aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

Cognito Identity Pool Attributes for access control #15716

Closed rchristopher closed 3 years ago

rchristopher commented 3 years ago

General Issue

I have a Cognito Identity Pool created with the CfnIdentityPool object, I've attached a Cognito authentication provider to it, and using the CfnIdentityPoolRoleAttachment object I've set role selection to "Token". This all works when deploying the stack.

I seem to be unable to set the "Attributes for access control" custom mappings key-value pairs for the Cognito authentication provider. They can be set from the console, however every time I update the stack these console changes are lost.

Is there a way to set these values using either the CFN objects or the CDK objects for Cognito identity pools?

Other information

Working Java CDK code to create the identity pool from a CloudFormation stack

import java.util.Arrays;
import java.util.Map;

import software.amazon.awscdk.services.cognito.CfnIdentityPool;
import software.amazon.awscdk.services.cognito.CfnIdentityPoolRoleAttachment;

// Identity pool whose only provider is the user pool. serverSideTokenCheck(true) makes
// Cognito validate each token against the user pool on every credential request, so a
// user disabled or deleted in the user pool stops receiving AWS credentials immediately.
this.identityPool = CfnIdentityPool.Builder.create(this, "IDPool")
        .identityPoolName("test_identity_pool")
        .allowUnauthenticatedIdentities(false)
        .allowClassicFlow(false)
        .cognitoIdentityProviders(Arrays.asList(
                CfnIdentityPool.CognitoIdentityProviderProperty.builder()
                        .providerName(this.userPool.getUserPoolProviderName())
                        .clientId(this.userPoolClient.getUserPoolClientId())
                        .serverSideTokenCheck(true)
                        .build()
        ))
        .build();

// Role selection from the token's cognito:roles / cognito:preferred_role claims.
// roles() is empty, so there is no fallback authenticated role, and ambiguous claims
// are denied rather than resolved to a default.
CfnIdentityPoolRoleAttachment roleAttachment = CfnIdentityPoolRoleAttachment.Builder.create(this, "IDRoleAttachment")
        .identityPoolId(identityPool.getRef())
        .roles(Map.of())
        .roleMappings(Map.of("TokenId1",
                CfnIdentityPoolRoleAttachment.RoleMappingProperty.builder()
                        .type("Token")
                        .ambiguousRoleResolution("Deny")
                        // "cognito-idp.<region>.amazonaws.com/<pool-id>:<client-id>"; the
                        // provider name already carries the region, so it is not hard-coded.
                        .identityProvider(this.userPool.getUserPoolProviderName() + ":" + this.userPoolClient.getUserPoolClientId())
                        .build()))
        .build();

nija-at commented 3 years ago

Hi @rchristopher

I seem to be unable to set the "Attributes for access control" custom mappings key-value pairs for the Cognito authentication provider

What exactly do you mean by this statement? You could mean, (a) able to configure them in the CDK but not present in the template, or (b) present in the template but not set in the identity pool that you view in the console, or (c) not available to configure in the CDK.

Which one of these do you mean?

(a) is the only one that the CDK team would be responsible for. For (b), you will need to reach out to the Cognito service team to see why properties in CloudFormation are not reflected in the service. For (c), you will need to reach out to the Cognito service team asking them to provide a way to configure these via CloudFormation resource types.

rchristopher commented 3 years ago

Hi @nija-at,

Thanks for your response. I believe that (c) is correct. It seems that those options are not available to configure from the cloudformation resource types. I will reach out to the Cognito service team.

nija-at commented 3 years ago

Thanks. Closing this issue.

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

misha-erm commented 5 months ago

@rchristopher hello, did you find how to configure "Attributes for access control" from aws-cdk? Thanks in advance for any tips

JakeStoeffler commented 2 months ago

For those looking to do this, there is an example here: https://github.com/aws-samples/amazon-cognito-abac-authorization-with-react-example/blob/main/lib/cognito_identity_pool_sample-stack.ts
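Added example, not code from this issue or from the aws-cdk project: after this issue was closed, CloudFormation gained the AWS::Cognito::IdentityPoolPrincipalTag resource, which the CDK exposes as the CfnIdentityPoolPrincipalTag L1 construct. The stack below rebuilds the identity pool from the question, attaches the "Attributes for access control" mapping through that resource so a stack update no longer wipes console-set values, and wires the IAM side that has to accompany it: a trust policy that permits sts:TagSession, and a permission policy that uses the resulting session tag. It assumes a CDK v2 release (aws-cdk-lib) that includes CfnIdentityPoolPrincipalTag; the custom attributes department and tenant_id, the tag keys, and the bucket name example-tenant-data are hypothetical. The mapping direction assumed here is session-tag key on the left and ID-token claim on the right, as in the SetPrincipalTagAttributeMap API.

```java
package com.example;

import java.util.List;
import java.util.Map;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.cognito.CfnIdentityPool;
import software.amazon.awscdk.services.cognito.CfnIdentityPoolPrincipalTag;
import software.amazon.awscdk.services.cognito.CfnIdentityPoolRoleAttachment;
import software.amazon.awscdk.services.cognito.StringAttribute;
import software.amazon.awscdk.services.cognito.UserPool;
import software.amazon.awscdk.services.cognito.UserPoolClient;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.FederatedPrincipal;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.iam.Role;
import software.constructs.Construct;

public class AbacIdentityPoolStack extends Stack {
    public AbacIdentityPoolStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // Hypothetical custom attributes that will be surfaced as session tags.
        UserPool userPool = UserPool.Builder.create(this, "UserPool")
                .customAttributes(Map.of(
                        "department", StringAttribute.Builder.create().mutable(true).build(),
                        "tenant_id", StringAttribute.Builder.create().mutable(false).build()))
                .build();
        UserPoolClient client = userPool.addClient("AppClient");

        CfnIdentityPool identityPool = CfnIdentityPool.Builder.create(this, "IDPool")
                .allowUnauthenticatedIdentities(false)
                .allowClassicFlow(false)
                .cognitoIdentityProviders(List.of(
                        CfnIdentityPool.CognitoIdentityProviderProperty.builder()
                                .providerName(userPool.getUserPoolProviderName())
                                .clientId(client.getUserPoolClientId())
                                .serverSideTokenCheck(true)
                                .build()))
                .build();

        // "Attributes for access control": key = session tag key, value = ID-token claim
        // (assumed direction; see lead-in). useDefaults(false) because the map is explicit.
        CfnIdentityPoolPrincipalTag.Builder.create(this, "PrincipalTags")
                .identityPoolId(identityPool.getRef())
                .identityProviderName(userPool.getUserPoolProviderName())
                .useDefaults(false)
                .principalTags(Map.of(
                        "department", "custom:department",
                        "tenant", "custom:tenant_id"))
                .build();

        // Trust only identities from this pool that authenticated (not guests).
        Map<String, Object> trustConditions = Map.of(
                "StringEquals", Map.of("cognito-identity.amazonaws.com:aud", identityPool.getRef()),
                "ForAnyValue:StringLike", Map.of("cognito-identity.amazonaws.com:amr", "authenticated"));

        Role authRole = Role.Builder.create(this, "AuthenticatedRole")
                .assumedBy(new FederatedPrincipal("cognito-identity.amazonaws.com",
                        trustConditions, "sts:AssumeRoleWithWebIdentity"))
                .build();

        // Session tags are only applied when the trust policy also allows sts:TagSession;
        // without this statement AssumeRoleWithWebIdentity fails once tags are mapped.
        authRole.getAssumeRolePolicy().addStatements(PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of("sts:TagSession"))
                .principals(List.of(new FederatedPrincipal("cognito-identity.amazonaws.com",
                        trustConditions, "sts:TagSession")))
                .build());

        // Permission policy keyed on the tag: each tenant can only read its own prefix.
        // ${aws:PrincipalTag/...} is an IAM variable, not a CDK token, and passes through as-is.
        authRole.addToPolicy(PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of("s3:GetObject"))
                .resources(List.of("arn:aws:s3:::example-tenant-data/${aws:PrincipalTag/tenant}/*"))
                .build());

        CfnIdentityPoolRoleAttachment.Builder.create(this, "IDRoleAttachment")
                .identityPoolId(identityPool.getRef())
                .roles(Map.of("authenticated", authRole.getRoleArn()))
                .roleMappings(Map.of("UserPoolMapping",
                        CfnIdentityPoolRoleAttachment.RoleMappingProperty.builder()
                                .type("Token")
                                .ambiguousRoleResolution("Deny")
                                .identityProvider(userPool.getUserPoolProviderName() + ":" + client.getUserPoolClientId())
                                .build()))
                .build();
    }
}
```

Two things to check after deploying: the claims named in principalTags must be present in the ID token the client exchanges with the identity pool (custom attributes have to be readable by the app client), and a role whose trust policy lacks sts:TagSession will reject the exchange as soon as a mapping exists, which is the failure mode that surfaces first when this is retrofitted onto an existing pool.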