Cannot set a property of Cognito user pool client via CloudFormation

Problem description

I am trying to run Cognito via CloudFormation and everything works, but there is a section in Cognito as follows:

As you see there is a section "Enable identity providers", and I cannot find where I can set it for my Cognito user pool in CloudFormation!

I tried this attribute, but it says it is not supported:

SupportedIdentityProviders
Here is my code for the user pool client:

```yaml
UserPoolClient:
  Type: "AWS::Cognito::UserPoolClient"
  Properties:
    ClientName: !Sub ${project}-client
    ExplicitAuthFlows:
      - ADMIN_NO_SRP_AUTH
      - USER_PASSWORD_AUTH
    GenerateSecret: false
    UserPoolId: !Ref UserPool
    RefreshTokenValidity: 30
```
Here is my user pool:

```yaml
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Sub ${project}-user-pool-test
    AutoVerifiedAttributes:
      - email
    UsernameAttributes:
      - email
    MfaConfiguration: "OFF"
    LambdaConfig:
      CustomMessage:
        Fn::ImportValue: !Sub ${project}-${EnvironmentApp}-lambda-cognito-custom-message-post
    Policies:
      PasswordPolicy:
        MinimumLength: !Ref MinimumLength
        RequireLowercase: !Ref RequireLowercase
        RequireNumbers: !Ref RequireNumbers
        RequireSymbols: !Ref RequireSymbols
        RequireUppercase: !Ref RequireUppercase
    Schema:
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: !Sub ${project}-stg
        Required: false
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: zuora-stg
        Required: false
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: salesforce-stg
        Required: false
```
Is it supported in CloudFormation? I appreciate any help.

Accepted answer

As the other answer suggests, this can't be done natively in CloudFormation as of yet. However, as ASR's answer advises, it is possible to do so through a CloudFormation custom resource.

My employer has open sourced its collection of custom resources, including CognitoUserPool and CognitoDomainName (which is also not supported in CloudFormation). The custom resources' source code can be found on GitHub.

Below are manual directions for setting this up; you can always automate things further by placing the custom resource's backing Lambda in CloudFormation as well.

All commands below are for Mac. You may need to modify the base64 flags for other platforms.
```bash
aws iam create-role --role-name LambdaRoleCognito --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}'
aws iam attach-role-policy --role-name LambdaRoleCognito \
  --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
aws iam attach-role-policy --role-name LambdaRoleCognito \
  --policy-arn arn:aws:iam::aws:policy/AmazonCognitoPowerUser
```
2. Download the Lambda source code, upload it to your own S3 bucket, and create the Lambda function

```bash
wget https://github.com/base2Services/cloudformation-custom-resources-nodejs/releases/download/1.0.0/ccr-nodejs-1.0.0.zip
account_id=$(aws sts get-caller-identity --query Account --output text)
aws s3 mb s3://${account_id}.cfncustomres.source
aws s3 cp ccr-nodejs-1.0.0.zip s3://${account_id}.cfncustomres.source/ccr-nodejs-1.0.0.zip
aws lambda create-function --function-name CfnCrCognitUPC --runtime nodejs6.10 \
  --role arn:aws:iam::${account_id}:role/LambdaRoleCognito \
  --timeout 30 \
  --memory-size 512 \
  --code S3Bucket=${account_id}.cfncustomres.source,S3Key=ccr-nodejs-1.0.0.zip \
  --handler cognito-user-pool-client/index.handler
```
3. Optional: test the Lambda by invoking it with a test payload

```bash
aws lambda invoke --function-name CfnCrCognitUPC --payload '{
  "StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
  "ResponseURL": "http://pre-signed-S3-url-for-response",
  "ResourceProperties": {
    "ClientName": "MyCCRCreatedUP",
    "SupportedIdentityProviders": [
      "COGNITO"
    ],
    "UserPoolId": "!! REPLACE WITH YOUR USER POOL ID !!"
  },
  "RequestType": "Create",
  "ResourceType": "Custom::TestResource",
  "RequestId": "unique id for this create request",
  "LogicalResourceId": "MyTestResource"
}' --log-type Tail --invocation-type RequestResponse output.txt --query LogResult --output text | base64 -D
```
4. Create the custom resource in your CloudFormation template

For a list of all supported properties, see the custom resource JSON schema.

```yaml
Resources:
  MyPoolApplication:
    Type: Custom::CognitoUserPool
    Properties:
      ServiceToken: arn:aws:lambda:<<REPLACE_WITH_YOUR_REGION>>:<<REPLACE_WITH_YOUR_ACCOUNT_ID>>:function:CfnCrCognitUPC
      ClientName: ApplicationClientNameHere
      UserPoolId:
        Ref: UserPool
      SupportedIdentityProviders:
        - COGNITO
      .... other support properties ....
```
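To make the custom-resource mechanism in the answer concrete, here is an added example (not the base2Services code or anything from the original post) of what the backing Lambda has to do: map the Create/Update/Delete event into a Cognito API call that forwards `SupportedIdentityProviders`, and produce the response body CloudFormation expects. `FakeCognito`, `demo`, the user pool id `us-west-2_EXAMPLE` and the client id `fake-client-id` are constructed stand-ins so it runs offline; a real deployment would pass `boto3.client("cognito-idp")` and PUT the returned body to `event["ResponseURL"]`.

```python
from typing import Any, Dict

def build_client_params(props: Dict[str, Any]) -> Dict[str, Any]:
    """Forward ResourceProperties to the Cognito API, minus CloudFormation's own ServiceToken."""
    params = {k: v for k, v in props.items() if k != "ServiceToken"}
    if "UserPoolId" not in params or "ClientName" not in params:
        raise ValueError("UserPoolId and ClientName are required")
    return params  # SupportedIdentityProviders passes straight through to the API

def handle_request(event: Dict[str, Any], cognito: Any) -> Dict[str, Any]:
    """Map one Create/Update/Delete event to the body that is PUT back to ResponseURL."""
    # `cognito` is injected (boto3 cognito-idp method shape) so this runs offline; ClientId doubles as PhysicalResourceId.
    base = {k: event[k] for k in ("StackId", "RequestId", "LogicalResourceId")}
    try:
        props, req = event.get("ResourceProperties", {}), event["RequestType"]
        if req == "Create":
            out = cognito.create_user_pool_client(**build_client_params(props))
            client_id = out["UserPoolClient"]["ClientId"]
        elif req == "Update":
            client_id = event["PhysicalResourceId"]
            cognito.update_user_pool_client(ClientId=client_id, **build_client_params(props))
        elif req == "Delete":
            client_id = event["PhysicalResourceId"]
            cognito.delete_user_pool_client(UserPoolId=props["UserPoolId"], ClientId=client_id)
        else:
            raise ValueError(f"unsupported RequestType {req!r}")
        return {**base, "Status": "SUCCESS", "PhysicalResourceId": client_id,
                "Data": {"ClientId": client_id}}
    except Exception as exc:
        # Answer FAILED instead of raising: an unanswered event leaves the stack
        # waiting on this resource until the CloudFormation timeout.
        return {**base, "Status": "FAILED", "Reason": str(exc),
                "PhysicalResourceId": event.get("PhysicalResourceId", "create-failed")}

class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client; no AWS call is made."""
    def create_user_pool_client(self, **params):
        return {"UserPoolClient": {"ClientId": "fake-client-id", **params}}
    def update_user_pool_client(self, **params): return None
    def delete_user_pool_client(self, **params): return None

def demo() -> Dict[str, Any]:
    """Run the answer's step-3 test payload (UserPoolId constructed) through the handler."""
    event = {"StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
             "ResponseURL": "http://pre-signed-S3-url-for-response",
             "ResourceProperties": {"ClientName": "MyCCRCreatedUP", "UserPoolId": "us-west-2_EXAMPLE",
                                    "SupportedIdentityProviders": ["COGNITO"]},
             "RequestType": "Create", "RequestId": "unique id for this create request",
             "LogicalResourceId": "MyTestResource"}
    return handle_request(event, FakeCognito())
```

The role in the answer's first step carries the AWS managed `AmazonCognitoPowerUser` policy; a handler like this only needs `cognito-idp:CreateUserPoolClient`, `UpdateUserPoolClient` and `DeleteUserPoolClient` on the target pool's ARN, which is the least-privilege policy to attach instead.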