Question:
I’ve created Cognito User Pool through AWS Console, but I want to automate creation of new Cognito User Pools through CloudFormation. Can I export my current User Pool configuration to CloudFormation template?
Answer:
It's not possible to export. You would need the 6 resources below to automate the process.
- Cognito Authenticated role
- Cognito unAuthenticated role
- User pool
- User Pool Client
- Identity Pool
- Identity Pool Role attachment
You would need 3 outputs which you might need to use in your code. Below is the code for creating these.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  envParameter:
    Type: String
    Default: dev
    AllowedValues: [ dev, test, qa, prod ]
    Description: Suffix to be added for names.
Resources:
  # User pool: holds the user directory
  myApiUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub myApiUserPool${envParameter}
  # App client used by the application to authenticate against the pool
  myApiUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub myApiUserPoolClient${envParameter}
      GenerateSecret: False
      RefreshTokenValidity: 30
      UserPoolId: !Ref myApiUserPool
  # Identity pool: exchanges user pool tokens for temporary AWS credentials
  myApiIdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub myApiIdentityPool${envParameter}
      AllowUnauthenticatedIdentities: False
      CognitoIdentityProviders:
        - ClientId: !Ref myApiUserPoolClient
          ProviderName: !GetAtt myApiUserPool.ProviderName
  # Role handed to unauthenticated (guest) identities
  cognitoUnauthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Unauth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            # Identity pools assume roles via web identity federation, not plain sts:AssumeRole
            Action: [ 'sts:AssumeRoleWithWebIdentity' ]
            # Restrict the trust to this identity pool and to unauthenticated identities only
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud': !Ref myApiIdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': unauthenticated
      Policies:
        - PolicyName: cognitounauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource:
                  - "*"
  # Role handed to authenticated identities (users who signed in to the user pool)
  cognitoAuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: [ 'sts:AssumeRoleWithWebIdentity' ]
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud': !Ref myApiIdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': authenticated
      Policies:
        - PolicyName: cognitoauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                  # Scope this down to the specific API Gateway ARNs the app needs
                  - execute-api:*
                Resource:
                  - "*"
  # Binds the two roles to the identity pool
  myApiIdentityPoolRoleAttachment:
    DependsOn: [ myApiIdentityPool, cognitoUnauthRole, cognitoAuthRole ]
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref myApiIdentityPool
      Roles:
        authenticated: !GetAtt cognitoAuthRole.Arn
        unauthenticated: !GetAtt cognitoUnauthRole.Arn
Outputs:
  userPool:
    Description: "User pool ID"
    Value: !Ref myApiUserPool
  identityPool:
    Description: "Identity pool ID"
    Value: !Ref myApiIdentityPool
  ClientId:
    Description: "Client id for the user pool appclient"
    Value: !Ref myApiUserPoolClient
```
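Since the console pool cannot be exported, one way to keep the template from drifting away from the pool you already hardened by hand is to read that pool's settings with the `cognito-idp` `describe_user_pool` call and map them onto `AWS::Cognito::UserPool` properties before committing the template. This is an added example, not part of the answer above; it assumes the response shape of boto3's `describe_user_pool` and substitutes a constructed sample response for the live call.

```python
"""Map an existing Cognito user pool's settings onto AWS::Cognito::UserPool
properties so a console-created pool can be recreated from CloudFormation.
Added example; SAMPLE_USER_POOL is constructed, not captured from an account."""

# Stand-in for boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"]
SAMPLE_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",  # placeholder id
    "Name": "myApiUserPool",
    "Policies": {"PasswordPolicy": {
        "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": True, "TemporaryPasswordValidityDays": 3}},
    "MfaConfiguration": "OPTIONAL",
    "AutoVerifiedAttributes": ["email"],
    "UsernameAttributes": ["email"],
    "UsernameConfiguration": {"CaseSensitive": False},
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True, "UnusedAccountValidityDays": 7},
    "AccountRecoverySetting": {"RecoveryMechanisms": [{"Priority": 1, "Name": "verified_email"}]},
    "CreationDate": "2020-01-01T00:00:00",  # read-only; must not be copied into the template
}

# describe_user_pool keys whose values map 1:1 onto AWS::Cognito::UserPool properties
DIRECT_KEYS = ("MfaConfiguration", "AutoVerifiedAttributes", "UsernameAttributes",
               "AliasAttributes", "UsernameConfiguration", "AccountRecoverySetting")
PASSWORD_KEYS = ("MinimumLength", "RequireUppercase", "RequireLowercase",
                 "RequireNumbers", "RequireSymbols", "TemporaryPasswordValidityDays")

def to_cfn_properties(pool: dict, name_suffix: str = "") -> dict:
    """Return the Properties block for AWS::Cognito::UserPool (read-only fields dropped)."""
    props = {"UserPoolName": pool["Name"] + name_suffix}
    for key in DIRECT_KEYS:
        if key in pool:
            props[key] = pool[key]
    pw = pool.get("Policies", {}).get("PasswordPolicy")
    if pw:
        props["Policies"] = {"PasswordPolicy": {k: v for k, v in pw.items() if k in PASSWORD_KEYS}}
    admin = pool.get("AdminCreateUserConfig", {})
    if "AllowAdminCreateUserOnly" in admin:  # skip deprecated UnusedAccountValidityDays
        props["AdminCreateUserConfig"] = {"AllowAdminCreateUserOnly": admin["AllowAdminCreateUserOnly"]}
    return props

def weak_settings(props: dict) -> list:
    """Flag settings worth tightening before the template is committed."""
    findings = []
    if props.get("Policies", {}).get("PasswordPolicy", {}).get("MinimumLength", 8) < 12:
        findings.append("password MinimumLength below 12")
    if props.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("MFA is OFF")
    if not props.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly"):
        findings.append("self sign-up is enabled")
    return findings

def template_resource(pool: dict, name_suffix: str = "") -> dict:
    return {"Type": "AWS::Cognito::UserPool", "Properties": to_cfn_properties(pool, name_suffix)}
```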