
Based on what's described here and on other pages, I created via CDK a Cognito User Pool and an Identity Pool, and, after manually mapping the custom attributes, access is granted based on the custom attributes in the User Pool.

Now I'm trying to do everything in CDK, but I can't figure out how to do the mapping of the custom attributes. The only thing I found that knows about attribute mapping is UserPoolIdentityProvider / CfnUserPoolIdentityProvider, but that is of the wrong type, and I cannot use it with a CfnIdentityPool in cognitoIdentityProviders.

I saw some unanswered posts about the same issue (this, or this), but hope dies last, so I thought maybe there will be an answer this time.

I was under the impression that everything is doable via CloudFormation, but this seems mistaken, as this post and others suggest.

So can the attribute mapping be done with CDK, or do I need to use custom resources and Lambdas (or perhaps something else) if I want to automate this?

ciobi
  • I did a little digging around in the CDK source (albeit the TypeScript version) and found this PR: https://github.com/aws/aws-cdk/pull/8445/files. It feels like "UserPoolIdentityProviderAmazon" might be what you are looking for. I also located this document in which customAttributes are referenced in the context of UserPool and Identity Pool example here: docs.aws.amazon.com/cdk/api/v1/docs/aws-cognito-readme.html, it could be pertinent. Would you be able to share what you have so far for the cognito portion of your CDK script? – IrishGeek82 Jan 20 '22 at 07:18
  • Thanks for taking a look. I put the CDK code at https://github.com/mciobanu/CognitoTest01. Regarding UserPoolIdentityProviderAmazon: As far as I can tell, this is just an alternative to signing in with Google / Facebook / etc, and doesn't know about Cognito user pools. – ciobi Jan 20 '22 at 10:59
  • @ciobi Have you ever found a solution for this? – florian norbert bepunkt May 01 '22 at 13:23
  • @floriannorbertbepunkt - I don't think there was a solution 4 months ago, and I didn't revisit the topic after that. What I ended up doing was setting the attribute manually after the first deploy. It stays set after new deploys, so no big deal. – ciobi May 03 '22 at 11:24
  • Thanks, apparently it is still not supported via Cloudformation (and therefore not via CDK). – florian norbert bepunkt May 03 '22 at 13:55
  • @floriannorbertbepunkt - Something I forgot to mention: If you really need the process to be fully automated, I'm pretty sure you can do it via [custom resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html) – ciobi May 04 '22 at 18:23

1 Answer

Credits to the original creator. I found this useful and it solves the problem with Custom Resources.

https://github.com/aws-samples/amazon-cognito-abac-authorization-with-react-example/blob/main/lib/cognito_identity_pool_sample-stack.ts

import { Stack } from 'aws-cdk-lib'
import * as cognito from 'aws-cdk-lib/aws-cognito'
import * as customResources from 'aws-cdk-lib/custom-resources'

// Assumed to be defined earlier in the stack (as in the linked sample):
// `userPool` (cognito.UserPool), `identityPool` (cognito.CfnIdentityPool)
// and `authRole` (the IAM role assumed by authenticated identities).
new cognito.CfnIdentityPoolRoleAttachment(this, "defaultRoles", {
  identityPoolId: identityPool.ref,
  roles: {
    'authenticated': authRole.attrArn
  }
})

const createParameters = {
  "IdentityPoolId": identityPool.ref,
  "IdentityProviderName": userPool.userPoolProviderName,
  // Session tag key (left) -> user pool attribute/claim it is taken from (right)
  "PrincipalTags": {
    "department": "department"
  },
  // Do not apply the built-in default tag mapping; only the tags listed above are set
  "UseDefaults": false
}

const setPrincipalTagAction = {
  action: "setPrincipalTagAttributeMap",
  service: "CognitoIdentity",
  parameters: createParameters,
  physicalResourceId: customResources.PhysicalResourceId.of(identityPool.ref)
}

const { region, account } = Stack.of(this)
const identityPoolArn = `arn:aws:cognito-identity:${region}:${account}:identitypool/${identityPool.ref}`

// Creates a Custom resource (https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources-readme.html)
// This is necessary to attach Principal Tag mappings to the Identity Pool after it has been created.
// This uses the SDK, rather than CDK code, as attaching Principal Tags through CDK is currently not supported yet.
// The policy below limits the Lambda behind the custom resource to this one identity pool.
new customResources.AwsCustomResource(this, 'CustomResourcePrincipalTags', {
  onCreate: setPrincipalTagAction,
  onUpdate: setPrincipalTagAction,
  policy: customResources.AwsCustomResourcePolicy.fromSdkCalls({
    resources: [identityPoolArn],
  }),
})
Vikram S
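The role the answer passes as `authRole` is not shown there, and the tag mapping only has an effect if that role's trust policy cooperates. The following is an added example of my own (not from the answer or the aws-samples repository): the trust policy the authenticated role needs, a permission policy that consumes the mapped `department` tag, and a small lint that flags the omissions that weaken the setup. The identity pool id and bucket name are constructed placeholders.

```typescript
type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: { Federated?: string };
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };
// Constructed placeholder; a real pool id has the form "<region>:<uuid>".
const IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";

// Trust policy for the role passed as `authenticated` in CfnIdentityPoolRoleAttachment.
// sts:TagSession is what allows the mapped principal tags to be attached to the
// session; the aud/amr conditions pin the role to this pool's authenticated users.
const authRoleTrustPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: "cognito-identity.amazonaws.com" },
    Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
    Condition: {
      StringEquals: { "cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID },
      "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
    },
  }],
};

// Permission policy that consumes the tag the custom resource maps from the
// user's department attribute: each department reads only its own prefix.
const departmentScopedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["s3:GetObject"],
    Resource: ["arn:aws:s3:::example-bucket/${aws:PrincipalTag/department}/*"], // constructed bucket name
  }],
};

// Returns the problems found in a Cognito trust policy; an empty list means it is sound.
function lintTrustPolicy(doc: PolicyDocument, poolId: string): string[] {
  const problems: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow" || s.Principal?.Federated !== "cognito-identity.amazonaws.com") continue;
    const actions = new Set(Array.isArray(s.Action) ? s.Action : [s.Action]);
    if (!actions.has("sts:TagSession")) problems.push("missing sts:TagSession: mapped tags cannot be attached");
    if (!actions.has("sts:AssumeRoleWithWebIdentity")) problems.push("missing sts:AssumeRoleWithWebIdentity");
    if (s.Condition?.StringEquals?.["cognito-identity.amazonaws.com:aud"] !== poolId) problems.push("aud condition missing or wrong: role is not pinned to this pool");
    if (s.Condition?.["ForAnyValue:StringLike"]?.["cognito-identity.amazonaws.com:amr"] !== "authenticated") problems.push("amr condition missing: unauthenticated identities could assume the role");
  }
  return problems;
}
```

Because the tag value comes straight from the user's attribute, the app client's writable attributes should not include `department`, otherwise a user could change their own tag and widen what the permission policy grants them.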