Cannot set a property of cognito userpool client via cloudformation


Problem description

I am trying to run Cognito via CloudFormation and everything works, but there is a section in Cognito as follows:

As you see there is a section "Enable identity providers" and I cannot find where I can set it for my Cognito user pool in CloudFormation!

I tried this attribute, but it says it is not supported.

SupportedIdentityProviders

Here is my code for the user pool client:

  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub ${project}-client
      ExplicitAuthFlows:
        - ADMIN_NO_SRP_AUTH
        - USER_PASSWORD_AUTH
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      RefreshTokenValidity: 30

Here is my user pool:

  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${project}-user-pool-test
      AutoVerifiedAttributes:
        - email
      UsernameAttributes:
        - email
      MfaConfiguration: "OFF"
      LambdaConfig:
        CustomMessage:
          Fn::ImportValue: !Sub ${project}-${EnvironmentApp}-lambda-cognito-custom-message-post
      Policies:
        PasswordPolicy:
          MinimumLength: !Ref MinimumLength
          RequireLowercase: !Ref RequireLowercase
          RequireNumbers: !Ref RequireNumbers
          RequireSymbols: !Ref RequireSymbols
          RequireUppercase: !Ref RequireUppercase
      Schema:
        - AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Name: !Sub ${project}-stg
          Required: false
        - AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Name: !Sub zuora-stg
          Required: false
        - AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Name: !Sub salesforce-stg
          Required: false

Is it supported in CloudFormation? I'd appreciate any help.

Recommended answer

As the other answer suggests, this can't be done natively in CloudFormation as of yet. However, as ASR's answer advises, it is possible to do so through a CloudFormation custom resource.

My employer has open-sourced its collection of custom resources, including CognitoUserPool and CognitoDomainName (which is also not supported in CloudFormation). The custom resources' source code can be found on GitHub.

Below are manual directions on setting this up; you can always automate things further by placing the custom resource's backing Lambda in CloudFormation as well.

All commands below are for Mac. You may need to modify the base64 flags for other platforms.

aws iam create-role --role-name LambdaRoleCognito --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}'
aws iam attach-role-policy --role-name LambdaRoleCognito \
  --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

aws iam attach-role-policy --role-name LambdaRoleCognito \
  --policy-arn arn:aws:iam::aws:policy/AmazonCognitoPowerUser


2. Download the Lambda source code, upload it to your local bucket, and create the Lambda

wget https://github.com/base2Services/cloudformation-custom-resources-nodejs/releases/download/1.0.0/ccr-nodejs-1.0.0.zip
account_id=$(aws sts get-caller-identity --query Account --output text)
aws s3 mb s3://${account_id}.cfncustomres.source
aws s3 cp ccr-nodejs-1.0.0.zip s3://${account_id}.cfncustomres.source/ccr-nodejs-1.0.0.zip

aws lambda create-function --function-name CfnCrCognitUPC --runtime nodejs6.10 \
    --role arn:aws:iam::${account_id}:role/LambdaRoleCognito  \
    --timeout 30 \
    --memory-size 512 \
    --code S3Bucket=${account_id}.cfncustomres.source,S3Key=ccr-nodejs-1.0.0.zip \
    --handler cognito-user-pool-client/index.handler


3. Optional: test the Lambda by invoking it with a test payload

aws lambda invoke --function-name CfnCrCognitUPC --payload '{
  "StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
  "ResponseURL": "http://pre-signed-S3-url-for-response",
  "ResourceProperties": {
    "ClientName": "MyCCRCreatedUP",
    "SupportedIdentityProviders": [
      "COGNITO"
    ],
    "UserPoolId":"!! REPLACE WITH YOUR USER POOL ID !!"
  },
  "RequestType": "Create",
  "ResourceType": "Custom::TestResource",
  "RequestId": "unique id for this create request",
  "LogicalResourceId": "MyTestResource"
}' --log-type Tail --invocation-type RequestResponse output.txt --query LogResult --output text | base64 -D


4. Create the custom resource in your CloudFormation template

See the custom resource JSON schema for the list of all supported properties.

Resources:
  MyPoolApplication:
    Type: Custom::CognitoUserPool
    Properties:
      ServiceToken: arn:aws:lambda:<<REPLACE_WITH_YOUR_REGION>>:<<REPLACE_WITH_YOUR_ACCOUNT_ID>>:function:CfnCrCognitUPC
      ClientName: ApplicationClientNameHere
      UserPoolId: 
        Ref: UserPool
      SupportedIdentityProviders:
        - COGNITO
      .... other support properties .... 
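As an added example that is not part of this answer or of the base2Services project: a minimal Python custom-resource handler for the Create/Update/Delete requests CloudFormation sends (the same shape as the test payload in step 3), which sets SupportedIdentityProviders on the app client and always PUTs a SUCCESS or FAILED response to ResponseURL so the stack never hangs until timeout. The cognito-idp client is injected, so the constructed FakeCognito stand-in can exercise it offline; handle_request, send_response and FakeCognito are names I chose, and the default of COGNITO only is my assumption.

```python
import json
import urllib.request

def send_response(event, status, physical_id, reason):
    # CloudFormation learns the outcome only from a PUT to the pre-signed ResponseURL.
    body = json.dumps({"Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
                       "StackId": event["StackId"], "RequestId": event["RequestId"],
                       "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)

def handle_request(event, cognito, send=send_response):
    """Create/Update/Delete the app client; returns (status, physical_id)."""
    props, kind = event["ResourceProperties"], event["RequestType"]
    physical_id = event.get("PhysicalResourceId", "none")
    # Assumed default: COGNITO only, so no external IdP is enabled unless listed explicitly.
    args = dict(UserPoolId=props["UserPoolId"], ClientName=props["ClientName"],
                SupportedIdentityProviders=props.get("SupportedIdentityProviders", ["COGNITO"]))
    try:
        if kind == "Create":
            physical_id = cognito.create_user_pool_client(**args)["UserPoolClient"]["ClientId"]
        elif kind == "Update":
            cognito.update_user_pool_client(ClientId=physical_id, **args)
        elif kind == "Delete" and physical_id != "none":  # nothing to delete if Create failed
            cognito.delete_user_pool_client(UserPoolId=props["UserPoolId"], ClientId=physical_id)
        status, reason = "SUCCESS", "ok"
    except Exception as exc:  # answer FAILED instead of leaving the stack waiting for a timeout
        status, reason = "FAILED", str(exc)
    send(event, status, physical_id, reason)
    return status, physical_id

def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return handle_request(event, boto3.client("cognito-idp"))

class FakeCognito:
    """Constructed in-memory stand-in for boto3's cognito-idp client (offline tests only)."""
    def __init__(self):
        self.clients = {}
    def create_user_pool_client(self, **kw):
        cid = "client%d" % (len(self.clients) + 1)
        self.clients[cid] = kw
        return {"UserPoolClient": {"ClientId": cid, **kw}}
    def update_user_pool_client(self, ClientId, **kw):
        self.clients[ClientId].update(kw)
    def delete_user_pool_client(self, ClientId, UserPoolId):
        del self.clients[ClientId]
```

Current AWS::Cognito::UserPoolClient resources accept SupportedIdentityProviders natively, so this custom resource is only needed on templates that predate that support.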
