Reputation: 3570
In my AWS CloudFormation stack, I want to attach roles to a Cognito identity pool (which works), and for Authentication providers > Cognito > Authenticated role selection, select "Choose role from token" using the CloudFormation syntax (which doesn't work), as follows:
```yaml
wzjCognitoIdentityPoolRoles:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: wzjCognitoIdentityPool
    Roles:
      authenticated:
        Fn::GetAtt: [cognitoAuthRoleWithIdentity, Arn]
      unauthenticated:
        Fn::GetAtt: [cognitoAuthRoleNoIdentity, Arn]
    RoleMappings:
      Type: Token
      AmbiguousRoleResolution: AuthenticatedRole
```
When I deploy, I get the following error:
An error occurred: wzjCognitoIdentityPoolRoles - Property validation failure: [Value of property {/RoleMappings/Type} does not match type {Object}, Value of property {/RoleMappings/AmbiguousRoleResolution} does not match type {Object}].
But as I understand the AWS CloudFormation documentation, I think I am using the correct syntax.
How can I fix that?
Thanks for your help.
Upvotes: 2
Views: 2168
Reputation: 11
You can get this generated like this:

```yaml
!Join [ "", [ "cognito-idp.us-west-2.amazonaws.com", "/", !Ref CognitoUserPool, ":", !Ref CognitoUserPoolAppClient ] ]
```

Where CognitoUserPoolAppClient is of type AWS::Cognito::UserPoolClient.
I was able to successfully add the rules to Identity provider.
Upvotes: 1
Reputation: 774
I think you should focus on the syntax of AWS::Cognito::IdentityPoolRoleAttachment rather than RoleMappings.

From the AWS::Cognito::IdentityPoolRoleAttachment documentation, under RoleMappings: "This is a string to RoleMapping object map."

So I think you can try:
```yaml
RoleMappings:
  'graph.facebook.com':
    Type: Token
    AmbiguousRoleResolution: AuthenticatedRole
```

Here 'graph.facebook.com' is just an example.
Upvotes: 1
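Putting both answers together, here is an added example (not from the question or either answer) of a complete role attachment that uses token-based role selection for a Cognito user pool. It builds the provider identifier from the first answer with `!Sub` and places it in the `IdentityProvider` sub-property of the RoleMapping object, which is not mentioned on this page, so the map key itself can stay a plain string. The `UserPoolId`, `UserPoolClientId` and `IdentityPoolId` parameters and the `UserPoolMapping` key are assumed names.

```yaml
Parameters:
  UserPoolId:       { Type: String }   # placeholder, e.g. us-west-2_XXXXXXXXX
  UserPoolClientId: { Type: String }   # placeholder app client id of that user pool
  IdentityPoolId:   { Type: String }   # placeholder, e.g. us-west-2:xxxxxxxx-xxxx-...

Resources:
  # Default role for authenticated identities. Any role named in the token's
  # cognito:preferred_role / cognito:roles claims needs the same trust policy,
  # otherwise Cognito Identity cannot hand out credentials for it.
  CognitoAuthRoleWithIdentity:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              # Only this identity pool, and only authenticated identities.
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPoolId
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated

  IdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        authenticated: !GetAtt CognitoAuthRoleWithIdentity.Arn
      RoleMappings:
        # The map key is an arbitrary label (assumed name); the provider
        # identifier lives in IdentityProvider, where intrinsic functions work.
        UserPoolMapping:
          IdentityProvider: !Sub "cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}:${UserPoolClientId}"
          # Token = "Choose role from token" in the console.
          Type: Token
          # Deny: a token that names no role yields no credentials at all,
          # instead of silently falling back to the default authenticated role.
          AmbiguousRoleResolution: Deny
```

Switch `AmbiguousRoleResolution` to `AuthenticatedRole` (as in the question) only if every user without a role claim should receive the default authenticated role.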