CloudFormationでCognitoIDプールを作成する

AWS

CloudFormationでCognitoIDプールを作成するサンプルです。
・未認証ユーザのアクセスを許可
・IDプロバイダーは未指定

※未認証アクセスを許可すると、IDプールIDさえ分かれば誰でも（署名なしのGetId / GetCredentialsForIdentity呼び出しで）未認証ロールの一時クレデンシャルを取得できます。IDプールIDは通常クライアント側に配布される値なので秘密にはできません。したがって未認証ロールに付与する権限は必要最小限にし、`Resource: "*"` のような広い指定は避けてください（後述のテンプレートはこの方針でスコープを絞っています）。

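AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Cognito identity pool with unauthenticated (guest) access enabled and no
  identity provider configured. Because anyone holding the pool ID can obtain
  credentials for the guest role, both roles are scoped to the calling
  identity instead of Resource "*".

# Input parameters.
# NOTE(review): StackName and Env are declared but never referenced below.
# They are kept so existing deployments that pass them keep working; either
# wire them into IdentityPoolName or drop them in a later change.
Parameters:
  StackName:
    Type: String
  Env:
    Type: String

Resources:
  # Identity pool
  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # Identity pool name
      IdentityPoolName: "MyIdentityPoolName"
      # Guest access: unsigned GetId / GetCredentialsForIdentity calls succeed
      # for anyone who knows the pool ID, so CognitoUnauthenticatedRole must
      # carry only what an anonymous client genuinely needs.
      AllowUnauthenticatedIdentities: true

  # Policy for unauthenticated (guest) identities.
  # Every statement is scoped to the calling identity through the
  # ${cognito-identity.amazonaws.com:sub} IAM policy variable. It is written
  # as ${!...} so that Fn::Sub emits it literally instead of trying to resolve
  # it as a template variable.
  # Dropped compared to the original wildcard policy:
  #   - cognito-identity:* on "*": that namespace includes the pool-management
  #     APIs (e.g. SetIdentityPoolRoles / UpdateIdentityPool), so a guest could
  #     re-point this very pool at a more privileged role. The guest flow
  #     (GetId / GetCredentialsForIdentity) is unsigned and needs no IAM grant.
  #   - iot:Get* on "*": cannot be scoped without knowing the target things or
  #     policies. Re-add the specific Get action with a resource ARN if the
  #     application needs it.
  CognitoUnauthenticatedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "UnauthenticatedPolicy for Cognito ID Pool."
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        # The MQTT client ID must equal the caller's identity ID, so a guest
        # cannot connect as (and thereby disconnect) another client.
        - Sid: IotConnectAsSelf
          Effect: Allow
          Action:
          - iot:Connect
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:client/${!cognito-identity.amazonaws.com:sub}"
        # Per-identity topic namespace (<identity-id>/...). Adjust the prefix
        # to the application's topic layout; the point is that a guest cannot
        # subscribe to arbitrary topics in the account.
        - Sid: IotSubscribeOwnTopics
          Effect: Allow
          Action:
          - iot:Subscribe
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/${!cognito-identity.amazonaws.com:sub}/*"
        - Sid: IotReceiveOwnTopics
          Effect: Allow
          Action:
          - iot:Receive
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topic/${!cognito-identity.amazonaws.com:sub}/*"
        # Cognito Sync datasets of the calling identity only. The original "*"
        # allowed reading and writing any identity's datasets in the account.
        - Sid: CognitoSyncOwnDatasets
          Effect: Allow
          Action:
          - cognito-sync:*
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${MyIdentityPool}/identity/${!cognito-identity.amazonaws.com:sub}/*"

  # Role assumed by unauthenticated (guest) identities.
  CognitoUnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      Description: "UnauthenticatedRole for Cognito ID Pool."
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: "sts:AssumeRoleWithWebIdentity"
          Principal:
            Federated: cognito-identity.amazonaws.com
          Condition:
            # Only tokens issued for this pool (Ref returns the pool ID) ...
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: MyIdentityPool
            # ... and only guest identities. amr is a multi-valued claim,
            # hence the ForAnyValue set operator.
            ForAnyValue:StringLike:
              "cognito-identity.amazonaws.com:amr": unauthenticated
      ManagedPolicyArns:
      - Ref: CognitoUnauthenticatedPolicy

  # Policy for authenticated identities.
  # Scoped the same way as the guest policy; widen deliberately, per action
  # and per resource, as the application's needs become known.
  # NOTE(review): AWS IoT additionally requires an IoT policy to be attached
  # to authenticated Cognito identities (the IAM policy alone is not enough
  # for them) — confirm against the current AWS IoT documentation.
  CognitoAuthenticatedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "AuthenticatedPolicy for Cognito ID Pool."
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: IotConnectAsSelf
          Effect: Allow
          Action:
          - iot:Connect
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:client/${!cognito-identity.amazonaws.com:sub}"
        - Sid: IotSubscribeOwnTopics
          Effect: Allow
          Action:
          - iot:Subscribe
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/${!cognito-identity.amazonaws.com:sub}/*"
        - Sid: IotReceiveOwnTopics
          Effect: Allow
          Action:
          - iot:Receive
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topic/${!cognito-identity.amazonaws.com:sub}/*"
        - Sid: CognitoSyncOwnDatasets
          Effect: Allow
          Action:
          - cognito-sync:*
          Resource:
          - Fn::Sub: "arn:${AWS::Partition}:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${MyIdentityPool}/identity/${!cognito-identity.amazonaws.com:sub}/*"

  # Role assumed by authenticated identities.
  CognitoAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      Description: "AuthenticatedRole for Cognito ID Pool."
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: "sts:AssumeRoleWithWebIdentity"
          Principal:
            Federated: cognito-identity.amazonaws.com
          Condition:
            # Only tokens issued for this pool ...
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: MyIdentityPool
            # ... and only identities that authenticated with a provider.
            ForAnyValue:StringLike:
              "cognito-identity.amazonaws.com:amr": authenticated
      ManagedPolicyArns:
      - Ref: CognitoAuthenticatedPolicy

  # Attach the guest and authenticated roles to the identity pool.
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: MyIdentityPool
      Roles:
        unauthenticated:
          Fn::GetAtt:
          - CognitoUnauthenticatedRole
          - Arn
        authenticated:
          Fn::GetAtt:
          - CognitoAuthenticatedRole
          - Arn

Outputs:
  # Identity pool ID (the value clients embed to call GetId).
  MyIdentityPool:
    Value:
      Ref: MyIdentityPool
  # Role names (Ref on AWS::IAM::Role returns the name, not the ARN).
  CognitoUnauthenticatedRole:
    Value:
      Ref: CognitoUnauthenticatedRole
  CognitoAuthenticatedRole:
    Value:
      Ref: CognitoAuthenticatedRole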

以上
