I am trying to use the AWS CDK to create the Cognito stack (user pool and identity pool) along with the IAM roles, but I can't find a way to configure the Identity Pool's "Attributes for access control" on the Cognito authentication provider so that I can add principal keys for a custom mapping:
Identity Pool Attribute Access Control
I would appreciate any help. My code for creating the identity pool is this:
// Identity pool federated with the user pool client; guest (unauthenticated)
// identities are disabled.
// NOTE(review): the "attributes for access control" (principal tag) mapping is
// not a property of CfnIdentityPool itself; it is a per-provider setting
// configured separately from the pool — check whether your CDK version
// exposes it as its own L1 construct before falling back to a custom resource.
const userPoolProvider = {
  clientId: userPoolClient.userPoolClientId,
  providerName: userPool.userPoolProviderName,
};
const identityPool = new CfnIdentityPool(this, "IdentityPool", {
  allowUnauthenticatedIdentities: false,
  cognitoIdentityProviders: [userPoolProvider],
});
// Create authenticated role.
// Trust policy: only Cognito Identity may assume it via web-identity
// federation, only for identities of this pool (aud), and only when the
// identity was authenticated (amr contains "authenticated").
const authenticatedTrust = {
  StringEquals: {
    "cognito-identity.amazonaws.com:aud": identityPool.ref,
  },
  "ForAnyValue:StringLike": {
    "cognito-identity.amazonaws.com:amr": "authenticated",
  },
};
const authenticatedRole = new Role(this, "AuthenticatedRole", {
  assumedBy: new FederatedPrincipal(
    "cognito-identity.amazonaws.com",
    authenticatedTrust,
    "sts:AssumeRoleWithWebIdentity",
  ),
});
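// Create unauthenticated role (the original comment was a copy-paste of the
// authenticated one). Trust policy mirrors the authenticated role but matches
// amr "unauthenticated".
// Note: the pool is created with allowUnauthenticatedIdentities: false, so
// guest identities cannot obtain credentials for this role unless that flag
// is later enabled; keep its permissions minimal regardless.
const unauthenticatedRole = new Role(this, "UnauthenticatedRole", {
  assumedBy: new FederatedPrincipal(
    "cognito-identity.amazonaws.com",
    {
      StringEquals: {
        "cognito-identity.amazonaws.com:aud": identityPool.ref,
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "unauthenticated",
      },
    },
    "sts:AssumeRoleWithWebIdentity",
  ),
});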
// Attach the default roles to the pool and add a rule-based role mapping for
// the user pool provider. With type "Token" the role is resolved from the
// user pool token's claims; ambiguousRoleResolution "Deny" refuses credentials
// instead of silently falling back when the claims do not resolve to one role.
const stackRegion = Stack.of(this).region;
const userPoolProviderId = `cognito-idp.${stackRegion}.amazonaws.com/${userPool.userPoolId}:${userPoolClient.userPoolClientId}`;

new CfnIdentityPoolRoleAttachment(this, "IdentityPoolRoleAttachment", {
  identityPoolId: identityPool.ref,
  roles: {
    authenticated: authenticatedRole.roleArn,
    unauthenticated: unauthenticatedRole.roleArn,
  },
  roleMappings: {
    mapping: {
      type: "Token",
      ambiguousRoleResolution: "Deny",
      identityProvider: userPoolProviderId,
    },
  },
});