Cognito User/Identity Pools as serverless.yml resource defs

I’m having trouble finding an example so forgive me if it’s my search skills that are lacking here, but has anybody sucessfully set up the Resources section in your serverless.yml file to construct User and Identity Pools automatically?

Really, I’m trying to automate what @fanjie and @jayair have done here:


In your serverless yaml file, you can use cloud formation template to create cognito pool as shown below and then you can use the output of the cognito pool how ever you want, in this example, I created an env variable that will be injected to lambda’s.

Hope this helps.

 environment:
USER_POOL:
   'Fn::GetAtt': [ userPool, Arn ]


userPool:
    Type: AWS::Cognito::UserPool
    Properties:
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      #AliasAttributes:
      #  - String
      #AutoVerifiedAttributes:
      #  - String
      #DeviceConfiguration:
      #  DeviceConfiguration
      #EmailConfiguration:
      #  EmailConfiguration
      #EmailVerificationMessage: String
      #EmailVerificationSubject: String
      #LambdaConfig:
      #  LambdaConfig
      #MfaConfiguration: String
      #Policies:
      #  Policies
      UserPoolName: ${self:provider.custom.stage}-XXXX
      Schema:
        - AttributeDataType: String
          Mutable: true
          Name: role
      #SmsAuthenticationMessage: String
      #SmsConfiguration:
      #  SmsConfiguration
      #SmsVerificationMessage: String
      #UserPoolTags:
      #  String: String
3 Likes

I’m also having trouble with this, I can create the user pool, but I can’t seem to reference the user pool as a cognito provider in the identity pool section, and it fails saying the provider name is wrong.

It’s hard to find sample for these things.

That syntax works great for the environment variables, but I’m trying to set the authorizer arn and this:

    events:
  - http:
      path: location
      method: post
      cors: true
      authorizer:
        arn: 'Fn::GetAtt': [ UserPool, Arn ]

Fails, I’m guessing in part because of order of operations. What I’d like is for the Resources to generate and then fetch the arn to put as my authorizer.

try with ‘Fn::GetAtt’: [ UserPool, Arn ] on a new line

You can still reference the environment variable within the authorizer or define the environment variable for that function. Haven’t tried it but try and see what happens.

If there is dependency issue, Cloud Front provides depends on clause you can use that so you can manage the order of resource creation

@altcatalin Thanks for the idea, but it still barfs on it on a new line.

@pgali The environment variable can be read in the function no problem, but I’m trying to get the framework to set up the authorizer for me automatically. That may be asking to much, I’m beginning to think 8).

have you also tried with the long function form?
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html

this works

functions:
  ConsumerFunction:
    ...
    environment:
      QUEUE_ARN:
        Fn::GetAtt:
          - Queue
          - Arn

resources:  # CloudFormation template syntax
  Resources:

    # SQS
    Queue:
      Type: AWS::SQS::Queue
      ...

FYI, just got confirmation that this is a bug that will be fixed as part of a larger ARN issue, workaround described here:

Basically, create your stack once, come back to your serverless.yml and hard code the ARN that gets generated.

I found this gist on github which helped solve a lot of my problems: https://gist.github.com/singledigit/2c4d7232fa96d9e98a3de89cf6ebe7a5

I’ve gotten this to work with text message verification using gist from @barticus… but how it works with email verification I am not sure.

Has anyone found out more about this. I’m looking to do the exact same thing you @nerdguru.

Can’t see to get the authorizer to take in a GetAtt call to the resource. I keep getting the SLS error
functionArn.split is not a function

I was able to get serverless to generate my identity pool using the following:

IdentityPool:
  Type: "AWS::Cognito::IdentityPool"
  Properties:
    IdentityPoolName: identitypoolname
    AllowUnauthenticatedIdentities: true
    CognitoIdentityProviders: 
      - ClientId:
          Ref: UserPoolClient
        ProviderName:
          'Fn::GetAtt': [ MyUserPool, ProviderName ]

Hope this helps

This will setup userpools that are compatible with aws-amplify

service:
  name: digiStatic

frameworkVersion: ">=1.1.0 <2.0.0"

provider:
  name: aws
  runtime: nodejs6.10
  memorySize: 512
  # Serverless variables like ${self:custom.prefix} We use variableSyntax here
  # to change serverless vars to look instead like $<self:custom.prefix>
  variableSyntax: '\$<([ :a-zA-Z0-9._,\\-\\/\\(\\)]+?)>'

plugins:
  - serverless-stack-output

custom:
  output:
    handler: scripts/output.handler # Same syntax as you already know
    file: ../stack.json # toml, yaml, yml, and json format is available

resources:
  Resources:

    # Creates a user pool in cognito for your app to auth against

    # Fixme: customer email address needs to be manually entered and verified
    # https://console.aws.amazon.com/ses/home?region=us-east-1#verified-senders-email:

