in AWS CloudFormation and then manage those pools from CloudFormation itself using the AWS::Cognito::UserPool resource type.

    【Discussion】:
