Resource: awsCognitoIdentityPoolRolesAttachment
Provides an AWS Cognito Identity Pool Roles Attachment.
Example Usage
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

const awsCognitoIdentityPoolMain = new aws.cognitoIdentityPool.CognitoIdentityPool(this, "main", {
  allowUnauthenticatedIdentities: false,
  identityPoolName: "identity pool",
  supportedLoginProviders: {
    "graph.facebook.com": "7346241598935555",
  },
});

// Trust policy for the authenticated role: only identities issued by this pool (aud)
// that signed in through a login provider (amr contains "authenticated") may assume it.
const dataAwsIamPolicyDocumentAuthenticated = new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
  this,
  "authenticated",
  {
    statement: [
      {
        actions: ["sts:AssumeRoleWithWebIdentity"],
        condition: [
          {
            test: "StringEquals",
            values: [awsCognitoIdentityPoolMain.id],
            variable: "cognito-identity.amazonaws.com:aud",
          },
          {
            test: "ForAnyValue:StringLike",
            values: ["authenticated"],
            variable: "cognito-identity.amazonaws.com:amr",
          },
        ],
        effect: "Allow",
        principals: [
          {
            identifiers: ["cognito-identity.amazonaws.com"],
            type: "Federated",
          },
        ],
      },
    ],
  }
);

// Permissions policy for the authenticated role. actions, effect and resources belong
// inside a statement entry; the data source has no top-level actions argument.
const dataAwsIamPolicyDocumentAuthenticatedRolePolicy = new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
  this,
  "authenticated_role_policy",
  {
    statement: [
      {
        actions: [
          "mobileanalytics:PutEvents",
          "cognito-sync:*",
          "cognito-identity:*",
        ],
        effect: "Allow",
        resources: ["*"],
      },
    ],
  }
);

const awsIamRoleAuthenticated = new aws.iamRole.IamRole(this, "authenticated_3", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAuthenticated.json,
  name: "cognito_authenticated",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsIamRoleAuthenticated.overrideLogicalId("authenticated");

const awsIamRolePolicyAuthenticated = new aws.iamRolePolicy.IamRolePolicy(this, "authenticated_4", {
  name: "authenticated_policy",
  policy: dataAwsIamPolicyDocumentAuthenticatedRolePolicy.json,
  role: awsIamRoleAuthenticated.id,
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsIamRolePolicyAuthenticated.overrideLogicalId("authenticated");

const awsCognitoIdentityPoolRolesAttachmentMain = new aws.cognitoIdentityPoolRolesAttachment.CognitoIdentityPoolRolesAttachment(
  this,
  "main_5",
  {
    identityPoolId: awsCognitoIdentityPoolMain.id,
    roleMapping: [
      {
        ambiguousRoleResolution: "AuthenticatedRole",
        identityProvider: "graph.facebook.com",
        mappingRule: [
          {
            claim: "isAdmin",
            matchType: "Equals",
            roleArn: awsIamRoleAuthenticated.arn,
            value: "paid",
          },
        ],
        type: "Rules",
      },
    ],
    roles: {
      authenticated: awsIamRoleAuthenticated.arn,
    },
  }
);
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsCognitoIdentityPoolRolesAttachmentMain.overrideLogicalId("main");
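The two conditions in the "authenticated" trust policy above are what keep the role usable only from this pool and only by signed-in users; without the aud condition any identity pool in any AWS account could assume the role, and without the amr condition unauthenticated guests could. The following added example (not part of the provider docs) audits a rendered trust policy JSON for exactly those two conditions; the pool id and the sample documents are constructed placeholders.

```typescript
// Added example, not part of the provider docs: audit a rendered IAM trust policy for the
// pattern the "authenticated" document above produces. Each finding is one way the role
// could be assumed from outside the intended identity pool or by guest identities.
type Condition = Record<string, Record<string, string | string[]>>;
interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: { Federated?: string | string[] };
  Action: string | string[];
  Condition?: Condition;
}
interface PolicyDocument { Version: string; Statement: Statement[] }
const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns one finding per weakness; an empty array means every Allow statement for
// sts:AssumeRoleWithWebIdentity is pinned to expectedPoolId and to authenticated users.
function auditCognitoTrustPolicy(doc: PolicyDocument, expectedPoolId: string): string[] {
  const findings: string[] = [];
  for (let i = 0; i < doc.Statement.length; i++) {
    const s = doc.Statement[i];
    if (s.Effect !== "Allow") continue;
    if (!asList(s.Principal?.Federated).includes("cognito-identity.amazonaws.com")) continue;
    if (!asList(s.Action).includes("sts:AssumeRoleWithWebIdentity")) continue;
    const cond = s.Condition ?? {};
    const aud = asList(cond["StringEquals"]?.["cognito-identity.amazonaws.com:aud"]);
    if (aud.length === 0) {
      findings.push(`statement ${i}: no aud condition, any identity pool in any AWS account can assume the role`);
    } else if (aud.some((a) => a !== expectedPoolId)) {
      findings.push(`statement ${i}: aud ${aud.join(",")} is not the expected pool ${expectedPoolId}`);
    }
    // amr is a multi-value key, so the page's document tests it with ForAnyValue:StringLike.
    const amr = asList(cond["ForAnyValue:StringLike"]?.["cognito-identity.amazonaws.com:amr"]);
    if (!amr.includes("authenticated")) {
      findings.push(`statement ${i}: amr does not require "authenticated", unauthenticated guests can assume the role`);
    }
  }
  return findings;
}

// Constructed sample documents; the pool id is a placeholder, not a real pool.
const POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";
const trustStatement = (condition?: Condition): Statement => ({
  Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: "cognito-identity.amazonaws.com" }, Condition: condition,
});
const pinnedPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [trustStatement({
  StringEquals: { "cognito-identity.amazonaws.com:aud": POOL_ID },
  "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
})] };
// The same statement with both conditions dropped: the role trusts every Cognito identity.
const unpinnedPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [trustStatement()] };
```

Run it against the JSON that dataAwsIamPolicyDocumentAuthenticated.json renders (for example in a plan-time policy test) and fail the deployment on any finding.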
Argument Reference
The Cognito Identity Pool Roles Attachment argument layout is a structure composed of several sub-resources; these resources are laid out below.

- identityPoolId (Required) - An identity pool ID in the format REGION_GUID.
- roleMapping (Optional) - A list of Role Mappings.
- roles (Required) - The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.

Role Mappings

- identityProvider (Required) - A string identifying the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id". Depends on cognitoIdentityProviders set on the awsCognitoIdentityPool resource or an awsCognitoIdentityProvider resource.
- ambiguousRoleResolution (Optional) - Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type. Required if you specify Token or Rules as the Type.
- mappingRule (Optional) - The Rules Configuration to be used for mapping users to roles. You can specify up to 25 rules per identity provider. Rules are evaluated in order. The first one to match specifies the role.
- type (Required) - The role mapping type.

Rules Configuration

- claim (Required) - The claim name that must be present in the token, for example, "isAdmin" or "paid".
- matchType (Required) - The match condition that specifies how closely the claim value in the IdP token must match Value.
- roleArn (Required) - The role ARN.
- value (Required) - A brief string that the claim must match, for example, "paid" or "yes".
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- id - The identity pool ID.
Import
Cognito Identity Pool Roles Attachment can be imported using the Identity Pool ID, e.g.,