mtinra/cognito.yaml

## cognito.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito Stack
Parameters:
  AuthName:
    Type: String
    Description: Unique Auth Name for Cognito Resources
  API_ID:
    Type: String
    Despription: API Gateway ID

Resources:
  # Creates a user pool in cognito for your app to auth against
  # This example requires MFA and validates the phone number to use as MFA
  # Other fields can be added to the schema
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${AuthName}_user_pool
      UsernameAttributes: [email] #https://forums.aws.amazon.com/thread.jspa?threadID=259349
      AutoVerifiedAttributes: [email]
      EmailVerificationMessage: this is the link {####}
      EmailVerificationSubject: Please Confirm your email...
      MfaConfiguration: 'OFF'
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: true

  # Creates a User Pool Client to be used by the identity pool
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub ${AuthName}_client_name
      ExplicitAuthFlows:
        - ADMIN_NO_SRP_AUTH
      GenerateSecret: false
      UserPoolId: !Ref UserPool

  # Creates a federeated Identity pool
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Sub ${AuthName}_identity_pool
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
  CognitoUnAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      Policies:
        - PolicyName: CognitoUnauthorizedPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource: "*"

  # Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation
  # Only allows users in the previously created Identity Pool
  CognitoAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated

      Policies:
        - PolicyName: CognitoAuthorizedPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - cognito-identity:*
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource: "*"

              - Effect: Allow
                Action: execute-api:Invoke
                Resource: arn:aws:execute-api:ap-southeast-1:*:${API_ID}/*/*/*

  # Assigns the roles to the Identity Pool
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

Outputs:
  UserPoolId:
    Value: !Ref UserPool
    Export:
      Name: "UserPool::Id"
  UserPoolClientId:
    Value: !Ref UserPoolClient
    Export:
      Name: "UserPoolClient::Id"
  IdentityPoolId:
    Value: !Ref IdentityPool
    Export:
      Name: "IdentityPool::Id"

## description.md

      
    Raw
  

              description.md
            
          
    This creates a starting point for a simple Authentication backend using AWS Cognito. With this you can create everything you need for the backend to register, login, and access AWS Lambda and other services.
To get started builing a client...
Identity: https://github.com/aws/amazon-cognito-identity-js
Serverless: https://blog.rackspace.com/part-1-building-server-less-architecture-aws
	AWSTemplateFormatVersion: '2010-09-09'
	Description: Cognito Stack
	Parameters:
	AuthName:
	Type: String
	Description: Unique Auth Name for Cognito Resources
	API_ID:
	Type: String
	Despription: API Gateway ID

	Resources:
	# Creates a user pool in cognito for your app to auth against
	# This example requires MFA and validates the phone number to use as MFA
	# Other fields can be added to the schema
	UserPool:
	Type: AWS::Cognito::UserPool
	Properties:
	UserPoolName: !Sub ${AuthName}_user_pool
	UsernameAttributes: [email] #https://forums.aws.amazon.com/thread.jspa?threadID=259349
	AutoVerifiedAttributes: [email]
	EmailVerificationMessage: this is the link {####}
	EmailVerificationSubject: Please Confirm your email...
	MfaConfiguration: 'OFF'
	Policies:
	PasswordPolicy:
	MinimumLength: 8
	RequireLowercase: true
	RequireNumbers: true
	RequireSymbols: false
	RequireUppercase: true

	# Creates a User Pool Client to be used by the identity pool
	UserPoolClient:
	Type: "AWS::Cognito::UserPoolClient"
	Properties:
	ClientName: !Sub ${AuthName}_client_name
	ExplicitAuthFlows:
	- ADMIN_NO_SRP_AUTH
	GenerateSecret: false
	UserPoolId: !Ref UserPool

	# Creates a federeated Identity pool
	IdentityPool:
	Type: AWS::Cognito::IdentityPool
	Properties:
	IdentityPoolName: !Sub ${AuthName}_identity_pool
	AllowUnauthenticatedIdentities: true
	CognitoIdentityProviders:
	- ClientId: !Ref UserPoolClient
	ProviderName: !GetAtt UserPool.ProviderName

	# Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
	CognitoUnAuthorizedRole:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Principal:
	Federated: cognito-identity.amazonaws.com
	Action: sts:AssumeRoleWithWebIdentity
	Condition:
	StringEquals:
	cognito-identity.amazonaws.com:aud: !Ref IdentityPool
	ForAnyValue:StringLike:
	cognito-identity.amazonaws.com:amr: unauthenticated
	Policies:
	- PolicyName: CognitoUnauthorizedPolicy
	PolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Action:
	- mobileanalytics:PutEvents
	- cognito-sync:*
	Resource: "*"

	# Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation
	# Only allows users in the previously created Identity Pool
	CognitoAuthorizedRole:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Principal:
	Federated: cognito-identity.amazonaws.com
	Action: sts:AssumeRoleWithWebIdentity
	Condition:
	StringEquals:
	cognito-identity.amazonaws.com:aud: !Ref IdentityPool
	ForAnyValue:StringLike:
	cognito-identity.amazonaws.com:amr: authenticated

	Policies:
	- PolicyName: CognitoAuthorizedPolicy
	PolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Action:
	- cognito-identity:*
	- mobileanalytics:PutEvents
	- cognito-sync:*
	Resource: "*"

	- Effect: Allow
	Action: execute-api:Invoke
	Resource: arn:aws:execute-api:ap-southeast-1::${API_ID}///

	# Assigns the roles to the Identity Pool
	IdentityPoolRoleMapping:
	Type: "AWS::Cognito::IdentityPoolRoleAttachment"
	Properties:
	IdentityPoolId: !Ref IdentityPool
	Roles:
	authenticated: !GetAtt CognitoAuthorizedRole.Arn
	unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

	Outputs:
	UserPoolId:
	Value: !Ref UserPool
	Export:
	Name: "UserPool::Id"
	UserPoolClientId:
	Value: !Ref UserPoolClient
	Export:
	Name: "UserPoolClient::Id"
	IdentityPoolId:
	Value: !Ref IdentityPool
	Export:
	Name: "IdentityPool::Id"