Cognito user pool setup for Serverless (as CloudFormation resource)
```yaml
#
# Cognito user pool/auth setup
#
Resources:
  MyAppUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: myapp_user_pool
      UsernameAttributes: # use email as username/login
        - 'email'
      AutoVerifiedAttributes:
        - 'email'
      UsernameConfiguration:
        CaseSensitive: false
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: true
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: 'Thanks for signing up with MyApp! Your verification code is {####}'
        EmailSubject: 'Your MyApp verification code'
      UserPoolTags:
        MyApp: 'true'
  MyAppCognitoClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: myapp_app_user_pool_client
      UserPoolId:
        Ref: MyAppUserPool
      # Units below are the defaults when TokenValidityUnits is not set
      AccessTokenValidity: 24 # hours
      IdTokenValidity: 24 # hours
      RefreshTokenValidity: 1825 # days - 5 years
  MyAppIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: myapp_identity_pool
      AllowUnauthenticatedIdentities: false
      CognitoIdentityProviders:
        - ClientId:
            Ref: MyAppCognitoClient
          ProviderName:
            Fn::GetAtt: [MyAppUserPool, ProviderName]
  MyAppIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: MyAppIdentityPool
      Roles:
        authenticated:
          Fn::GetAtt: [MyAppUserAuthRole, Arn]
        unauthenticated:
          Fn::GetAtt: [MyAppUserUnauthRole, Arn]
  MyAppUserAuthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyAppUserAuthRole
      Path: /
      # Trust policy: only identities from this identity pool (aud), and only
      # authenticated ones (amr), may assume the role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Federated: 'cognito-identity.amazonaws.com'
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud':
                  Ref: MyAppIdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': authenticated
      Policies:
        - PolicyName: 'MyAppUserAuthorizedPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'mobileanalytics:PutEvents'
                  - 'cognito-sync:*'
                  - 'cognito-identity:*'
                Resource: '*'
              - Effect: 'Allow'
                Action:
                  - 'execute-api:Invoke'
                # '*' lets authenticated users invoke any IAM-authorized API
                # Gateway method; narrow this to the MyApp API's ARN if possible
                Resource: '*'
  MyAppUserUnauthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyAppUserUnauthRole
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Federated: 'cognito-identity.amazonaws.com'
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud':
                  Ref: MyAppIdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': unauthenticated
      Policies:
        - PolicyName: 'MyAppUserUnauthorizedPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'mobileanalytics:PutEvents'
                  - 'cognito-sync:*'
                  - 'cognito-identity:*'
                Resource: '*'
  # This is a Cognito User Pool authorizer that allows API calls to MyApp.
  # API endpoints are auth'ed via the Authorization header, without needing to
  # do AWS v4 signing. See:
  # https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
  # To set it to be used with a given lambda/API, add an "authorizer" section to
  # the lambda such as:
  #   authorizer:
  #     type: COGNITO_USER_POOLS
  #     authorizerId:
  #       Ref: MyAppAPIAuthorizer
  MyAppAPIAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      AuthorizerResultTtlInSeconds: 300
      AuthType: String
      IdentitySource: method.request.header.Authorization
      Name: MyAppAPIAuthorizer
      ProviderARNs:
        - Fn::GetAtt: [MyAppUserPool, Arn]
      RestApiId:
        Ref: ApiGatewayRestApi
      Type: COGNITO_USER_POOLS
```
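Added example, not part of the gist: a small check over the two identity-pool IAM roles above, modelled as Python dicts that mirror the CloudFormation (the `make_role` helper, the role names and the placeholder API ARN are constructed here). It verifies that each trust policy pins `sts:AssumeRoleWithWebIdentity` to this identity pool (`aud`) and to a single `amr` value, and flags `execute-api:Invoke` granted on `Resource: '*'`, which is the one finding the template as written produces.

```python
COGNITO = "cognito-identity.amazonaws.com"

def make_role(amr, statements, pin_aud=True):
    """Constructed stand-in for one AWS::IAM::Role from the template above."""
    cond = {"ForAnyValue:StringLike": {f"{COGNITO}:amr": amr}}
    if pin_aud:  # the aud condition ties the role to this identity pool only
        cond["StringEquals"] = {f"{COGNITO}:aud": {"Ref": "MyAppIdentityPool"}}
    trust = {"Effect": "Allow", "Principal": {"Federated": COGNITO},
             "Action": ["sts:AssumeRoleWithWebIdentity"], "Condition": cond}
    return {"AssumeRolePolicyDocument": {"Statement": [trust]},
            "Policies": [{"PolicyName": "p", "PolicyDocument": {"Statement": statements}}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def lint_role(name, role):
    """Return findings for one role; an empty list means both checks passed."""
    findings = []
    for st in role["AssumeRolePolicyDocument"]["Statement"]:
        if st.get("Principal", {}).get("Federated") != COGNITO:
            continue
        cond = st.get("Condition", {})
        if f"{COGNITO}:aud" not in cond.get("StringEquals", {}):
            findings.append(f"{name}: trust policy not pinned to the identity pool (no aud condition)")
        amr = cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO}:amr")
        if amr not in ("authenticated", "unauthenticated"):
            findings.append(f"{name}: amr condition missing or not a single value ({amr!r})")
    for pol in role.get("Policies", []):
        for st in pol["PolicyDocument"]["Statement"]:
            if (st["Effect"] == "Allow" and "execute-api:Invoke" in as_list(st["Action"])
                    and "*" in as_list(st["Resource"])):
                findings.append(f"{name}: execute-api:Invoke allowed on every API (Resource '*')")
    return findings

# Constructed mirrors of the template's roles, plus a scoped and an unpinned variant.
BASE = [{"Effect": "Allow", "Resource": "*",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"]}]
INVOKE_ALL = {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": "*"}
INVOKE_ONE = {"Effect": "Allow", "Action": ["execute-api:Invoke"],
              "Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*"}  # placeholder ARN
AUTH_AS_WRITTEN = make_role("authenticated", BASE + [INVOKE_ALL])
AUTH_SCOPED = make_role("authenticated", BASE + [INVOKE_ONE])
UNAUTH = make_role("unauthenticated", BASE)
UNPINNED = make_role("authenticated", BASE, pin_aud=False)

if __name__ == "__main__":
    for name, role in [("AuthAsWritten", AUTH_AS_WRITTEN), ("AuthScoped", AUTH_SCOPED),
                       ("Unauth", UNAUTH), ("Unpinned", UNPINNED)]:
        print(name, lint_role(name, role) or "OK")
```

The same check can be pointed at a real template by loading the YAML and passing each `AWS::IAM::Role` resource's `Properties` to `lint_role`.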