|
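AWSTemplateFormatVersion: '2010-09-09'

Description: Cognito Stack

Parameters:

  AuthName:
    Type: String
    Description: Unique Auth Name for Cognito Resources

  # NOTE(review): CloudFormation logical IDs (parameters included) are expected
  # to be alphanumeric, so the underscore in this name is likely rejected at
  # template validation. Renaming it (e.g. ApiId) has to be done together with
  # the ${API_ID} reference in CognitoAuthorizedRole and with every caller that
  # passes the parameter, so the name is left as-is here.
  API_ID:
    Type: String
    # Was misspelt "Despription", which is not a valid parameter attribute.
    Description: API Gateway ID

Resources:

  # User pool the application authenticates against. Users sign in with their
  # e-mail address, which is auto-verified with the {####} code sent in
  # EmailVerificationMessage. MFA is OPTIONAL with TOTP authenticator apps:
  # no phone_number attribute and no SmsConfiguration exist in this template,
  # so SMS MFA is not available. Other attributes can be added via Schema.
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${AuthName}_user_pool
      # Fixed at creation; changing it later forces replacement of the pool.
      UsernameAttributes:
        - email
      AutoVerifiedAttributes:
        - email
      # {####} is replaced by Cognito with the verification code.
      EmailVerificationMessage: this is the link {####}
      EmailVerificationSubject: Please Confirm your email...
      # The previous value was 'OFF' although the stack comment claimed MFA was
      # required. OPTIONAL challenges users who have enrolled a TOTP device and
      # leaves sign-in unchanged for those who have not; ON would force every
      # user through MFA_SETUP / SOFTWARE_TOKEN_MFA challenges that the client
      # code must handle. Quoted because OFF/ON are YAML 1.1 booleans.
      MfaConfiguration: 'OPTIONAL'
      EnabledMfas:
        - SOFTWARE_TOKEN_MFA
      Policies:
        PasswordPolicy:
          # 8 characters with no symbol requirement is the floor, not a strong
          # policy; raise MinimumLength if the threat model warrants it.
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: true

  # App client that the identity pool trusts as its Cognito provider.
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: !Sub ${AuthName}_client_name
      # ADMIN_NO_SRP_AUTH is the legacy server-side password flow
      # (AdminInitiateAuth, which itself needs AWS credentials); a browser or
      # mobile app should use SRP instead (USER_SRP_AUTH, or the newer
      # ALLOW_USER_SRP_AUTH / ALLOW_REFRESH_TOKEN_AUTH names - legacy and
      # ALLOW_* names cannot be mixed). Kept because existing callers may
      # depend on it. NOTE(review): PreventUserExistenceErrors: ENABLED would
      # stop user enumeration through distinct "user not found" responses;
      # not added here because it changes the errors clients see.
      ExplicitAuthFlows:
        - ADMIN_NO_SRP_AUTH
      # Public (browser/mobile) clients cannot keep a secret, so none is issued.
      GenerateSecret: false
      UserPoolId: !Ref UserPool

  # Federated identity pool: exchanges user-pool tokens for AWS credentials.
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Sub ${AuthName}_identity_pool
      # true means anyone who knows the pool id (it ships inside the client
      # app) can obtain temporary AWS credentials for CognitoUnAuthorizedRole
      # without signing in. Keep that role minimal, and set this to false if
      # guest access is not actually needed.
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName
          # NOTE(review): ServerSideTokenCheck: true makes the identity pool
          # re-validate the user against the user pool on each credential
          # request, so disabled/deleted users lose access immediately.

  # Role for unauthenticated (guest) identities. The trust policy pins the
  # audience to this IdentityPool and requires the "unauthenticated"
  # authentication method, so only guests of this pool can assume it.
  CognitoUnAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Quoted: an unquoted 2012-10-17 is a YAML timestamp, not a string.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      Policies:
        - PolicyName: CognitoUnauthorizedPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Guest credentials are obtainable by anyone on the internet (see
              # AllowUnauthenticatedIdentities), so this stays limited to the
              # analytics/sync actions - never add data-plane access here.
              # cognito-sync is a legacy service; drop it if unused.
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource: "*"

  # Role for authenticated identities of this pool (same trust shape as above
  # with amr = authenticated). Grants API Gateway invoke on the given API plus
  # the identity-pool calls a signed-in user makes.
  CognitoAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: CognitoAuthorizedPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource: "*"
              # Previously cognito-identity:* on "*", which let every signed-in
              # user call control-plane actions (DeleteIdentityPool,
              # UpdateIdentityPool, ...) on any identity pool in the account.
              # Now limited to the per-identity actions a client uses, on this
              # pool only. GetId/GetOpenIdToken/GetCredentialsForIdentity are
              # unsigned calls and work regardless; add actions here only if
              # the app demonstrably needs them.
              - Effect: Allow
                Action:
                  - cognito-identity:GetId
                  - cognito-identity:GetOpenIdToken
                  - cognito-identity:GetCredentialsForIdentity
                  - cognito-identity:DescribeIdentity
                  - cognito-identity:UnlinkIdentity
                Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}'
              # The original resource was a plain string, so ${API_ID} was never
              # substituted (the statement matched nothing), and it hard-coded
              # ap-southeast-1 with a wildcard account. Region and account now
              # follow the stack; if the API lives elsewhere, set them explicitly.
              # "/*/*/*" covers every stage, method and path of that API - narrow
              # the stage if the API also has dev/test stages.
              - Effect: Allow
                Action: execute-api:Invoke
                Resource: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${API_ID}/*/*/*'

  # Binds the two roles to the identity pool.
  IdentityPoolRoleMapping:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

Outputs:

  # Export names are fixed, so only one instance of this stack can exist per
  # account and region (exports must be unique there) even though AuthName is
  # meant to be unique. Left unchanged because other stacks may already
  # !ImportValue these names.
  UserPoolId:
    Value: !Ref UserPool
    Export:
      Name: "UserPool::Id"
  UserPoolClientId:
    Value: !Ref UserPoolClient
    Export:
      Name: "UserPoolClient::Id"
  IdentityPoolId:
    Value: !Ref IdentityPool
    Export:
      Name: "IdentityPool::Id"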