How to create Cognito IdentityPool with Cognito UserPool as one of the Authentication provider using aws cdk?
I am trying to create a Cognito FederatedIdentityPool with a CognitoUserPool as one of the authentication providers. Creating the UserPool is straightforward:

```typescript
import cognito = require('@aws-cdk/aws-cognito');

const userPool = new cognito.CfnUserPool(this, 'MyCognitoUserPool');
const userPoolClient = new cognito.CfnUserPoolClient(this, 'RandomQuoteUserPoolClient', {
  generateSecret: false,
  userPoolId: userPool.userPoolId
});
```

But I am not sure how to connect it to the identity pool:

```typescript
const identityPool = new cognito.CfnIdentityPool(this, 'MyIdentityPool', {
  allowUnauthenticatedIdentities: false,
  cognitoIdentityProviders: ?????
});
```

Based on the IdentityProvider API Documentation it looks like there is a property cognitoIdentityProviders, but it accepts an array of cdk.Token/CognitoIdentityProviderProperty.

Now I tried creating a CognitoIdentityProviderProperty object and passing it as cognitoIdentityProviders: [{ clientId: userPoolClient.userPoolClientId }], but I get the following exception:

```
1/2 | 09:48:35 | CREATE_FAILED | AWS::Cognito::IdentityPool | RandomQuoteIdentityPool Invalid Cognito Identity Provider (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidParameterException; Request ID: 4d6d579a-6455-11e9-99a9-85159bc87779)
```
I even tried copying the id from the AWS console and hardcoding it here; still the same error.

- Can someone explain how to configure the authentication providers in CfnIdentityPool?
- Why is there a UserPool and a CfnUserPool? What is the difference between them, and which one should be used?
I figured out how to attach the UserPool to the identity pool:

```typescript
import cognito = require('@aws-cdk/aws-cognito');

const userPool = new cognito.CfnUserPool(this, 'MyCognitoUserPool');
const userPoolClient = new cognito.CfnUserPoolClient(this, 'MyCognitoUserPoolClient', {
  generateSecret: false,
  userPoolId: userPool.userPoolId
});
const identityPool = new cognito.CfnIdentityPool(this, 'MyCognitoIdentityPool', {
  allowUnauthenticatedIdentities: false,
  cognitoIdentityProviders: [{
    clientId: userPoolClient.userPoolClientId,
    // providerName is required next to clientId; it is the user pool's
    // cognito-idp.<region>.amazonaws.com/<pool id> provider name
    providerName: userPool.userPoolProviderName
  }]
});
```

I am still working on attaching the Role to the IdentityPool, and I do not know the difference between CfnUserPool and UserPool. However, this question can be marked as partially solved.
This is how I managed to mimic the default configuration that the AWS console creates when you create an identity pool with a user pool as the identity provider. It includes a bit more than what you asked for (allowing unauthenticated access and specifying a password policy), but it is easy to modify to your needs.

```typescript
// CDK 1.x-era API, as used at the time of this answer
import cognito = require('@aws-cdk/aws-cognito');
import iam = require('@aws-cdk/aws-iam');
import { SignInType, UserPoolAttribute } from '@aws-cdk/aws-cognito';
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam';

// High-level user pool: users sign in with their e-mail address
const userPool = new cognito.UserPool(this, 'MyUserPool', {
  signInType: SignInType.EMAIL,
  autoVerifiedAttributes: [
    UserPoolAttribute.EMAIL
  ]
});

// The high-level construct does not expose the password policy yet,
// so drop down to the underlying CloudFormation resource to set it
const cfnUserPool = userPool.node.defaultChild as cognito.CfnUserPool;
cfnUserPool.policies = {
  passwordPolicy: {
    minimumLength: 8,
    requireLowercase: false,
    requireNumbers: false,
    requireUppercase: false,
    requireSymbols: false
  }
};

const userPoolClient = new cognito.UserPoolClient(this, 'MyUserPoolClient', {
  generateSecret: false,
  userPool: userPool,
  userPoolClientName: 'MyUserPoolClientName'
});

// Identity pool that trusts the user pool (client id + provider name)
const identityPool = new cognito.CfnIdentityPool(this, 'MyCognitoIdentityPool', {
  allowUnauthenticatedIdentities: false,
  cognitoIdentityProviders: [{
    clientId: userPoolClient.userPoolClientId,
    providerName: userPool.userPoolProviderName,
  }]
});

// Trust policy: only identities issued by this pool (aud) that are
// unauthenticated (amr) may assume the role
const unauthenticatedRole = new iam.Role(this, 'CognitoDefaultUnauthenticatedRole', {
  assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
    "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
    "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },
  }, "sts:AssumeRoleWithWebIdentity"),
});
// Same permissions the console's default unauthenticated role grants
unauthenticatedRole.addToPolicy(new PolicyStatement({
  effect: Effect.ALLOW,
  actions: [
    "mobileanalytics:PutEvents",
    "cognito-sync:*"
  ],
  resources: ["*"],
}));

// Same trust policy, but for authenticated identities of this pool
const authenticatedRole = new iam.Role(this, 'CognitoDefaultAuthenticatedRole', {
  assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
    "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
    "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
  }, "sts:AssumeRoleWithWebIdentity"),
});
// Same permissions the console's default authenticated role grants
authenticatedRole.addToPolicy(new PolicyStatement({
  effect: Effect.ALLOW,
  actions: [
    "mobileanalytics:PutEvents",
    "cognito-sync:*",
    "cognito-identity:*"
  ],
  resources: ["*"],
}));

// Bind the two roles to the identity pool
const defaultPolicy = new cognito.CfnIdentityPoolRoleAttachment(this, 'DefaultValid', {
  identityPoolId: identityPool.ref,
  roles: {
    'unauthenticated': unauthenticatedRole.roleArn,
    'authenticated': authenticatedRole.roleArn
  }
});
```
Why is there a UserPool and CfnUserPool? What is difference between them and which one is supposed to be used?
UserPool is the high-level representation of the resource and is the preferred way to work, but it does not implement all properties yet. CfnUserPool (any class prefixed with Cfn) is the low-level representation that maps directly to the CloudFormation resource. You can use both together when the high-level class does not cover what you need, as shown in the example.
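The two conditions in the roles' trust policies (aud and amr) are what keep each role bound to this one identity pool and one access type. As an added example that is not code from the question or the answers, here is the same trust policy as plain JSON together with a check that a role's trust policy still carries both conditions; the pool id is a constructed placeholder.

```typescript
// Added example: the trust policy iam.FederatedPrincipal renders for an identity
// pool role, plus a check that a trust policy is scoped to one pool and one access type.
type Amr = "authenticated" | "unauthenticated";

interface TrustStatement {
  Effect: string;
  Principal: { Federated?: string };
  Action: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface TrustPolicy { Version: string; Statement: TrustStatement[]; }

// Constructed placeholder; a real id looks like "<region>:<uuid>".
const SAMPLE_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";

// Same document the answer's FederatedPrincipal(...) produces for a role.
function cognitoTrustPolicy(identityPoolId: string, amr: Amr): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: "cognito-identity.amazonaws.com" },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        // aud: only identities issued by this identity pool
        StringEquals: { "cognito-identity.amazonaws.com:aud": identityPoolId },
        // amr: only this access type (authenticated vs. unauthenticated)
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": amr },
      },
    }],
  };
}

// Returns one finding per Cognito statement that is broader than expected;
// an empty array means the role is bound to the expected pool and access type.
function checkCognitoTrustPolicy(policy: TrustPolicy, poolId: string, expectedAmr: Amr): string[] {
  const findings: string[] = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow" || st.Principal.Federated !== "cognito-identity.amazonaws.com") continue;
    const cond = st.Condition ?? {};
    const aud = cond["StringEquals"]?.["cognito-identity.amazonaws.com:aud"];
    const amr = cond["ForAnyValue:StringLike"]?.["cognito-identity.amazonaws.com:amr"];
    if (aud === undefined) findings.push("no aud condition: any identity pool in any account can assume this role");
    else if (aud !== poolId) findings.push(`aud ${aud} is not the expected pool ${poolId}`);
    if (amr === undefined) findings.push("no amr condition: authenticated and unauthenticated identities can both assume it");
    else if (amr !== expectedAmr) findings.push(`amr ${amr} is not the expected ${expectedAmr}`);
  }
  return findings;
}
```

Run checkCognitoTrustPolicy over the AssumeRolePolicyDocument of a deployed role (for example from `aws iam get-role`) to confirm the conditions survived any later edits.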
The CDK must have changed this since. I got it working with @CCarlos's example:

```typescript
import cognito = require('@aws-cdk/aws-cognito');

const pool = new cognito.CfnUserPool(this, "cdkUserpool", {
  userPoolName: "cdkUserPoolName",
  usernameAttributes: ["email"],
});

const client = new cognito.CfnUserPoolClient(this, "cdkClient", {
  userPoolId: pool.ref, // <--- This part has changed.
  explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
  generateSecret: false,
  readAttributes: [
    "preferred_username",
    "website",
    "email",
    "name",
    "zoneinfo",
    "phone_number",
    "phone_number_verified",
    "email_verified",
  ],
  writeAttributes: ["name", "zoneinfo", "phone_number"],
});
```