Creating a Cognito Identity Pool with CloudFormation

This is a sample template that creates a Cognito Identity Pool with CloudFormation.
・Access by unauthenticated users is allowed
・No identity provider is specified

AWSTemplateFormatVersion: '2010-09-09'

# Input parameters
Parameters:
  StackName:
    Type: String
  Env:
    Type: String

Resources:
  # Identity pool
  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # Identity pool name
      IdentityPoolName: "MyIdentityPoolName"
      # Allow access for unauthenticated identities
      AllowUnauthenticatedIdentities: true

  # Policy for unauthenticated users
  CognitoUnauthenticatedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "UnauthenticatedPolicy for Cognito ID Pool."
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - iot:Connect
          - iot:Subscribe
          - iot:Receive
          - iot:Get*
          - cognito-sync:*
          - cognito-identity:*
          Resource:
          - "*"

  # Role for unauthenticated users
  CognitoUnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      Description: "UnauthenticatedRole for Cognito ID Pool."
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: "sts:AssumeRoleWithWebIdentity"
          Principal:
            Federated: cognito-identity.amazonaws.com
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: MyIdentityPool
            ForAnyValue:StringLike:
              "cognito-identity.amazonaws.com:amr": unauthenticated
      ManagedPolicyArns:
      - Ref: CognitoUnauthenticatedPolicy

  # Policy for authenticated users
  CognitoAuthenticatedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "AuthenticatedPolicy for Cognito ID Pool."
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - iot:Connect
          - iot:Subscribe
          - iot:Receive
          - iot:Get*
          - cognito-sync:*
          - cognito-identity:*
          Resource:
          - "*"

  # Role for authenticated users
  CognitoAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      Description: "AuthenticatedRole for Cognito ID Pool."
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: "sts:AssumeRoleWithWebIdentity"
          Principal:
            Federated: cognito-identity.amazonaws.com
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: MyIdentityPool
            ForAnyValue:StringLike:
              "cognito-identity.amazonaws.com:amr": authenticated
      ManagedPolicyArns:
      - Ref: CognitoAuthenticatedPolicy

  # Attach the authenticated and unauthenticated roles to the Cognito Identity Pool
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: MyIdentityPool
      Roles:
        unauthenticated:
          Fn::GetAtt:
          - CognitoUnauthenticatedRole
          - Arn
        authenticated:
          Fn::GetAtt:
          - CognitoAuthenticatedRole
          - Arn

Outputs:
  MyIdentityPool:
    Value:
      Ref: MyIdentityPool
  CognitoUnauthenticatedRole:
    Value:
      Ref: CognitoUnauthenticatedRole
  CognitoAuthenticatedRole:
    Value:
      Ref: CognitoAuthenticatedRole
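As an added example that is not part of the original article, the following Python script runs a few defender-side checks over the template: it resolves each role attached to the pool through the RoleAttachment resource, verifies that the role's trust policy binds `aud` to this pool and `amr` to the expected identity class, and lists every wildcard action or `*` resource the role's managed policy grants. The template is embedded as its equivalent JSON rendering (constructed here, with the unused Parameters section dropped), so the script runs offline with only the standard library; the function and variable names are the example's own.

```python
# Added example (not from the original article): static checks over a Cognito
# Identity Pool CloudFormation template, standard library only.
import json

# Constructed inline: the article's template rendered as equivalent JSON
# (CloudFormation accepts JSON directly), with the unused Parameters dropped.
TEMPLATE_JSON = r"""{
 "Resources": {
  "MyIdentityPool": {"Type": "AWS::Cognito::IdentityPool", "Properties": {
    "IdentityPoolName": "MyIdentityPoolName", "AllowUnauthenticatedIdentities": true}},
  "CognitoUnauthenticatedPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": ["iot:Connect", "iot:Subscribe", "iot:Receive", "iot:Get*",
                 "cognito-sync:*", "cognito-identity:*"], "Resource": ["*"]}]}}},
  "CognitoAuthenticatedPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": ["iot:Connect", "iot:Subscribe", "iot:Receive", "iot:Get*",
                 "cognito-sync:*", "cognito-identity:*"], "Resource": ["*"]}]}}},
  "CognitoUnauthenticatedRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": {"Federated": "cognito-identity.amazonaws.com"},
      "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": {"Ref": "MyIdentityPool"}},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}}}]},
    "ManagedPolicyArns": [{"Ref": "CognitoUnauthenticatedPolicy"}]}},
  "CognitoAuthenticatedRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": {"Federated": "cognito-identity.amazonaws.com"},
      "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": {"Ref": "MyIdentityPool"}},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]},
    "ManagedPolicyArns": [{"Ref": "CognitoAuthenticatedPolicy"}]}},
  "RoleAttachment": {"Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": {
    "IdentityPoolId": {"Ref": "MyIdentityPool"},
    "Roles": {"unauthenticated": {"Fn::GetAtt": ["CognitoUnauthenticatedRole", "Arn"]},
              "authenticated": {"Fn::GetAtt": ["CognitoAuthenticatedRole", "Arn"]}}}}
 }
}"""


def as_list(x):
    """IAM accepts a single string where a list is also valid; normalise to a list."""
    return x if isinstance(x, list) else [x]


def check_trust_policy(role, pool_id, expected_amr):
    """Return problems found in the role's AssumeRolePolicyDocument (empty list = ok)."""
    problems = []
    for st in as_list(role["Properties"]["AssumeRolePolicyDocument"]["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            problems.append("principal is not cognito-identity.amazonaws.com")
        if "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action", [])):
            problems.append("action is not sts:AssumeRoleWithWebIdentity")
        cond = st.get("Condition", {})
        # Without the aud condition, identities issued by any other pool that
        # federates through Cognito could assume this role.
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != {"Ref": pool_id}:
            problems.append("aud is not pinned to this identity pool")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != expected_amr:
            problems.append(f"amr is {amr!r}, expected {expected_amr!r}")
    return problems


def wildcard_grants(resources, role):
    """(action, resource) pairs in the role's in-template managed policies that use wildcards."""
    found = []
    for arn in role["Properties"].get("ManagedPolicyArns", []):
        if not isinstance(arn, dict) or "Ref" not in arn:
            continue  # literal ARN: the policy lives outside this template
        doc = resources[arn["Ref"]]["Properties"]["PolicyDocument"]
        for st in as_list(doc["Statement"]):
            if st.get("Effect") != "Allow":
                continue
            for action in as_list(st.get("Action", [])):
                for resource in as_list(st.get("Resource", [])):
                    if "*" in action or resource == "*":
                        found.append((action, resource))
    return found


def audit(template):
    """Audit every role attached to an identity pool; returns {identity_class: report}."""
    resources = template["Resources"]
    report = {}
    for res in resources.values():
        if res["Type"] != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        pool_id = res["Properties"]["IdentityPoolId"]["Ref"]
        pool = resources[pool_id]["Properties"]
        for identity_class, arn in res["Properties"]["Roles"].items():
            role_id = arn["Fn::GetAtt"][0]  # ["<RoleLogicalId>", "Arn"]
            role = resources[role_id]
            report[identity_class] = {
                "role": role_id,
                "trust_problems": check_trust_policy(role, pool_id, identity_class),
                "wildcard_grants": wildcard_grants(resources, role),
                # permissions anyone who can reach the pool gets without logging in
                "reachable_without_login": identity_class == "unauthenticated"
                and bool(pool.get("AllowUnauthenticatedIdentities", False)),
            }
    return report


def load_template():
    return json.loads(TEMPLATE_JSON)


def run_example():
    return audit(load_template())


if __name__ == "__main__":
    for identity_class, r in run_example().items():
        print(identity_class, json.dumps(r, indent=2))
```

For the template above the trust-policy checks come back clean for both roles. The report for `unauthenticated` lists all six statements of CognitoUnauthenticatedPolicy, because every one of them is granted on Resource `*` and three (`iot:Get*`, `cognito-sync:*`, `cognito-identity:*`) use wildcard actions; since AllowUnauthenticatedIdentities is true, those permissions are reachable by anyone who can call the pool, so narrowing them is the first thing to review before using this template in a real account.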

That is all.
