AWS CloudFormation cannot create stack when AWS::Cognito::IdentityPoolRoleAttachment resource has RoleMappings attribute
By : Chloe Chao
Date : November 28 2020, 08:01 AM
I've got the same issue, and unfortunately, as far as I could see, RoleMappings are not supported yet in CloudFormation, so we will always catch this 'Internal Failure'. But there are some workarounds that you can do to solve your problem. In my case I've used the boto3 library to invoke IdentityPool updates inside a Lambda function, and I've used the Serverless Framework, but the same purpose could be achieved with SAM or another CloudFormation stack framework. So, I did these steps using 2 separate stacks:
Create the first stack including all your Cognito resources (UserPool, UserPoolClient, IdentityPool) and the IAM roles that you will assign to them, and in the Outputs section export the necessary IDs and ARNs of your resources to be used in the next stack.
code :

service: cognito-template

provider:
  name: aws
  stage: dev
  region: us-east-1
  stackName: cognito-template-${self:provider.stage}-resources

custom:
  system:
    name: myapp
    cognitoclientname: MyAppClient

resources:
  Resources:
    # ## ## ## ## ## ## ## ## ## ## ## ## ## Cognito UserPool (user definition) ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## # 
    UserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:custom.system.name}userpool
        AdminCreateUserConfig: 
          AllowAdminCreateUserOnly: True
          UnusedAccountValidityDays: 30
        EmailVerificationMessage: Clique no link abaixo para verificar seu endereço de e-mail. {####}
        EmailVerificationSubject: Seu link de verificação
        MfaConfiguration: OFF
        Policies: 
          PasswordPolicy:
            MinimumLength: 8
            RequireLowercase: false
            RequireNumbers: false
            RequireSymbols: false
            RequireUppercase: false
        Schema: 
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: name
            Required: true
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: family_name
            Required: true
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: email
            Required: true
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: phone_number
            Required: true
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: gender
            Required: true
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: permission
            Required: false
        UsernameAttributes: 
          - email
          - phone_number
    # ## ## ## ## ## ## ## ## ## ## ## ## ## Client Cognito ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## # 
    AppUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
          ClientName: ${self:custom.system.cognitoclientname}
          ExplicitAuthFlows: 
            - ADMIN_NO_SRP_AUTH
            - USER_PASSWORD_AUTH
          GenerateSecret: false
          RefreshTokenValidity: 1
          UserPoolId: !Ref UserPool
    # ## ## ## ## ## ## ## ## ## ## ## ## ## Cognito Identity Provider ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## # 
    AppIdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        IdentityPoolName: ${self:custom.system.name}identitypool
        AllowUnauthenticatedIdentities: false
        CognitoIdentityProviders: 
          - ClientId: !Ref AppUserPoolClient
            ProviderName: !GetAtt UserPool.ProviderName
    AppIdentitiesRolesAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      DependsOn:
        - AppIdentityPool
        - CognitoAuthorizedRole
        - CognitoUnAuthorizedRole
      Properties:
        IdentityPoolId: !Ref AppIdentityPool
        Roles: 
          authenticated: !GetAtt CognitoAuthorizedRole.Arn
          unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn
    CognitoAuthorizedRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Federated: "cognito-identity.amazonaws.com"
              Action: 
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud": !Ref AppIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAuthorizedPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                    - "cognito-identity:*"
                  Resource: "*"
                - Effect: "Allow"
                  Action:
                    - "lambda:InvokeFunction"
                  Resource: "*"
    CognitoUnAuthorizedRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Federated: "cognito-identity.amazonaws.com"
              Action: 
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud": !Ref AppIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": unauthenticated
        Policies:
          - PolicyName: "CognitoUnauthorizedPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                  Resource: "*"
    AdministradorRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Federated: "cognito-identity.amazonaws.com"
              Action: 
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud": !Ref AppIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAdministradorPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                  Resource: "*"
    GerenciadorRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Federated: "cognito-identity.amazonaws.com"
              Action: 
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals: 
                  "cognito-identity.amazonaws.com:aud": !Ref AppIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAdministradorPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                  Resource: "*"
                - Effect: "Allow"
                  Action:
                    - "s3:GetObject"
                    - "s3:PutObject"
                  Resource: 
                    - "arn:aws:s3:::${self:custom.system.name}/public/*"
    # ## ## ## ## ## ## ## ## ## ## ## ## ## IAM permissions for the Lambda script that updates the IdentityPool role mappings ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #
    MigrationScriptRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal: 
                Service: 
                  - lambda.amazonaws.com
              Action: 
                - "sts:AssumeRole"
        Policies:
          - PolicyName: "MigrationScriptPolicy"
            PolicyDocument: 
              Version: "2012-10-17"
              Statement: 
                - Effect: "Allow"
                  Action: 
                    - "cognito-idp:*"
                    - "cognito-identity:*"
                    - "iam:*"
                  Resource: "*"
  Outputs:
    UserPoolId:
      Value: !Ref UserPool
      Export:
        Name: "UserPool::Id"
    UserPoolArn:
      Value: !GetAtt UserPool.Arn
      Export:
        Name: "UserPool::Arn"
    UserPoolClientId:
      Value: !Ref AppUserPoolClient
      Export:
        Name: "AppUserPoolClient::Id"
    AppIdentityPoolId:
      Value: !Ref AppIdentityPool
      Export:
        Name: "AppIdentityPool::Id"
    AdministradorRoleArn:
      Value: !GetAtt AdministradorRole.Arn
      Export:
        Name: "AdministradorRole::Arn"
    GerenciadorRoleArn:
      Value: !GetAtt GerenciadorRole.Arn
      Export:
        Name: "GerenciadorRole::Arn"
    MigrationScriptRoleArn:
      Value: !GetAtt MigrationScriptRole.Arn
      Export:
        Name: "MigrationScriptRole::Arn"

service: cognito-template

provider:
  name: aws
  stage: dev
  region: us-east-1
  stackName: cognito-template-${self:provider.stage}-functions

functions:
  migration-script:
    handler: lambda_function.handler
    runtime: python3.6
    role: 
      Fn::ImportValue: !Sub MigrationScriptRole::Arn
    environment:
      USER_POOL_REGION: us-east-1 # change this to your preferred region if you want
      USER_POOL_ID: 
        Fn::ImportValue: !Sub UserPool::Id
      USER_POOL_CLIENT_ID:
        Fn::ImportValue: !Sub AppUserPoolClient::Id
      IDENTITY_POOL_ID:
        Fn::ImportValue: !Sub AppIdentityPool::Id
      ADMINISTRADOR_ROLE_ARN:
        Fn::ImportValue: !Sub AdministradorRole::Arn
      GERENCIADOR_ROLE_ARN:
        Fn::ImportValue: !Sub GerenciadorRole::Arn

import os

import boto3


def handler(event, context):
    setup_cognito()
    return event


def setup_cognito():
    define_cognito_attributes()
    create_cognito_identity_roles()


def create_cognito_identity_roles():
    user_pool_region = os.environ['USER_POOL_REGION']
    user_pool_id = os.environ['USER_POOL_ID']
    user_pool_client_id = os.environ['USER_POOL_CLIENT_ID']
    identity_pool_id = os.environ['IDENTITY_POOL_ID']
    administrador_role = os.environ['ADMINISTRADOR_ROLE_ARN']
    gerenciador_role = os.environ['GERENCIADOR_ROLE_ARN']

    client_identity = boto3.client('cognito-identity')

    # Read the current role configuration so the existing authenticated /
    # unauthenticated Roles are preserved when the RoleMappings are written.
    response = client_identity.get_identity_pool_roles(IdentityPoolId=identity_pool_id)

    # Provider key format expected by RoleMappings: cognito-idp.<region>.amazonaws.com/<user pool id>:<client id>
    identity_provider = "cognito-idp.{}.amazonaws.com/{}:{}".format(
        user_pool_region, user_pool_id, user_pool_client_id)

    options = {
        'IdentityPoolId': response['IdentityPoolId'],
        'Roles': response['Roles'],
        'RoleMappings': {
            identity_provider: {
                'Type': 'Rules',
                'AmbiguousRoleResolution': 'AuthenticatedRole',
                'RulesConfiguration': {
                    'Rules': [
                        {
                            'Claim': 'custom:permission',
                            'MatchType': 'Equals',
                            'Value': 'ADMINISTRADOR',  # spelling aligned with AdministradorRole
                            'RoleARN': administrador_role
                        },
                        {
                            'Claim': 'custom:permission',
                            'MatchType': 'Equals',
                            'Value': 'GERENCIADOR',
                            'RoleARN': gerenciador_role
                        }
                    ]
                }
            }
        }
    }

    client_identity.set_identity_pool_roles(
        IdentityPoolId=options['IdentityPoolId'],
        Roles=options['Roles'],
        RoleMappings=options['RoleMappings'])


def define_cognito_attributes():
    user_pool_id = os.environ['USER_POOL_ID']
    user_pool_client_id = os.environ['USER_POOL_CLIENT_ID']

    client = boto3.client('cognito-idp')

    # Note: 'custom:permission' is the claim the role mapping rules key on.
    # Listing it in WriteAttributes lets an end user update that claim with
    # their own access token and so select their own role; restrict this in
    # production (e.g. keep the attribute out of the client's write set).
    client.update_user_pool_client(
        UserPoolId=user_pool_id,
        ClientId=user_pool_client_id,
        WriteAttributes=[
            'custom:permission',
            'phone_number',
            'email',
            'name',
            'family_name',
            'gender'
        ]
    )
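As an added review check that is not part of this answer: the rule-based mapping above falls back to the authenticated role for any user no rule matches, and the Lambda also lets the app client write custom:permission, the very claim the rules key on. The audit below runs over a constructed sample shaped like the get_identity_pool_roles() response (all IDs and ARNs are placeholders) and flags both conditions so they can be reviewed before deployment.

```python
# Constructed sample, shaped like the response of boto3's
# cognito-identity get_identity_pool_roles(); IDs and ARNs are placeholders.
SAMPLE_ROLES = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "Roles": {
        "authenticated": "arn:aws:iam::123456789012:role/CognitoAuthorizedRole",
        "unauthenticated": "arn:aws:iam::123456789012:role/CognitoUnAuthorizedRole",
    },
    "RoleMappings": {
        "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE:exampleclientid": {
            "Type": "Rules",
            "AmbiguousRoleResolution": "AuthenticatedRole",
            "RulesConfiguration": {"Rules": [
                {"Claim": "custom:permission", "MatchType": "Equals",
                 "Value": "ADMINISTRADOR",
                 "RoleARN": "arn:aws:iam::123456789012:role/AdministradorRole"},
                {"Claim": "custom:permission", "MatchType": "Equals",
                 "Value": "GERENCIADOR",
                 "RoleARN": "arn:aws:iam::123456789012:role/GerenciadorRole"},
            ]},
        }
    },
}

# Attributes the app client lets end users write (constructed to match the
# WriteAttributes list in the Lambda's update_user_pool_client call).
SAMPLE_WRITE_ATTRIBUTES = ["custom:permission", "phone_number", "email",
                           "name", "family_name", "gender"]


def audit_role_mappings(roles, write_attributes):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for provider, mapping in roles.get("RoleMappings", {}).items():
        if mapping.get("Type") != "Rules":
            continue  # Token mappings carry no rules to inspect
        resolution = mapping.get("AmbiguousRoleResolution")
        # Falling back to the authenticated role when no rule matches hands every
        # signed-in user that role; 'Deny' keeps unmatched users out.
        if resolution != "Deny":
            findings.append(f"{provider}: AmbiguousRoleResolution is {resolution}, not Deny")
        for rule in mapping.get("RulesConfiguration", {}).get("Rules", []):
            claim = rule["Claim"]
            # A user-writable claim lets the user choose their own role mapping.
            if claim in write_attributes:
                findings.append(f"{provider}: rule on claim '{claim}' is user-writable "
                                f"via the app client (maps to {rule['RoleARN']})")
    return findings
```

The same function can be fed a live response from get_identity_pool_roles() together with the client's WriteAttributes from describe_user_pool_client().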




Not able to update CloudFormation stack when having AWS SNS:Topic Resource


By : John Galenski
Date : March 29 2020, 07:55 AM
I believe the error message 'Update to resource type AWS::SNS::Topic is not supported' is not complaining about your permissions, but about the limitations of CloudFormation templates for SNS Topics.
The documentation for SNS resource templates states the following:
IdentityPoolRoleAttachment Resource cannot be updated


By : Phil Holladay
Date : March 29 2020, 07:55 AM
Answering the question myself.
According to their support, the root cause is that modifying the role attachment is not supported by CloudFormation.
Updating a CloudFormation stack with a Cognito pool claims that we're adding attributes when we're not


By : George
Date : March 29 2020, 07:55 AM
Mostly by luck, I've found an answer that allows me to get around this in an automated manner.
How our scripts used to work
code :
cognitoSetup.template  --> <Serverless Framework> --> <cognitoSetup.template updated with triggers>
   "CognitoUserPool": {
     "Type": "AWS::Cognito::UserPool"
     ...
     "Properties": {
     ...
     "LambdaConfig": {
        "CustomMessage": "arn:aws:lambda:<our aws region>:<our account#>:function:main-<our stage>-onCognitoCustomMessage"
      }
    }
cognitoSetup.template  --> <Serverless Framework>
AWS CloudFormation - how to DependsOn resource from another nested stack


By : user3195509
Date : March 29 2020, 07:55 AM
You don't really need to use DependsOn for your specific scenario, and I think this attribute doesn't even support referring to resources outside of the stack. The reason is that in order to reference a value in a nested stack, it needs to be passed in from the Output attributes of another stack. And just passing an Output parameter to a nested stack makes this stack dependent on the other nested stack it was exported from, and that alone achieves your goal.
Taking your code,
code :
Parameters:

  MasterDB:
    Description: Make this stack dependent on RDS resource
    Type: String
How to determine what CloudFormation stack an AWS resource belongs to?


By : Riza Chan
Date : March 29 2020, 07:55 AM
You can pass the PhysicalResourceId of a resource to describe_stack_resources and get the stack information if it belongs to a CF stack. To find an EC2 host for example