AWS Serverless IdentityPoolRoleAttachment

MustSeeMelons · June 8, 2018, 3:35pm

So, I’m creating a role for my Cognito users to be able to call API Gateway:

IdentityAuthenticatedRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud":
                    - Ref: CognitoIdentityPoolStandardUserIdentityPool
                ForAnyValue:StringLike:
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: CognitoGatewayExecute
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "execute-api:Invoke"
                  Resource: "arn:aws:execute-api:*:*:*"
        MaxSessionDuration: 3600

Then I’m attaching the role to my IdentityPoolRoleAttachment:

CognitoIdentityPoolRoleAttachment:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Fn::Join:
        - ''
        - - Ref: CognitoIdentityPoolStandardUserIdentityPool
          - ''
    Roles:
      authenticated:
        Fn:GetAtt
          - IdentityAuthenticatedRole
          - Arn

According to the docs it should work, but it of course does not:

CognitoIdentityPoolRoleAttachment - Access to Role 'Fn:GetAtt - IdentityAuthenticatedRole - Arn' is forbidden.

Can someone please shed some light on this?

P.S. As I’ve already pasted this snippet, there is one more thing: I’m using Fn::Join, because otherwise I’m greeted with “Is not of type String” error, is there a better way to handle it?

buggy · June 10, 2018, 12:13pm

I think the syntax is supposed to be:

CognitoIdentityPoolRoleAttachment:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    Roles:
      authenticated:
        "Fn::GetAtt": [IdentityAuthenticatedRole, Arn ]

I tend to prefer an alternative syntax so if that fails please try:

  Properties:
    IdentityPoolId: { "Ref": "CognitoIdentityPoolStandardUserIdentityPool" }
    Roles:
      authenticated: { "Fn::GetAtt": ["IdentityAuthenticatedRole", "Arn" ] }

MustSeeMelons · June 11, 2018, 8:25am

You were right, my syntax was simply wrong, thanks! Somehow could not see it.

Topic		Replies	Views
Properly setting up IdentityPoolRoleAttachment Serverless Framework aws	3	2325	May 2, 2019
Cognito IdentityPoolRoleAttachment Role Mappings Serverless Framework aws	1	3357	November 1, 2017
Guidance on Cognito Serverless Architectures aws	2	1232	June 6, 2018
API Authentication with Cognito Serverless Framework aws	7	12843	December 18, 2018
CognitoIdentityCredentials is not authorized to access this resource Serverless Framework lambda	2	2922	June 2, 2018

AWS Serverless IdentityPoolRoleAttachment

Related Topics