I am trying to define custom Role Mappings as described here, but I just cannot find a proper syntax for the required String to RoleMapping object map notation. I could use a simple static string, for example cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id, as the key value, but I want to use a reference, so that the configuration is clean.
UsersIdentityPool:
  Type: 'AWS::Cognito::IdentityPool'
  Properties:
    IdentityPoolName: '${self:service}_${opt:stage, self:provider.stage}_users'
    AllowUnauthenticatedIdentities: false
    CognitoIdentityProviders:
      - ClientId:
          Ref: UsersPoolClient
        ProviderName:
          'Fn::GetAtt':
            - "UsersPool"
            - "ProviderName"
        ServerSideTokenCheck: true

UsersIdentityPoolRoleAttachment:
  Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
  Properties:
    IdentityPoolId:
      Ref: UsersIdentityPool
    # <<< --- START --- >>>
    RoleMappings:
      Ref: UsersIdentityPool
        AmbiguousRoleResolution: "Deny"
        Type: "Token"
    # <<< --- END --- >>>
    Roles:
      authenticated:
        'Fn::GetAtt':
          - "UsersIdentityPoolRoleAuthenticated"
          - "Arn"
      unauthenticated:
        'Fn::GetAtt':
          - "UsersIdentityPoolRoleUnAuthenticated"
          - "Arn"
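As an added example (not from the original post): a CloudFormation map key has to be a literal string, so the provider identifier can instead go into the RoleMapping `IdentityProvider` property, where intrinsic functions are allowed. It assumes that property and reuses the logical IDs from the question (`UsersPool`, `UsersPoolClient`, `UsersIdentityPool`, the two role resources).

```yaml
# Added example, not the poster's template. Assumes the RoleMapping
# "IdentityProvider" property; logical IDs are those from the question.
UsersIdentityPoolRoleAttachment:
  Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
  Properties:
    IdentityPoolId:
      Ref: UsersIdentityPool
    RoleMappings:
      # The map key is an arbitrary literal; the real provider id is built
      # below as "<user pool ProviderName>:<app client id>".
      UsersPoolMapping:
        IdentityProvider:
          'Fn::Join':
            - ':'
            - - 'Fn::GetAtt': [UsersPool, ProviderName]
              - Ref: UsersPoolClient
        Type: "Token"
        # Deny: a token that maps to no role (or to several) yields no
        # credentials instead of silently falling back to a default role.
        AmbiguousRoleResolution: "Deny"
    Roles:
      authenticated:
        'Fn::GetAtt': [UsersIdentityPoolRoleAuthenticated, Arn]
      unauthenticated:
        'Fn::GetAtt': [UsersIdentityPoolRoleUnAuthenticated, Arn]
```

The `Token` mapping type takes the role from the `cognito:roles` / `cognito:preferred_role` claims of the ID token, so it only makes sense together with `ServerSideTokenCheck: true` on the identity pool, as the question already sets.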