如何使用aws cdk将Cognito UserPool作为身份验证提供程序之一创建Cognito IdentityPool? [英] How to create Cognito IdentityPool with Cognito UserPool as one of the Authentication provider using aws cdk?
问题描述
我正在尝试使用CognitoUserPool作为一个身份验证提供程序创建一个Cognito FederatedIdentityPool.创建UserPool非常简单:
I am trying to create a Cognito FederatedIdentityPool with CognitoUserPool as one Authentication Provider. Creating UserPool was easy enough:
const userPool = new cognito.CfnUserPool(this, 'MyCognitoUserPool')
const userPoolClient = new cognito.CfnUserPoolClient(this, 'RandomQuoteUserPoolClient', {
generateSecret: false,
userPoolId: userPool.userPoolId
});
但是我不确定如何将其连接到身份池:
However I am not sure how to connect this to an Identity Pool:
const identityPool = new cognito.CfnIdentityPool(this, 'MyIdentityPool', {
allowUnauthenticatedIdentities: false,
cognitoIdentityProviders: ?????
});
Based on IdentityProvider API Documentation it looks like there is a propert cognitoIdentityProviders, however it accepts an array of cdk.Token/CognitoIdentityProviderProperty.
现在,我尝试创建一个 CognitoIdentityProviderProperty 对象并将其传递给cognitoIdentityProviders: [{ clientId: userPoolClient.userPoolClientId }],但出现以下异常:
Now I tried creating a CognitoIdentityProviderProperty object and pass it cognitoIdentityProviders: [{ clientId: userPoolClient.userPoolClientId }], but I am getting following exception:
1/2 | 09:48:35 | CREATE_FAILED | AWS::Cognito::IdentityPool | RandomQuoteIdentityPool Invalid Cognito Identity Provider (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidParameterException; Request ID: 4d6d579a-6455-11e9-99a9-85159bc87779)
new CdkWorkshopStack (/Users/cdk/lib/cdk-workshop-stack.ts:46:26)
\_ Object.<anonymous> (/Users/cdk/bin/cdk-workshop.ts:7:1)
\_ Module._compile (module.js:653:30)
\_ Object.Module._extensions..js (module.js:664:10)
\_ Module.load (module.js:566:32)
\_ tryModuleLoad (module.js:506:12)
\_ Function.Module._load (module.js:498:3)
\_ Function.Module.runMain (module.js:694:10)
\_ startup (bootstrap_node.js:204:16)
\_ bootstrap_node.js:625:3
我什至尝试从AWS Console复制ID并在此处对其进行硬编码,仍然是相同的错误.
I even tried copying id from AWS Console and hardcoding it here, still same error.
- 有人可以帮助我解释如何在
CfnIdentityPool中配置身份验证提供程序. - 为什么会有 UserPool 和 CfnUserPool ?它们之间有什么区别,应该使用哪一个?
- Can someone please help me in explaining how can I configure Authentication Providers in
CfnIdentityPool. - Why is there a UserPool and CfnUserPool? What is difference between them and which one is supposed to be used?
推荐答案
这是当您创建以用户池作为身份提供者的身份池时,通过aws控制台模拟的默认配置的方法.除了要求的功能外,它还包括其他一些功能(允许未经身份验证的访问并指定密码策略),但是很容易根据您的需要进行修改.
This is the way I managed to mimic the default configuration created through the aws console when you create an identity pool with a user pool as identity provider. It includes some other features apart from what you have asked (allows unauthenticated access and specify the password policy), but is easy to modify to your needs.
const userPool = new cognito.UserPool(this, 'MyUserPool', {
signInType: SignInType.EMAIL,
autoVerifiedAttributes: [
UserPoolAttribute.EMAIL
]
});
const cfnUserPool = userPool.node.defaultChild as cognito.CfnUserPool;
cfnUserPool.policies = {
passwordPolicy: {
minimumLength: 8,
requireLowercase: false,
requireNumbers: false,
requireUppercase: false,
requireSymbols: false
}
};
const userPoolClient = new cognito.UserPoolClient(this, 'MyUserPoolClient', {
generateSecret: false,
userPool: userPool,
userPoolClientName: 'MyUserPoolClientName'
});
const identityPool = new cognito.CfnIdentityPool(this, 'MyCognitoIdentityPool', {
allowUnauthenticatedIdentities: false,
cognitoIdentityProviders: [{
clientId: userPoolClient.userPoolClientId,
providerName: userPool.userPoolProviderName,
}]
});
const unauthenticatedRole = new iam.Role(this, 'CognitoDefaultUnauthenticatedRole', {
assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
"StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
"ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },
}, "sts:AssumeRoleWithWebIdentity"),
});
unauthenticatedRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
resources: ["*"],
}));
const authenticatedRole = new iam.Role(this, 'CognitoDefaultAuthenticatedRole', {
assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
"StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
"ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
}, "sts:AssumeRoleWithWebIdentity"),
});
authenticatedRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*"
],
resources: ["*"],
}));
const defaultPolicy = new cognito.CfnIdentityPoolRoleAttachment(this, 'DefaultValid', {
identityPoolId: identityPool.ref,
roles: {
'unauthenticated': unauthenticatedRole.roleArn,
'authenticated': authenticatedRole.roleArn
}
});
为什么会有UserPool和CfnUserPool?它们之间有什么区别,应该使用哪一个?
Why is there a UserPool and CfnUserPool? What is difference between them and which one is supposed to be used?
UserPool是资源的高级表示,是首选的工作方式,但尚未实现所有属性. CfnUserPool(任何带Cfn前缀的类)是映射到Cloudformation资源的低级表示形式.如示例所示,当高级类不能满足您的需要时,您可以同时使用两者.
UserPool is a high-level representation of the resource and is the prefered way to work but not all the properties are implemented yet. CfnUserPool (an any Cfn prefixed class) is a low-level representation that maps to a Cloudformation resource. You can use both when the high-level class don't fulfill your necessities, as in the example.
这篇关于如何使用aws cdk将Cognito UserPool作为身份验证提供程序之一创建Cognito IdentityPool?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
