MustSeeMelons

Reputation: 756

AWS Serverless IdentityPoolRoleAttachment

So, I'm creating a role for my Cognito users to be able to call API Gateway:

    IdentityAuthenticatedRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud":
                    - Ref: CognitoIdentityPoolStandardUserIdentityPool
                ForAnyValue:StringLike:
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: CognitoGatewayExecute
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "execute-api:Invoke"
                  Resource: "arn:aws:execute-api:*:*:*"
        MaxSessionDuration: 3600

Then I'm attaching the role to my IdentityPoolRoleAttachment:

    CognitoIdentityPoolRoleAttachment:
      DependsOn: CognitoIdentityPoolStandardUserIdentityPool
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Fn::Join:
            - ''
            - - Ref: CognitoIdentityPoolStandardUserIdentityPool
              - ''
        Roles:
          authenticated:
            Fn:GetAtt
              - IdentityAuthenticatedRole
              - Arn

According to the docs it should work, but it of course does not:

CognitoIdentityPoolRoleAttachment - Access to Role 'Fn:GetAtt - IdentityAuthenticatedRole - Arn' is forbidden.

Can someone please shed some light on this?

P.S. As I've already pasted this snippet, there is one more thing: I'm using Fn::Join, because otherwise I'm greeted with "Is not of type String" error, is there a better way to handle it?

Upvotes: 0

Views: 346

Answers (1)

Mike Patrick

Reputation: 11006

Syntax Error

Your Fn::GetAtt syntax is just a little off. You need two colons between Fn and GetAtt, and then you need a colon at the end of that line. Like this:

      authenticated:
        Fn::GetAtt:

This will fix the strange error message that contains Fn:GetAtt... where a real role name should be.

Fn::Join

You can get rid of the Fn::Join call by just using Ref like so:

  Properties:
    IdentityPoolId: 
      Ref: CognitoIdentityPoolStandardUserIdentityPool

DependsOn

The DependsOn line is fine, but not needed. CloudFormation is smart enough to figure out this dependency for you.

YAML note

Finally, while this boils down to a readability preference, I usually put short lists (like the ones you pass to Fn::GetAtt) in square brackets. So you can replace this:

      authenticated:
        Fn::GetAtt:
          - IdentityAuthenticatedRole
          - Arn

with this:

      authenticated:
        Fn::GetAtt: [IdentityAuthenticatedRole, Arn]

Rewritten

The result is shorter, and arguably easier to read. Combining these suggestions results in this role attachment resource:

CognitoIdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId: 
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    Roles:
      authenticated:
        Fn::GetAtt: [IdentityAuthenticatedRole, Arn]

Tested using Serverless 1.27.2

Upvotes: 1
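The error message in the question is the YAML itself talking: `Fn:GetAtt` with a single colon and no trailing colon is not a mapping key, so that line and the two list items under it fold into one plain scalar, and CloudFormation dutifully echoes `'Fn:GetAtt - IdentityAuthenticatedRole - Arn'` back as the "role" it cannot access. The script below is an added example, not code from the question, the answer or AWS: it lints a CloudFormation template (embedded here as a constructed Python dict mirroring the question's YAML with the answer's corrections applied) for exactly this class of mistake, checks that the role's trust policy is pinned to the same identity pool and to `authenticated` identities, and flags the `execute-api:Invoke` grant on `arn:aws:execute-api:*:*:*`, which lets the role call every API in every region and account rather than the one API Gateway stage the users actually need. The helper names (`lint`, `with_override`, `BUGGY_TEMPLATE`) are this example's own.

```python
import copy

# Constructed template: a dict equivalent of the question's YAML with the answer's fixes
# (Fn::GetAtt spelled out, plain Ref for the pool id, DependsOn dropped).
TEMPLATE = {"Resources": {
    "CognitoIdentityPoolStandardUserIdentityPool": {
        "Type": "AWS::Cognito::IdentityPool",
        "Properties": {"AllowUnauthenticatedIdentities": False}},
    "IdentityAuthenticatedRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"Federated": "cognito-identity.amazonaws.com"},
                "Action": ["sts:AssumeRoleWithWebIdentity"],
                "Condition": {
                    "StringEquals": {"cognito-identity.amazonaws.com:aud": [
                        {"Ref": "CognitoIdentityPoolStandardUserIdentityPool"}]},
                    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]},
            "Policies": [{"PolicyName": "CognitoGatewayExecute",
                          "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                              "Effect": "Allow", "Action": ["execute-api:Invoke"],
                              "Resource": "arn:aws:execute-api:*:*:*"}]}}],
            "MaxSessionDuration": 3600}},
    "CognitoIdentityPoolRoleAttachment": {
        "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
        "Properties": {
            "IdentityPoolId": {"Ref": "CognitoIdentityPoolStandardUserIdentityPool"},
            "Roles": {"authenticated": {"Fn::GetAtt": ["IdentityAuthenticatedRole", "Arn"]}}}}}}


def with_override(template, path, value):
    """Deep-copy the template and replace the node at `path` (a list of keys/indices)."""
    t = copy.deepcopy(template)
    node = t
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return t


# What the question's YAML actually parses to: `Fn:GetAtt` is not a mapping key, so it and
# the two list lines below it fold into a single string.
BUGGY_TEMPLATE = with_override(
    TEMPLATE, ["Resources", "CognitoIdentityPoolRoleAttachment", "Properties", "Roles", "authenticated"],
    "Fn:GetAtt - IdentityAuthenticatedRole - Arn")


def as_list(v):
    return v if isinstance(v, list) else [v]


def pool_ref(value):
    """Logical id named by an IdentityPoolId: a Ref, or an Fn::Join of one Ref and empty strings."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    if isinstance(value, dict) and "Fn::Join" in value:
        parts = [p for p in value["Fn::Join"][1] if p != ""]
        if len(parts) == 1:
            return pool_ref(parts[0])
    return None


def check_trust(role_name, role, pool):
    """The role must be assumable only by authenticated identities of this one pool."""
    out = []
    for st in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action", [])):
            continue
        if st.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            out.append(f"{role_name}: web-identity trust is not limited to cognito-identity.amazonaws.com")
        cond = st.get("Condition", {})
        auds = as_list(cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud", []))
        if not any(isinstance(a, dict) and a.get("Ref") == pool for a in auds):
            out.append(f"{role_name}: aud condition is not pinned to {pool}; another pool could assume the role")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "authenticated":
            out.append(f"{role_name}: amr condition is {amr!r}, expected 'authenticated'")
    return out


def check_policies(role_name, role):
    """Flag execute-api grants whose region/account/API-id segments are wildcards."""
    out = []
    for pol in role["Properties"].get("Policies", []):
        for st in pol["PolicyDocument"]["Statement"]:
            actions = as_list(st.get("Action", []))
            if st.get("Effect") != "Allow" or not any(a.startswith("execute-api:") for a in actions):
                continue
            for arn in as_list(st.get("Resource", [])):
                parts = arn.split(":")
                if arn == "*" or (len(parts) >= 6 and parts[5].startswith("*")):
                    out.append(f"{role_name}: {arn} allows invoking every API; scope it to one API id and stage")
    return out


def lint(template):
    """Return a list of findings; an empty list means the attachment and its role look right."""
    res, out = template["Resources"], []
    for name, r in res.items():
        if r["Type"] != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        props = r["Properties"]
        pool = pool_ref(props.get("IdentityPoolId"))
        if res.get(pool, {}).get("Type") != "AWS::Cognito::IdentityPool":
            out.append(f"{name}: IdentityPoolId does not resolve to an identity pool in this template")
        for kind, ref in props.get("Roles", {}).items():
            getatt = ref.get("Fn::GetAtt") if isinstance(ref, dict) else None
            if not (isinstance(getatt, list) and len(getatt) == 2 and getatt[1] == "Arn"):
                out.append(f"{name}: Roles.{kind} is not an Fn::GetAtt of a role Arn, got {ref!r}")
                continue
            role = res.get(getatt[0])
            if not role or role["Type"] != "AWS::IAM::Role":
                out.append(f"{name}: Roles.{kind} points at unknown role {getatt[0]}")
                continue
            out += check_trust(getatt[0], role, pool) + check_policies(getatt[0], role)
    return out


if __name__ == "__main__":
    for label, t in (("fixed", TEMPLATE), ("as posted", BUGGY_TEMPLATE)):
        print(label, lint(t) or "clean")
```

Run it and the corrected template produces a single finding, the wildcard `execute-api` resource; the as-posted variant instead reports the folded `Fn:GetAtt` string where a role ARN reference should be, which is the same symptom CloudFormation reported. To bring a real template in, parse it with a YAML loader that knows the `!Ref`/`!GetAtt` short forms (the question uses the long forms, so a plain loader suffices there) and pass the resulting dict to `lint`.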
