1. 技术文章
  2. Can I setup AWS Cognito User Pool Identity Providers with Cloudformation?

Can I setup AWS Cognito User Pool Identity Providers with Cloudformation?

笑着哭i 提交于 2019-12-03 12:21:20

问题


I want to setup a cognito user pool and configure my google identity provider automatically with a cloudformation yml file.

I checked all the documentation but could not find anything even close to doing this. Any idea on how to do it?


回答1:


It seems a lot of Cognito details are not supported within Cloudformation as of right now, but there are ways to achieve what you want after the stack spins up, e.g. using Lambdas.

See the following answers:

Cannot set a property of cognito userpool client via cloudformation

Cloudformation Cognito - how to setup App Client Settings, Domain, and Federated Identities via SAM template




回答2:


What worked for me is something like:

CognitoUserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties: 
    ProviderName: Google
    AttributeMapping:
      email: emailAddress
    ProviderDetails:
      client_id: <yourclientid>.apps.googleusercontent.com
      client_secret: <yourclientsecret>
      authorize_scopes: email openid
    ProviderType: Google
    UserPoolId: 
      Ref: CognitoUserPool



回答3:


You can achieve this using Lambda function as custom Cloudformation resources. I have made custom resources to allow creation of user pool domain, client settings and Identity providers on this repo

You will have somethings like this for creating identity provider, for example Facebook

FacebookIdp:
  Type: 'Custom::${self:service}-${self:provider.stage}-CUPIdentityProvider'
  DependsOn:
    - CFNSendResponseLambdaFunction
    - CUPIdentityProviderLambdaFunction
  Properties:
    ServiceToken:
      Fn::GetAtt: [CUPIdentityProviderLambdaFunction, Arn]
    UserPoolId:
      Ref: AppUserPool
    ProviderName: Facebook
    ProviderType: Facebook
    Client_id: 'YourFacebookAppID'
    Client_secret: 'YourFacebookAppSecert'
    Authorize_scopes: 'public_profile,email'

And then enable that identity provider on the user pool client settings

AppUserPoolClientSettings:
  Type: 'Custom::${self:service}-${self:provider.stage}-CUPClientSettings'
  DependsOn:
    - CFNSendResponseLambdaFunction
    - CUPClientSettingsLambdaFunction
    - FacebookIdp
  Properties:
    ServiceToken:
      Fn::GetAtt: [ CUPClientSettingsLambdaFunction, Arn]
    UserPoolId: 
      Ref: AppUserPool
    UserPoolClientId: 
      Ref: AppUserPoolClient
    SupportedIdentityProviders:
      - COGNITO
      - Facebook
    CallbackURL: 'https://www.yourdomain.com/callback' ##Replace this with your app callback url
    LogoutURL: 'https://www.yourdomain.com/logout' ##Replace this with your app logout url
    AllowedOAuthFlowsUserPoolClient: true
    AllowedOAuthFlows:
      - code
    AllowedOAuthScopes:
      - openid

Note that this repo is built using Serverless framework, if you wish to build this with pure cloudformation stacks, use the code on file CUPIdentityProvider.js to make your own custom resource.




回答4:


Using a generic custom resource provider, you can create all the resource CFN doesn't support.

The example given here specifically creates and configures Cognito for Google SAML auth.

It should be easy enough to change it to use Google oAuth instead of SAML by changing the parameters passed to the custom resource handler, for example.

  UserPoolIdentityProvider:
    Type: 'Custom::CognitoUserPoolIdentityProvider'
    Condition: HasMetadata
    DependsOn: UserPool
    Properties:
      ServiceToken: !Sub '${CustomResourceLambdaArn}'
      AgentService: cognito-idp
      AgentType: client
      # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html#CognitoIdentityProvider.Client.create_user_pool_domain
      AgentCreateMethod: create_identity_provider
      AgentUpdateMethod: update_identity_provider
      AgentDeleteMethod: delete_identity_provider
      AgentResourceId: ProviderName
      AgentCreateArgs:
        UserPoolId: !Sub '${UserPool}'
        ProviderName: google-provider
        AttributeMapping:
          email: emailAddress
        ProviderDetails:
          google_app_id: some_value
          google_app_secret: some_value
          google_authorize_scope: some_value
        ProviderType: Google
      AgentUpdateArgs:
        UserPoolId: !Sub '${UserPool}'
        ProviderName: google-provider
        AttributeMapping:
          email: emailAddress
        ProviderDetails:
          google_app_id: some_value
          google_app_secret: some_value
          google_authorize_scope: some_value
        ProviderType: Google
      AgentDeleteArgs:
        UserPoolId: !Sub '${UserPool}'
        ProviderName: google-provider

you'll need to create a test provider in the console to get the correct names for parameters under ProviderDetails, namely Google app ID, App secret and Authorize scope. Also the AttributeMapping might need to be set to something else.



来源:https://stackoverflow.com/questions/49395669/can-i-setup-aws-cognito-user-pool-identity-providers-with-cloudformation

标签
amazon-web-services
amazon-cloudformation
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!