-
Notifications
You must be signed in to change notification settings - Fork 102
/
cognito.yaml
204 lines (186 loc) · 6.25 KB
/
cognito.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
Description: >
This template creates Cognito user and identity pools.
Unauthorized access is denied any access by default.
Authorized and unauthorized roles are created for identity pool.
Authorized role does not have any policy associated, add it in the parent
stack with privileges needed.
Parameters:
UserPoolAdminGroupName:
Description: User pool group name for API administrators
Type: String
Default: apiAdmins
Resources:
UserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: !Sub ${AWS::StackName}-UserPool
AdminCreateUserConfig:
AllowAdminCreateUserOnly: false
AutoVerifiedAttributes:
- email
- phone_number
MfaConfiguration: "OPTIONAL"
SmsConfiguration:
ExternalId: !Sub ${AWS::StackName}
SnsCallerArn: !GetAtt UserPoolMFASNSRole.Arn
Schema:
- Name: name
AttributeDataType: String
Mutable: true
Required: true
- Name: email
AttributeDataType: String
Mutable: true
Required: true
- Name: phone_number
AttributeDataType: String
Mutable: false
Required: false
UsernameAttributes:
- email
UserPoolTags:
Key: Name
Value: !Sub ${AWS::StackName} User Pool
UserPoolMFASNSRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "cognito-idp.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: !Sub "${AWS::StackName}-CognitoMFASNSPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "sns:publish"
Resource: "*"
UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName:
!Sub ${AWS::StackName}UserPoolClient
ExplicitAuthFlows:
- ALLOW_USER_PASSWORD_AUTH
- ALLOW_USER_SRP_AUTH
- ALLOW_REFRESH_TOKEN_AUTH
GenerateSecret: false
PreventUserExistenceErrors: ENABLED
RefreshTokenValidity: 30
SupportedIdentityProviders:
- COGNITO
UserPoolId: !Ref UserPool
AllowedOAuthFlowsUserPoolClient: true
AllowedOAuthFlows:
- 'code'
AllowedOAuthScopes:
- 'email'
- 'openid'
CallbackURLs:
- 'http://localhost'
UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
Domain: !Ref UserPoolClient
UserPoolId: !Ref UserPool
IdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName:
!Sub ${AWS::StackName}-IdentityPool
AllowUnauthenticatedIdentities: false
CognitoIdentityProviders:
- ClientId: !Ref UserPoolClient
ProviderName: !GetAtt UserPool.ProviderName
CognitoUnAuthorizedRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": unauthenticated
Tags:
- Key: Name
Value: !Sub ${AWS::StackName} Cognito Identity Pool Unauthorized Role
CognitoAuthorizedRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Tags:
- Key: Name
Value: !Sub ${AWS::StackName} Cognito Identity Pool Unauthorized Role
IdentityPoolRoleMapping:
Type: "AWS::Cognito::IdentityPoolRoleAttachment"
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
authenticated: !GetAtt CognitoAuthorizedRole.Arn
unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn
ApiAdministratorsUserPoolGroup:
Type: AWS::Cognito::UserPoolGroup
Properties:
Description: User group for API Administrators
GroupName: !Ref UserPoolAdminGroupName
Precedence: 0
UserPoolId: !Ref UserPool
Outputs:
UserPool:
Description: Cognito User Pool ID
Value: !Ref UserPool
Export:
Name: !Sub ${AWS::StackName}-UserPool
UserPoolClient:
Description: Cognito User Pool Application Client ID
Value: !Ref UserPoolClient
Export:
Name: !Sub ${AWS::StackName}-UserPoolClient
IdentityPool:
Description: Cognito Identity Pool ID
Value: !Ref IdentityPool
Export:
Name: !Sub ${AWS::StackName}-IdentityPool
UserPoolAdminGroupName:
Description: User Pool group name for API administrators
Value: !Ref UserPoolAdminGroupName
Export:
Name: !Sub ${AWS::StackName}-UserPoolAdminGroupName
CognitoIdentityPoolAuthorizedUserRole:
Description: IAM role for Cognito Identity Pool authorized users
Value: !Ref CognitoAuthorizedRole
Export:
Name: !Sub ${AWS::StackName}-CognitoAuthorizedRole
CognitoLoginURL:
Description: Cognito User Pool Application Client Hosted Login UI URL
Value: !Sub 'https://${UserPoolClient}.auth.${AWS::Region}.amazoncognito.com/login?client_id=${UserPoolClient}&response_type=code&redirect_uri=http://localhost'
CognitoAuthCommand:
Description: AWS CLI command for Amazon Cognito User Pool authentication
Value: !Sub 'aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id ${UserPoolClient} --auth-parameters USERNAME=<username>,PASSWORD=<password>'