【Question title】: Add a role to an AWS Cognito Identity Pool via CloudFormation
【Posted】: 2017-08-05 02:40:07
【Question】:

I am trying to write a CloudFormation template that creates a new Cognito identity pool, authenticates with Google, and uses a pre-existing role.

This code creates a new identity pool with Google authentication:

Resources:
  cognitoid:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      AllowUnauthenticatedIdentities: false
      SupportedLoginProviders:
        "accounts.google.com": "<Google client id>"

As for the role, AWS::Cognito::IdentityPool has no property for attaching a role.

【Question discussion】:

    Tags: amazon-web-services amazon-cloudformation


    【Solution 1】:

    Finally got it working:

    AWSTemplateFormatVersion: 2010-09-09

    Description: Stack to create a new Cognito identity pool with CloudFormation permissions to authenticate using a Google+ API

    Resources:
      CognitoId:
        Type: "AWS::Cognito::IdentityPool"
        Properties:
          AllowUnauthenticatedIdentities: false
          SupportedLoginProviders:
            "accounts.google.com": "253488098773-olaksun66kcniitls6q7dne2asn23sdm.apps.googleusercontent.com"

      IamRole:
        Type: "AWS::IAM::Role"
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sts:AssumeRoleWithWebIdentity"
                Condition:
                  "ForAnyValue:StringLike":
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                  "StringEquals":
                    "cognito-identity.amazonaws.com:aud": !Ref CognitoId
                Principal:
                  Federated:
                    - "cognito-identity.amazonaws.com"
          Path: "/"
          Policies:
            - PolicyName: main
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: "Allow"
                    Action:
                      - "cloudformation:CreateStack"
                      - "cloudformation:UpdateStack"
                      - "cloudformation:DeleteStack"
                      - "cloudformation:CreateUploadBucket"
                      - "cloudformation:DescribeStacks"
                      - "cloudformation:DescribeStackEvents"
                      - "cloudformation:GetTemplateSummary"
                      - "cloudformation:ListStacks"
                      - "cloudformation:ListStackResources"
                      - "s3:CreateBucket"
                      - "s3:GetObject"
                      - "s3:PutObject"
                      - "mobileanalytics:PutEvent"
                      - "cognito-sync:*"
                      - "cognito-identity:*"
                    Resource: "*"

      IdentityPoolRoleAttachment:
        Type: "AWS::Cognito::IdentityPoolRoleAttachment"
        Properties:
          IdentityPoolId: !Ref CognitoId
          Roles:
            authenticated: !GetAtt IamRole.Arn


    【Discussion】:
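As an added check (not part of the question or the answer above): the IdentityPoolRoleAttachment only tells the pool which role to hand out; what stops any other identity pool, or an unauthenticated identity, from assuming that role is the Condition block in the role's AssumeRolePolicyDocument. The standard-library Python below inspects such a trust policy offline. The policy dictionary is a constructed copy of the answer's trust policy, and the pool id is a constructed placeholder standing in for whatever !Ref CognitoId resolves to at deploy time.

```python
import json

# Constructed placeholder for the identity pool id that !Ref CognitoId resolves
# to at deploy time (assumed region:uuid shape; the value is invented here).
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# Constructed copy of the answer's AssumeRolePolicyDocument with the !Ref
# already resolved to POOL_ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRoleWithWebIdentity"],
            "Principal": {"Federated": ["cognito-identity.amazonaws.com"]},
            "Condition": {
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                },
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": POOL_ID
                },
            },
        }
    ],
}

# Constructed weak variant: the aud condition is dropped, so the role is no
# longer tied to this particular identity pool.
WEAK_TRUST_POLICY = json.loads(json.dumps(TRUST_POLICY))
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]["StringEquals"]


def _as_list(value):
    """IAM accepts a scalar or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key, operators):
    """Return the values bound to `key` under any of `operators`, ignoring a
    ForAnyValue:/ForAllValues: set-operator prefix; None if the key is absent."""
    for operator, pairs in condition.items():
        if operator.split(":")[-1] in operators and key in pairs:
            return _as_list(pairs[key])
    return None


def check_cognito_trust_policy(policy, expected_pool_id):
    """Return findings for every Allow statement that lets Cognito identities
    call sts:AssumeRoleWithWebIdentity. An empty list means each such statement
    is pinned to `expected_pool_id` and requires an authenticated identity."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if not actions & {"sts:AssumeRoleWithWebIdentity", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if "cognito-identity.amazonaws.com" not in federated:
            continue
        condition = stmt.get("Condition", {})

        # The aud claim carries the identity pool id; only an exact match pins the role.
        aud = _condition_values(condition, "cognito-identity.amazonaws.com:aud", {"StringEquals"})
        if aud is None:
            findings.append(f"statement {index}: no StringEquals on cognito-identity.amazonaws.com:aud, "
                            "so any identity pool that lists this role can hand it out")
        elif expected_pool_id not in aud:
            findings.append(f"statement {index}: aud {aud} is not the expected pool {expected_pool_id}")

        # The amr claim says how the identity logged in; 'authenticated' excludes guests.
        amr = _condition_values(condition, "cognito-identity.amazonaws.com:amr", {"StringLike", "StringEquals"})
        if amr is None:
            findings.append(f"statement {index}: no condition on cognito-identity.amazonaws.com:amr, "
                            "so unauthenticated identities are not excluded")
        elif "authenticated" not in amr:
            findings.append(f"statement {index}: amr {amr} does not require 'authenticated'")
    return findings


if __name__ == "__main__":
    for name, doc in (("answer policy", TRUST_POLICY), ("weak variant", WEAK_TRUST_POLICY)):
        print(name, "->", check_cognito_trust_policy(doc, POOL_ID) or ["ok"])
```

Run against the answer's policy the checker returns no findings; against the weak variant it reports the missing aud condition. The same function can be pointed at the trust policy of any existing role (for example the JSON returned by the IAM API) with the pool id you expect that role to belong to.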
