Cannot set a property of Cognito user pool client via CloudFormation
I'm trying to run Cognito via CloudFormation. Everything works, but Cognito has the following section:
As you can see, there is a section "Enable identity providers". I can't find where to set it on the Cognito user pool in CloudFormation!
I tried this property, but it says it isn't supported:
SupportedIdentityProviders
Here is my user pool client code:
```yaml
UserPoolClient:
  Type: "AWS::Cognito::UserPoolClient"
  Properties:
    ClientName: !Sub ${project}-client
    ExplicitAuthFlows:
      - ADMIN_NO_SRP_AUTH
      - USER_PASSWORD_AUTH
    GenerateSecret: false
    UserPoolId: !Ref UserPool
    RefreshTokenValidity: 30
```
Here is my user pool:
```yaml
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Sub ${project}-user-pool-test
    AutoVerifiedAttributes:
      - email
    UsernameAttributes:
      - email
    MfaConfiguration: "OFF"
    LambdaConfig:
      CustomMessage:
        Fn::ImportValue: !Sub ${project}-${EnvironmentApp}-lambda-cognito-custom-message-post
    Policies:
      PasswordPolicy:
        MinimumLength: !Ref MinimumLength
        RequireLowercase: !Ref RequireLowercase
        RequireNumbers: !Ref RequireNumbers
        RequireSymbols: !Ref RequireSymbols
        RequireUppercase: !Ref RequireUppercase
    Schema:
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: !Sub ${project}-stg
        Required: false
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: !Sub zuora-stg
        Required: false
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: !Sub salesforce-stg
        Required: false
```
Is this supported by CloudFormation? Thanks for any help.
I ran into the same problem last month. CFN doesn't support this property yet, so I ended up using a CFN custom resource to create the pool client. More on CFN Custom Resources. Essentially, I have CFN call a Lambda function that creates the user pool client (the SDK supports all the properties).
As ASR said, this doesn't seem to be supported in CloudFormation yet.
We ended up trying Terraform, which does support it, e.g.
```hcl
resource "aws_cognito_user_pool_client" "my_client" {
  ...
  supported_identity_providers = ["COGNITO"]
}
```
We have now switched everything over to Terraform, because it's easier to understand, read and write than CloudFormation.
I know this is probably not the answer you wanted, but I hope it helps.
As the other answers suggest, this currently can't be done natively in CloudFormation. However, as ASR's answer suggests, it can be done via a CloudFormation custom resource.
My employer has open-sourced its collection of custom resources, including CognitoUserPool and CognitoDomainName (which CloudFormation doesn't support either). The custom resource source can be found on github.
Below are manual instructions for setting it up; you can always automate further by putting the supporting Lambda into CloudFormation as well.
All commands below are for Mac. You may need to modify the base64 flag for other platforms.
1. Create an IAM role for the Lambda
```shell
aws iam create-role --role-name LambdaRoleCognito --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}'
# Both managed policies are much broader than the function needs (all of CloudWatch
# Logs, every Cognito action on every pool). For anything beyond a quick test, scope
# the role down to cognito-idp:Create/Update/DeleteUserPoolClient on your pool ARNs.
aws iam attach-role-policy --role-name LambdaRoleCognito \
  --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
aws iam attach-role-policy --role-name LambdaRoleCognito \
  --policy-arn arn:aws:iam::aws:policy/AmazonCognitoPowerUser
```
2. Download the Lambda source, upload it to your own bucket, and create the Lambda
```shell
# Third-party code that will run with Cognito admin rights: verify the release
# artifact (checksum/signature) before deploying it.
wget https://github.com/base2Services/cloudformation-custom-resources-nodejs/releases/download/1.0.0/ccr-nodejs-1.0.0.zip
account_id=$(aws sts get-caller-identity --query Account --output text)
aws s3 mb s3://${account_id}.cfncustomres.source
aws s3 cp ccr-nodejs-1.0.0.zip s3://${account_id}.cfncustomres.source/ccr-nodejs-1.0.0.zip
# nodejs6.10 was current when this was written; Lambda has since retired that
# runtime, so pick a supported Node.js runtime the package still runs on.
aws lambda create-function --function-name CfnCrCognitUPC --runtime nodejs6.10 \
  --role arn:aws:iam::${account_id}:role/LambdaRoleCognito \
  --timeout 30 \
  --memory-size 512 \
  --code S3Bucket=${account_id}.cfncustomres.source,S3Key=ccr-nodejs-1.0.0.zip \
  --handler cognito-user-pool-client/index.handler
```
3. Optional: test the Lambda by invoking it with a test payload
```shell
# This invocation really creates a client in the pool; the PUT to the placeholder
# ResponseURL will fail, which is expected outside a real stack event.
# AWS CLI v2 also needs --cli-binary-format raw-in-base64-out for a raw JSON --payload.
aws lambda invoke --function-name CfnCrCognitUPC --payload '{
  "StackId": "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
  "ResponseURL": "http://pre-signed-S3-url-for-response",
  "ResourceProperties": {
    "ClientName": "MyCCRCreatedUP",
    "SupportedIdentityProviders": [
      "COGNITO"
    ],
    "UserPoolId": "!! REPLACE WITH YOUR USER POOL ID !!"
  },
  "RequestType": "Create",
  "ResourceType": "Custom::TestResource",
  "RequestId": "unique id for this create request",
  "LogicalResourceId": "MyTestResource"
}' --log-type Tail --invocation-type RequestResponse output.txt \
  --query LogResult --output text | base64 -D   # GNU coreutils: base64 -d
```
4. Create the custom resource in your CloudFormation template
For the list of all supported properties, see the custom resource JSON schema.
```yaml
Resources:
  MyPoolApplication:
    Type: Custom::CognitoUserPool
    Properties:
      ServiceToken: arn:aws:lambda:<<REPLACE_WITH_YOUR_REGION>>:<<REPLACE_WITH_YOUR_ACCOUNT_ID>>:function:CfnCrCognitUPC
      ClientName: ApplicationClientNameHere
      UserPoolId:
        Ref: UserPool
      SupportedIdentityProviders:
        - COGNITO
      .... other supported properties ....
```
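The two custom-resource answers above describe the Lambda only in outline: CloudFormation sends a Create, Update or Delete event to the function, the function calls the Cognito SDK (which accepts every property, SupportedIdentityProviders included), and it must PUT a result to the presigned ResponseURL or the stack hangs. The handler below is an added example written for this page in Python; it is not the base2Services package or ASR's function. It assumes it runs in Lambda with boto3 available; the FakeCognito class and fake_opener are constructed stand-ins so the Create/Update/Delete paths can be exercised offline, and the coercion tables reflect the fact that CloudFormation passes every scalar ResourceProperty to a custom resource as a string.

```python
import contextlib
import json
import types
import urllib.request

# CloudFormation hands scalars to a custom resource as strings; these need bool/int again.
_BOOL_KEYS = {"GenerateSecret", "AllowedOAuthFlowsUserPoolClient"}
_INT_KEYS = {"RefreshTokenValidity", "AccessTokenValidity", "IdTokenValidity"}


def client_params(props):
    """Turn ResourceProperties into CreateUserPoolClient keyword arguments."""
    out = {}
    for key, value in props.items():
        if key == "ServiceToken":  # added by CloudFormation, rejected by Cognito
            continue
        if key in _BOOL_KEYS and isinstance(value, str):
            value = value.lower() == "true"
        elif key in _INT_KEYS and isinstance(value, str):
            value = int(value)
        out[key] = value
    return out


def apply_request(event, cognito):
    """Run Create/Update/Delete through the SDK; return (physical_id, data)."""
    req, props = event["RequestType"], client_params(event.get("ResourceProperties", {}))
    if req == "Create":
        cid = cognito.create_user_pool_client(**props)["UserPoolClient"]["ClientId"]
        return cid, {"ClientId": cid}
    cid = event["PhysicalResourceId"]
    if req == "Update":
        # UpdateUserPoolClient has no GenerateSecret parameter: a change there needs a
        # replacement, so refuse it rather than silently keep the old value.
        if event.get("OldResourceProperties", {}).get("GenerateSecret") != \
                event["ResourceProperties"].get("GenerateSecret"):
            raise ValueError("GenerateSecret cannot be changed in place")
        props.pop("GenerateSecret", None)
        cognito.update_user_pool_client(ClientId=cid, **props)
        return cid, {"ClientId": cid}
    if req == "Delete":
        try:
            cognito.delete_user_pool_client(UserPoolId=props["UserPoolId"], ClientId=cid)
        except Exception as exc:  # botocore builds exception classes per client
            if type(exc).__name__ != "ResourceNotFoundException":
                raise  # "already gone" (rollback of a failed Create) counts as success
        return cid, {}
    raise ValueError(f"unknown RequestType {req!r}")


def send_response(event, status, physical_id, data, reason, opener):
    """PUT the result to the presigned S3 URL, as the custom-resource protocol requires."""
    body = json.dumps({"Status": status, "Reason": reason or "see CloudWatch logs",
                       "PhysicalResourceId": physical_id, "StackId": event["StackId"],
                       "RequestId": event["RequestId"], "Data": data,
                       "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(body))})
    with opener(req) as resp:
        return resp.status


def handler(event, context, cognito=None, opener=urllib.request.urlopen):
    """Lambda entry point; cognito and opener are injectable for offline tests."""
    cognito = cognito or __import__("boto3").client("cognito-idp")  # real SDK when deployed
    physical_id, data, reason = event.get("PhysicalResourceId") or event["LogicalResourceId"], {}, None
    try:
        physical_id, data = apply_request(event, cognito)
        status = "SUCCESS"
    except Exception as exc:  # always answer: an unanswered event hangs the stack for an hour
        status, reason = "FAILED", f"{type(exc).__name__}: {exc}"
    send_response(event, status, physical_id, data, reason, opener)
    return {"Status": status, "PhysicalResourceId": physical_id, "Data": data}


class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client (offline runs only)."""
    def __init__(self):
        self.clients = {}

    def create_user_pool_client(self, **kw):
        cid = f"client-{len(self.clients) + 1}"
        self.clients[cid] = dict(kw)
        return {"UserPoolClient": {"ClientId": cid, **kw}}

    def update_user_pool_client(self, ClientId, **kw):
        self.clients[ClientId].update(kw)

    def delete_user_pool_client(self, UserPoolId, ClientId):
        if ClientId not in self.clients:
            raise type("ResourceNotFoundException", (Exception,), {})(ClientId)
        del self.clients[ClientId]


def fake_opener(request):
    """Constructed stand-in for urlopen: insists on a JSON PUT body, answers 200."""
    assert request.get_method() == "PUT" and json.loads(request.data)
    return contextlib.nullcontext(types.SimpleNamespace(status=200))
```

Deployed, `handler` is the Lambda entry point and the template points `ServiceToken` at the function, exactly as in the YAML above. Offline, `handler(event, None, FakeCognito(), fake_opener)` walks the same paths; the points worth checking are that a repeated Delete still reports SUCCESS (CloudFormation retries and rolls back failed Creates with a Delete) and that a failure is still answered with Status FAILED instead of an exception.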
As of October 2019, Cognito resources are supported by CloudFormation. Create the resources with the expected types AWS::Cognito::UserPool, AWS::Cognito::UserPoolClient, AWS::Cognito::UserPoolDomain, etc.
To enable identity providers, set the following CF property on the client (it lives under Properties, like the other client settings):
```yaml
UserPoolClient:
  Type: AWS::Cognito::UserPoolClient
  Properties:
    UserPoolId: !Ref UserPool
    SupportedIdentityProviders:
      - COGNITO
      - Facebook
      - Google
      - LoginWithAmazon
    ...
```
The CloudFormation documentation is available here.
As the other answers state, there is now a way to set up the UserPoolClient with CloudFormation, but I landed on this question while looking for concrete examples, because some of the parameters confused me. I'm putting mine here in case someone else is looking for an example too.
In my example I've also included federated login with Google to make it more complete. If you don't want Google login, just remove it from SupportedIdentityProviders.
The template:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  envParameter:
    Type: String
    Default: dev
    AllowedValues: [ dev, staging, prod ]
    Description: Suffix to be added for names.
Resources:
  myUserPool:
    DependsOn: [ cognitoSMSRole ]
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
          - Name: verified_phone_number
            Priority: 2
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: False
      AutoVerifiedAttributes:
        - phone_number
      EnabledMfas:
        - SMS_MFA
      MfaConfiguration: OPTIONAL
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: True
          RequireNumbers: True
          RequireSymbols: True
          RequireUppercase: True
          TemporaryPasswordValidityDays: 7
      Schema:
        - AttributeDataType: String
          DeveloperOnlyAttribute: False
          Mutable: False
          Name: name
          Required: True
        - AttributeDataType: String
          DeveloperOnlyAttribute: False
          Mutable: False
          Name: last_name
          Required: False
      SmsConfiguration:
        ExternalId: !Sub cognito-sms-role-${envParameter}
        SnsCallerArn: !GetAtt cognitoSMSRole.Arn
      UsernameAttributes:
        - phone_number
      UsernameConfiguration:
        CaseSensitive: False
      UserPoolName: !Sub UserPool-${envParameter}
  cognitoSMSRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            # Tie the trust to the ExternalId the pool presents, so only this
            # pool's SmsConfiguration can assume the role (confused-deputy guard).
            Condition:
              StringEquals:
                sts:ExternalId: !Sub cognito-sms-role-${envParameter}
      Policies:
        - PolicyName: "CognitoSNSPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "sns:publish"
                Resource: "*"   # direct SMS publishing has no topic ARN to scope to
  cognitoClient:
    DependsOn: [ myUserPool, googleProvider ]
    Type: AWS::Cognito::UserPoolClient
    Properties:
      AllowedOAuthFlows:
        - code
        - implicit   # returns tokens in the URL fragment; drop unless a legacy SPA needs it
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      CallbackURLs:
        - https://google.co.uk   # Cognito rejects plain http:// here except http://localhost
      ClientName: !Sub cognito-appid-${envParameter}
      GenerateSecret: False
      LogoutURLs:
        - https://google.co.uk
      PreventUserExistenceErrors: ENABLED
      RefreshTokenValidity: 1
      SupportedIdentityProviders:
        - COGNITO
        - Google
      UserPoolId: !Ref myUserPool
  googleProvider:
    DependsOn: [ myUserPool ]
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      AttributeMapping:
        name: emailAddress
        sub: Username
      ProviderDetails:
        client_id: client_id.apps.googleusercontent.com
        # Placeholder only: do not commit the real secret; pass it in as a NoEcho
        # parameter or a {{resolve:secretsmanager:...}} dynamic reference.
        client_secret: this_is_the_client_secret
        authorize_scopes: email openid profile
      ProviderName: Google
      ProviderType: Google
      UserPoolId: !Ref myUserPool
Outputs:
  userPool:
    Description: "User pool ID"
    Value: !Ref myUserPool
  identityPool:
    # !Ref on a UserPoolClient yields the app client ID, not an identity pool ID
    Description: "User pool app client ID"
    Value: !Ref cognitoClient
```
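With the client now a native resource, the mistakes move from "property not supported" to settings that deploy fine but weaken the login flow or fail at stack creation. The lint below is an added example written for this page (not part of the answer above or of any AWS tool); it runs over a parsed CloudFormation template and checks the points the template above illustrates: every non-COGNITO entry in SupportedIdentityProviders must match a UserPoolIdentityProvider declared on the same pool and the client must DependsOn it, callback and logout URLs must be HTTPS (Cognito only allows plain HTTP for localhost), the implicit grant and a missing PreventUserExistenceErrors are flagged, and a client_secret pasted into ProviderDetails is reported. SAMPLE_TEMPLATE is constructed to mirror the answer's YAML in the JSON-style form (`{"Ref": ...}` for `!Ref`) that a template loader returns, plus a second client that names a provider the template never declares; loading YAML is left out so the example runs offline.

```python
"""Lint AWS::Cognito::UserPoolClient resources in a parsed CloudFormation template."""


def _props(resource):
    return resource.get("Properties", {})


def lint_cognito_clients(template):
    """Return (logical_id, finding) pairs; an empty list means nothing to fix."""
    resources = template.get("Resources", {})
    providers = {lid: r for lid, r in resources.items()
                 if r.get("Type") == "AWS::Cognito::UserPoolIdentityProvider"}
    findings = []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::Cognito::UserPoolClient":
            continue
        p = _props(res)
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else list(depends)
        for name in p.get("SupportedIdentityProviders", []):
            if name == "COGNITO":  # the pool's own directory needs no provider resource
                continue
            owners = [plid for plid, pr in providers.items()
                      if _props(pr).get("ProviderName") == name
                      and _props(pr).get("UserPoolId") == p.get("UserPoolId")]
            if not owners:
                findings.append((lid, f"SupportedIdentityProviders names {name!r} but the template "
                                      "declares no UserPoolIdentityProvider for it on this pool"))
            elif not any(o in depends for o in owners):
                findings.append((lid, f"add DependsOn {owners[0]}: the client must be created "
                                      f"after the {name} provider or stack creation can fail"))
        for key in ("CallbackURLs", "LogoutURLs"):
            for url in p.get(key, []):
                if not (url.startswith("https://") or url.startswith("http://localhost")):
                    findings.append((lid, f"{key} entry {url!r} is not HTTPS; Cognito only allows "
                                          "plain HTTP for localhost"))
        if "implicit" in p.get("AllowedOAuthFlows", []):
            findings.append((lid, "AllowedOAuthFlows includes 'implicit': tokens are returned in the "
                                  "URL fragment; use 'code' (with PKCE for public clients) instead"))
        if p.get("PreventUserExistenceErrors") != "ENABLED":
            findings.append((lid, "PreventUserExistenceErrors is not ENABLED: sign-in errors reveal "
                                  "which usernames exist"))
    for plid, pr in providers.items():
        secret = _props(pr).get("ProviderDetails", {}).get("client_secret")
        if isinstance(secret, str) and not secret.startswith("{{resolve:"):
            findings.append((plid, "client_secret is a literal in the template; pass it as a NoEcho "
                                   "parameter or a {{resolve:secretsmanager:...}} dynamic reference"))
    return findings


# Constructed sample mirroring the template in the answer above, in the JSON-style
# form ({"Ref": ...} instead of !Ref) that a template loader hands back.
SAMPLE_TEMPLATE = {"Resources": {
    "myUserPool": {"Type": "AWS::Cognito::UserPool",
                   "Properties": {"UserPoolName": "UserPool-dev"}},
    "googleProvider": {"Type": "AWS::Cognito::UserPoolIdentityProvider", "DependsOn": ["myUserPool"],
                       "Properties": {"ProviderName": "Google", "ProviderType": "Google",
                                      "UserPoolId": {"Ref": "myUserPool"},
                                      "ProviderDetails": {"client_id": "client_id.apps.googleusercontent.com",
                                                          "client_secret": "this_is_the_client_secret",
                                                          "authorize_scopes": "email openid profile"}}},
    "cognitoClient": {"Type": "AWS::Cognito::UserPoolClient", "DependsOn": ["myUserPool", "googleProvider"],
                      "Properties": {"AllowedOAuthFlows": ["code", "implicit"],
                                     "AllowedOAuthFlowsUserPoolClient": True,
                                     "CallbackURLs": ["http://google.co.uk"],
                                     "LogoutURLs": ["http://google.co.uk"],
                                     "PreventUserExistenceErrors": "ENABLED",
                                     "SupportedIdentityProviders": ["COGNITO", "Google"],
                                     "UserPoolId": {"Ref": "myUserPool"}}},
    # A second client that names a provider the template never declares.
    "legacyClient": {"Type": "AWS::Cognito::UserPoolClient",
                     "Properties": {"CallbackURLs": ["https://app.example.com/callback"],
                                    "SupportedIdentityProviders": ["COGNITO", "Facebook"],
                                    "UserPoolId": {"Ref": "myUserPool"}}},
}}


if __name__ == "__main__":
    for logical_id, finding in lint_cognito_clients(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run against the sample it reports six findings: the two plain-HTTP URLs and the implicit grant on cognitoClient, the undeclared Facebook provider and the missing PreventUserExistenceErrors on legacyClient, and the literal client_secret on googleProvider. The provider match compares the raw UserPoolId values, so `{"Ref": "myUserPool"}` on the client and on the provider line up without resolving references.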