Cannot set a property of cognito userpool client via cloudformation

前端 未结 5 1052
無奈伤痛
無奈伤痛 2021-02-06 12:31

I am trying to run congnito via cloudformation and everything works but there is section in cognito as follows:

As you see there is section \"Enable identity pr

相关标签:
5条回答
  • 2021-02-06 12:55

    As of October 2019 cognito resources are now support by cloudformation. Resources are created with the expected types of AWS::Cognito::UserPool, AWS::Cognito::UserPoolClient, AWS::Cognito::UserPoolDomain, etc.

    The documentation for cloudformation is available here.

    0 讨论(0)
  • 2021-02-06 13:04

    I ran into the same problem last month. This property is not supported in CFN yet. So I ended up using CFN custom resource to create the pool client. More here about CFN Custom Resource. Essentially, I have CFN call a Lambda function to create the user pool client (all properties are supported in SDK).

    0 讨论(0)
  • 2021-02-06 13:04

    As other answers stated, there is now a way to setup a UserPoolClient using CloudFormation however I arrived to this question looking for specific examples because I was struggle with some parameters. I want to put it here the example just in case someone is also looking for an example.

    In my example I've also included a federated logon with google to make it more complete. If you don't want to login with google just remove it from SupportedIdentityProviders.

    Template below:

    AWSTemplateFormatVersion: 2010-09-09
    Parameters: 
      envParameter: 
        Type: String
        Default: dev
        AllowedValues: [ dev, staging, prod ]
        Description: Suffix to be added for names.
    Resources:
      myUserPool:
        DependsOn: [ cognitoSMSRole ]
        Type: AWS::Cognito::UserPool
        Properties:
          AccountRecoverySetting:
            RecoveryMechanisms: 
              - Name: verified_email
                Priority: 1
              - Name: verified_phone_number
                Priority: 2
          AdminCreateUserConfig: 
              AllowAdminCreateUserOnly: False
          AutoVerifiedAttributes: 
            - phone_number
          EnabledMfas: 
            - SMS_MFA
          MfaConfiguration: OPTIONAL
          Policies: 
            PasswordPolicy: 
              MinimumLength: 8
              RequireLowercase: True
              RequireNumbers: True
              RequireSymbols: True
              RequireUppercase: True
              TemporaryPasswordValidityDays: 7
          Schema: 
            - AttributeDataType: String
              DeveloperOnlyAttribute: False
              Mutable: False
              Name: name
              Required: True
            - AttributeDataType: String
              DeveloperOnlyAttribute: False
              Mutable: False
              Name: last_name
              Required: False
          SmsConfiguration:
              ExternalId: !Sub cognito-sms-role-${envParameter}
              SnsCallerArn: !GetAtt cognitoSMSRole.Arn
          UsernameAttributes: 
            - phone_number
          UsernameConfiguration: 
            CaseSensitive: False
          UserPoolName: !Sub UserPool-${envParameter}
    
      cognitoSMSRole:
        Type: "AWS::IAM::Role"
        Properties:
          AssumeRolePolicyDocument: 
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Principal: 
                  Service: 
                    - "cognito-idp.amazonaws.com"
                Action: 
                  - "sts:AssumeRole"
          Policies:
            - PolicyName: "CognitoSNSPolicy"
              PolicyDocument: 
                Version: "2012-10-17"
                Statement: 
                  - Effect: "Allow"
                    Action: "sns:publish"
                    Resource: "*"
    
      cognitoClient:
        DependsOn: [ myUserPool, googleProvider ]
        Type: AWS::Cognito::UserPoolClient
        Properties: 
          AllowedOAuthFlows: 
            - code
            - implicit
          AllowedOAuthFlowsUserPoolClient: True
          AllowedOAuthScopes: 
            - email
            - openid
            - profile
          CallbackURLs: 
            - http://google.co.uk
          ClientName: !Sub cognito-appid-${envParameter}
          GenerateSecret: False
          LogoutURLs: 
            - http://google.co.uk
          PreventUserExistenceErrors: ENABLED 
          RefreshTokenValidity: 1
          SupportedIdentityProviders: 
            - COGNITO
            - Google
          UserPoolId: !Ref myUserPool
      googleProvider:
        DependsOn: [ myUserPool ]
        Type: AWS::Cognito::UserPoolIdentityProvider
        Properties: 
          AttributeMapping:
            name: emailAddress
            sub: Username
          ProviderDetails: 
            client_id: client_id.apps.googleusercontent.com
            client_secret: this_is_the_client_secret
            authorize_scopes: email openid profile
          ProviderName: Google
          ProviderType: Google
          UserPoolId: !Ref myUserPool
    
    
    Outputs:
     userPool:
        Description: "User pool ID"
        Value: !Ref myUserPool
     identityPool:
        Description: "Identity pool ID"
        Value: !Ref cognitoClient
    
    
    0 讨论(0)
  • 2021-02-06 13:14

    As ASR says, this doesn't seem to be supported in Cloudformation yet.

