22

I want to setup a cognito user pool and configure my google identity provider automatically with a cloudformation yml file.

I checked all the documentation but could not find anything even close to doing this. Any idea on how to do it?

enter image description here

sigmaxf
  • 7,998
  • 15
  • 65
  • 125
  • did you find out something? – balsick Mar 24 '18 at 16:01
  • unfortunately not. perhaps asking aws forums or customer service? I did a lot of search and I believe it's just not possible – sigmaxf Mar 24 '18 at 22:49
  • 3
    aws forums are not very active around cloudformation. neither is stackoverflow, as you can see. I've asked a question about integratins API gateway with step functions on cloudformation some weeks ago and nobody answered neither here nor on aws forums. Still, you could try – balsick Mar 25 '18 at 10:51
  • 1
    not much help there too, someone with premium support (for service related questions) could ask them, unfortunately not my case – sigmaxf Mar 28 '18 at 17:36

4 Answers4

15

UserPoolIdentityProvider was added in Oct 2019, official docs.

Your CloudFormation would then look something like

CognitoUserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties: 
    ProviderName: Google
    AttributeMapping:
      email: emailAddress
    ProviderDetails:
      client_id: <yourclientid>.apps.googleusercontent.com
      client_secret: <yourclientsecret>
      authorize_scopes: email openid
    ProviderType: Google
    UserPoolId: 
      Ref: CognitoUserPool
krutisfood
  • 143
  • 6
vgaltes
  • 1,150
  • 11
  • 18
  • This worked for me but you have to place this declaration before the AWS::Cognito::UserPool declaration in the yml file or didn't work for me – marchinram Nov 10 '19 at 22:37
  • What are you supposed to put if your user pool client does not have a secret? – Yu Chen Feb 05 '21 at 04:52
3

It seems a lot of Cognito details are not supported within Cloudformation as of right now, but there are ways to achieve what you want after the stack spins up, e.g. using Lambdas.

See the following answers:

Cannot set a property of cognito userpool client via cloudformation

Cloudformation Cognito - how to setup App Client Settings, Domain, and Federated Identities via SAM template

Jens Roland
  • 27,450
  • 14
  • 82
  • 104
2

You can achieve this using Lambda function as custom Cloudformation resources. I have made custom resources to allow creation of user pool domain, client settings and Identity providers on this repo

You will have somethings like this for creating identity provider, for example Facebook

FacebookIdp:
  Type: 'Custom::${self:service}-${self:provider.stage}-CUPIdentityProvider'
  DependsOn:
    - CFNSendResponseLambdaFunction
    - CUPIdentityProviderLambdaFunction
  Properties:
    ServiceToken:
      Fn::GetAtt: [CUPIdentityProviderLambdaFunction, Arn]
    UserPoolId:
      Ref: AppUserPool
    ProviderName: Facebook
    ProviderType: Facebook
    Client_id: 'YourFacebookAppID'
    Client_secret: 'YourFacebookAppSecert'
    Authorize_scopes: 'public_profile,email'

And then enable that identity provider on the user pool client settings

AppUserPoolClientSettings:
  Type: 'Custom::${self:service}-${self:provider.stage}-CUPClientSettings'
  DependsOn:
    - CFNSendResponseLambdaFunction
    - CUPClientSettingsLambdaFunction
    - FacebookIdp
  Properties:
    ServiceToken:
      Fn::GetAtt: [ CUPClientSettingsLambdaFunction, Arn]
    UserPoolId: 
      Ref: AppUserPool
    UserPoolClientId: 
      Ref: AppUserPoolClient
    SupportedIdentityProviders:
      - COGNITO
      - Facebook
    CallbackURL: 'https://www.yourdomain.com/callback' ##Replace this with your app callback url
    LogoutURL: 'https://www.yourdomain.com/logout' ##Replace this with your app logout url
    AllowedOAuthFlowsUserPoolClient: true
    AllowedOAuthFlows:
      - code
    AllowedOAuthScopes:
      - openid

Note that this repo is built using Serverless framework, if you wish to build this with pure cloudformation stacks, use the code on file CUPIdentityProvider.js to make your own custom resource.

Qassim Al-Shakhoori
  • 71
  • 1
  • 3
1

Using a generic custom resource provider, you can create all the resource CFN doesn't support.

The example given here specifically creates and configures Cognito for Google SAML auth.

It should be easy enough to change it to use Google oAuth instead of SAML by changing the parameters passed to the custom resource handler, for example.

  UserPoolIdentityProvider:
    Type: 'Custom::CognitoUserPoolIdentityProvider'
    Condition: HasMetadata
    DependsOn: UserPool
    Properties:
      ServiceToken: !Sub '${CustomResourceLambdaArn}'
      AgentService: cognito-idp
      AgentType: client
      # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html#CognitoIdentityProvider.Client.create_user_pool_domain
      AgentCreateMethod: create_identity_provider
      AgentUpdateMethod: update_identity_provider
      AgentDeleteMethod: delete_identity_provider
      AgentResourceId: ProviderName
      AgentCreateArgs:
        UserPoolId: !Sub '${UserPool}'
        ProviderName: google-provider
        AttributeMapping:
          email: emailAddress
        ProviderDetails:
          google_app_id: some_value
          google_app_secret: some_value
          google_authorize_scope: some_value
        ProviderType: Google
      AgentUpdateArgs:
        UserPoolId: !Sub '${UserPool}'
        ProviderName: google-provider
        AttributeMapping:
          email: emailAddress
        ProviderDetails:
          google_app_id: some_value
          google_app_secret: some_value
          google_authorize_scope: some_value
        ProviderType: Google
      AgentDeleteArgs:
        UserPoolId: !Sub '${UserPool}'
        ProviderName: google-provider

you'll need to create a test provider in the console to get the correct names for parameters under ProviderDetails, namely Google app ID, App secret and Authorize scope. Also the AttributeMapping might need to be set to something else.

ab77
  • 841
  • 12
  • 14