Amc_rtty

Reputation: 3813

Error: "Conditions must be prefaced by a vendor." on creating Role in AWS CDK

I am getting an error of "Conditions must be prefaced by a vendor." when trying to use the AWS CDK to create a new role.

export const configureIAMRole = (scope: Construct) => {
  const roleAction = 'sts:AssumeRoleWithWebIdentity';
  const iamRole = new Role(scope, 'IAMRole', {
    assumedBy: new FederatedPrincipal(
      'cognito-identity.amazonaws.com',
      {
        StringEquals: { 'cognito-identity.amazonaws.com': identityPool.ref },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
      },
      roleAction
    ),
  });
  return iamRole;
};

There are docs here which I tried to follow to add the vendor prefix e.g. "aws:StringEquals". That resulted in other errors e.g. invalid syntax.

The intention is to use Cognito for auth: user and pass, plus federated identities, e.g. Google. Thanks in advance for hints.

Upvotes: 2

Views: 4676

Answers (1)

Max Schenkelberg

Reputation: 855

Here is an example IAM role app with an identity pool:

https://github.com/cloudshiftstrategies/aws-cdk-examples/blob/master/iam-role-typescript-app

Looks like you forgot to add :aud to the end of 'cognito-identity.amazonaws.com' in the StringEquals. Should be

'cognito-identity.amazonaws.com:aud': identityPool.ref

Upvotes: 4
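
The check below is an added example, not code from the question or the answer: a small TypeScript linter over the trust statement this role renders, flagging a condition key that lacks the `vendor:name` form and a missing `cognito-identity.amazonaws.com:aud` match. The names `lintCognitoTrust` and `trustStatement` are hypothetical, and the pool ID is a constructed placeholder standing in for `identityPool.ref`.

```typescript
// Added example, not from the original thread. The rules encode this thread's fix.
type ConditionBlock = Record<string, Record<string, string | string[]>>;
interface TrustStatement {
  Effect: string; Action: string;
  Principal: { Federated: string };
  Condition?: ConditionBlock;
}
const COGNITO = 'cognito-identity.amazonaws.com';
// Constructed placeholder for identityPool.ref; not a real pool ID.
const SAMPLE_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';

// Returns findings; an empty array means the statement passed all three checks.
function lintCognitoTrust(stmt: TrustStatement): string[] {
  const findings: string[] = [];
  const cond: ConditionBlock = stmt.Condition ?? {};
  // 1. Every condition key must look like "vendor:name" (the error in the question).
  for (const operator of Object.keys(cond)) {
    for (const key of Object.keys(cond[operator] ?? {})) {
      const sep = key.indexOf(':');
      if (sep <= 0 || sep === key.length - 1) {
        findings.push(`${operator}: key "${key}" is not of the form "vendor:name"`);
      }
    }
  }
  // 2. An exact match on :aud pins the role to one identity pool.
  if (cond['StringEquals']?.[`${COGNITO}:aud`] === undefined) {
    findings.push(`StringEquals on "${COGNITO}:aud" is missing; no identity pool is pinned`);
  }
  // 3. The :amr condition limits the role to authenticated identities.
  if (cond['ForAnyValue:StringLike']?.[`${COGNITO}:amr`] === undefined) {
    findings.push(`ForAnyValue:StringLike on "${COGNITO}:amr" is missing`);
  }
  return findings;
}

// Builds the trust statement for the role above, given the StringEquals key to use.
function trustStatement(audKey: string): TrustStatement {
  return {
    Effect: 'Allow', Action: 'sts:AssumeRoleWithWebIdentity',
    Principal: { Federated: COGNITO },
    Condition: {
      StringEquals: { [audKey]: SAMPLE_POOL_ID },
      'ForAnyValue:StringLike': { [`${COGNITO}:amr`]: 'authenticated' },
    },
  };
}

const asPosted = lintCognitoTrust(trustStatement(COGNITO));           // question's key
const corrected = lintCognitoTrust(trustStatement(`${COGNITO}:aud`)); // answer's key
console.log({ asPosted, corrected });
```

Running the same function over the synthesized template's `AssumeRolePolicyDocument` statements in a unit test catches the malformed key before deployment.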