    We ended up trying out Terraform - which does support it e.g.

    resource "aws_cognito_user_pool_client" "my_client" {
      ...
      supported_identity_providers = ["COGNITO"]
    }
    

    We've now switched everything to using terraform as it's orders of magnitude easier to understand, read, and write than Cloudformation.

    I know that's probably not the answer you want but I hope it helps.

    0 讨论(0)
  • 2021-02-06 13:16

    As other answer suggest, this can't be done in CloudFormation natively as of yet. However, as ASR answer advises it is possible to do so through CloudFormation custom resource.

    My employer has open sourced its collection of custom resources, including CognitoUserPool and CognitoDomainName (which is also not supported in CloudFormation). Custom resources source code can be found on github

    Below are manual directions on setting this up - you can always automate things further by placing Custom Resource backing Lambda in CloudFormation as well.

    All commands below are for Mac. You may need to modify base64 flags for other platforms

    1. Create IAM Role For Lambda

    aws iam create-role --role-name LambdaRoleCognito --assume-role-policy-document '{
          "Version": "2012-10-17",
          "Statement": [
          {
              "Effect": "Allow",
              "Principal": {
                  "Service": "lambda.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
          }
      ]
      }'
    aws iam attach-role-policy --role-name LambdaRoleCognito \
      --policy-arn  arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
    
    aws iam attach-role-policy --role-name LambdaRoleCognito \
      --policy-arn  arn:aws:iam::aws:policy/AmazonCognitoPowerUser
    

    2. Download lambda source code, upload to your local bucket, and create lambda

    wget https://github.com/base2Services/cloudformation-custom-resources-nodejs/releases/download/1.0.0/ccr-nodejs-1.0.0.zip
    account_id=$(aws sts get-caller-identity --query Account --output text)
    aws s3 mb s3://${account_id}.cfncustomres.source
    aws s3 cp ccr-nodejs-1.0.0.zip s3://${account_id}.cfncustomres.source/ccr-nodejs-1.0.0.zip
    
    aws lambda create-function --function-name CfnCrCognitUPC --runtime nodejs6.10 \
        --role arn:aws:iam::${account_id}:role/LambdaRoleCognito  \
        --timeout 30 \
        --memory-size 512 \
        --code S3Bucket=${account_id}.cfncustomres.source,S3Key=ccr-nodejs-1.0.0.zip \
        --handler cognito-user-pool-client/index.handler
    

    3. Optional Test lambda by invoking with test payload

    aws lambda invoke --function-name CfnCrCognitUPC --payload '{
      "StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
      "ResponseURL": "http://pre-signed-S3-url-for-response",
      "ResourceProperties": {
        "ClientName": "MyCCRCreatedUP",
        "SupportedIdentityProviders": [
          "COGNITO"
        ],
        "UserPoolId":"!! REPLACE WITH YOUR USER POOL ID !!"
      },
      "RequestType": "Create",
      "ResourceType": "Custom::TestResource",
      "RequestId": "unique id for this create request",
      "LogicalResourceId": "MyTestResource"
    }' --log-type Tail --invocation-type RequestResponse output.txt --query LogResult --output text | base64 -D
    

    4. Create custom resource in CloudFormation template

    For list of all supported properties checkout custom resource JSON schema

    Resources:
      MyPoolApplication:
        Type: Custom::CognitoUserPool
        Properties:
          ServiceToken: arn:aws:lambda:<<REPLACE_WITH_YOUR_REGION>>:<<REPLACE_WITH_YOUR_ACCOUNT_ID>>:function:CfnCrCognitUPC
          ClientName: ApplicationClientNameHere
          UserPoolId: 
            Ref: UserPool
          SupportedIdentityProviders:
            - COGNITO
          .... other support properties .... 
    
    0 讨论(0)
提交回复
热议问题