    # Time based MFA can not be enabled from script
    # I have asked AWS to fix this

    UserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:
        UserPoolName: $<self:service>-user-pool
        SmsVerificationMessage: "Your verification code is {####}."
        AutoVerifiedAttributes:
          - email
        MfaConfiguration: "OFF"
        EmailVerificationSubject: "Your Digispeaker verification code"
        EmailVerificationMessage: "Your Digispeaker verification code is {####}."
        SmsAuthenticationMessage: "Your Digispeaker authentication code is {####}."
        Schema:
          - Name: name
            AttributeDataType: String
            Mutable: true
            Required: false
          - Name: email
            AttributeDataType: String
            Mutable: false
            Required: true
          - Name: phone_number
            AttributeDataType: String
            Mutable: true
            Required: false
        Policies:
          PasswordPolicy:
            RequireLowercase: true
            RequireSymbols: false
            RequireNumbers: true
            MinimumLength: 8
            RequireUppercase: true
        AdminCreateUserConfig:
          InviteMessageTemplate:
            EmailMessage: "Your Digispeaker username is {username} and temporary password is {####}."
            EmailSubject: "Your temporary Digispeaker password"
            SMSMessage: "Your Digispeaker username is {username} and temporary password is {####}."
          UnusedAccountValidityDays: 7
          AllowAdminCreateUserOnly: false

    # Creates a User Pool Client to be used by the identity pool
    UserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      Properties:
        ClientName: $<self:service>-client
        GenerateSecret: false
        UserPoolId: 
          Ref: UserPool
    
    # Creates a federeated Identity pool
    IdentityPool:
      Type: "AWS::Cognito::IdentityPool"
      Properties:
        IdentityPoolName: $<self:service>Identity
        AllowUnauthenticatedIdentities: true
        CognitoIdentityProviders: 
          - ClientId: 
              Ref: UserPoolClient
            ProviderName:
              'Fn::GetAtt': [ UserPool, ProviderName ]
        SupportedLoginProviders:
          'graph.facebook.com': "xxxxxxxxxx"
        OpenIdConnectProviderARNs:
          - 'arn:aws:iam::xxxxxxxxxxx:oidc-provider/accounts.google.com'

    # Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
    CognitoUnAuthorizedRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Federated: "cognito-identity.amazonaws.com"
              Action: 
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud":
                    Ref: IdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": unauthenticated
        Policies:
          - PolicyName: "CognitoUnauthorizedPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                  Resource: "*"

    # Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation
    # Only allows users in the previously created Identity Pool
    CognitoAuthorizedRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Federated: "cognito-identity.amazonaws.com"
              Action: 
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud":
                    Ref: IdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAuthorizedPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                    - "cognito-identity:*"
                  Resource: "*"
                - Effect: "Allow"
                  Action:
                    - "lambda:InvokeFunction"
                  Resource: "*"
    
    # Assigns the roles to the Identity Pool
    IdentityPoolRoleMapping:
      Type: "AWS::Cognito::IdentityPoolRoleAttachment"
      Properties:
        IdentityPoolId: 
          Ref: IdentityPool
        Roles:
          authenticated:
              'Fn::GetAtt': [ CognitoAuthorizedRole, Arn ]
          unauthenticated:
              'Fn::GetAtt': [ CognitoUnAuthorizedRole, Arn ]

  Outputs:
    UserPoolId:
      Value: 
        Ref: UserPool
      Export:
        Name: "UserPool::Id"
    UserPoolClientId:
      Value:
        Ref: UserPoolClient
      Export:
        Name: "UserPoolClient::Id"
    IdentityPoolId:
      Value:
        Ref: IdentityPool
      Export:
        Name: "IdentityPool::Id"
9 Likes

Thanks @jonsmirl - your example has been extremely helpful to me. Any chance you could tell me what I’d need to change to configure the User Pool resource so that it is set up to use the user’s email address as their “username”. I can do this via the AWS console but I want to put this config in serverless.yml.

I think you remove the ‘name’ field. But does amplify support that yet? I don’t think they have gotten around to making the userpool stuff configurable yet.

I don’t really know much about amplify. I just want to add the config for my user pool to my serverless service and I was able to take what I needed from your example and use that to create a user pool successfully, just not with the exact config I need.

The ‘name’ field is different to ‘username’ so I don’t think removing that will achieve what I want. Are you able to point me in direction of any docs/tutorials that might help me out? Thanks again!

Use the UI to get it the way you like it. Then use the CLI to describe it.

aws cognito-idp describe-user-pool --user-pool-id xxxxxxx

4 Likes

Ah ha! Didn’t know I could do that. Thanks, that’s super helpful.

hi all
so i want use cognito pool id use in lambda function.

i try to import UserPool::Id to env varible and then use env varible inside lambda. but its not work
got a error :circuiler dependency error within serverless deploy