Create a Cognito Authentication Backend via CloudFormation
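AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito Stack
Parameters:
  AuthName:
    Type: String
    Description: Unique Auth Name for Cognito Resources
  AllowUnauthenticated:
    Type: String
    Description: >-
      Whether the identity pool hands out AWS credentials to callers that have
      not signed in (via the unauthenticated role below). Defaults to "true" to
      keep the original behaviour of this template; set it to "false" unless
      the app genuinely needs guest access, because anyone who learns the
      identity pool id can obtain those credentials.
    Default: "true"
    AllowedValues: ["true", "false"]
Resources:
  # User pool the app authenticates against.
  # NOTE(review): as written this pool does NOT enforce MFA and does not collect
  # or verify a phone number. To require MFA add `MfaConfiguration: "ON"`
  # together with `EnabledMfas` (plus `SmsConfiguration` if SMS MFA is used).
  # Other fields can be added to the schema.
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
  # App client used by the identity pool. No client secret is generated because
  # this client is meant for browser/mobile code, which cannot keep a secret.
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub ${AuthName}-client
      GenerateSecret: false
      # Return the same generic error for unknown and known users so the
      # sign-in endpoint cannot be used to enumerate accounts.
      PreventUserExistenceErrors: ENABLED
      UserPoolId: !Ref UserPool
  # Federated identity pool that exchanges user-pool tokens for AWS credentials.
  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub ${AuthName}Identity
      AllowUnauthenticatedIdentities: !Ref AllowUnauthenticated
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName
  # Role for unauthenticated (guest) access to AWS resources. Kept minimal and
  # scoped to this identity pool. The trust policy only admits identities that
  # come from this pool (aud) and are unauthenticated (amr).
  CognitoUnAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # mobileanalytics:PutEvents does not support resource-level
              # permissions, so "*" is the only valid resource for it.
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                Resource: "*"
              # Cognito Sync access is limited to datasets in THIS identity
              # pool instead of every identity pool in the account.
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource:
                  - !Sub "arn:${AWS::Partition}:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
                  - !Sub "arn:${AWS::Partition}:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}/*"
  # Role for authenticated access to AWS resources. Control what your signed-in
  # users can reach here. The trust policy only admits identities from this
  # identity pool (aud) that are authenticated (amr).
  # NOTE(review): AmazonS3ReadOnlyAccess grants read and list on EVERY bucket in
  # the account to every signed-in user. Replace it with an inline policy scoped
  # to the bucket(s) and prefixes this app actually uses (e.g. keyed on
  # ${cognito-identity.amazonaws.com:sub}) before using this in production.
  CognitoAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  # Attaches the two roles to the identity pool.
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn
# Export names are fixed strings (not derived from AuthName), so this stack can
# only be deployed once per account/region; a second deployment will fail on
# the duplicate export. Left unchanged so existing importers keep working.
Outputs:
  UserPoolId:
    Value: !Ref UserPool
    Export:
      Name: "UserPool::Id"
  UserPoolClientId:
    Value: !Ref UserPoolClient
    Export:
      Name: "UserPoolClient::Id"
  IdentityPoolId:
    Value: !Ref IdentityPool
    Export:
      Name: "IdentityPool::Id"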