search

aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.71k stars 3.93k forks source link

[Cognito] Support Authenticated role selection for identity pool #21398

Open vumdao opened 2 years ago

vumdao commented 2 years ago

Describe the feature

We should have method/option for setting the Identity Pool at Authentication providers for 'Choose Role from Token' instead of the default 'Use default role' (as per attached screen shot).

image

Use Case

For AWS opensearch, I want to seperate IAM role at Configure domain level access policy which includes Dev role and admin Role. Using AWS congition for opensearch authentication we need to update Authentication providers and choose option Choose Role from Token for combining Cognito user group. It means If no roles are specified in the token, the role resolution will be invoked. By default, it will fall back to the default role specified for this Identity Pool. You can also choose to DENY the request.

Proposed Solution

I'm using @aws-cdk/aws-cognito-identitypool-alpha and hope this construct supports the feature

Other Information

No response

Acknowledgements

CDK version used

2.34.2

Environment details (OS name and version, etc.)

Ubuntu 20.04

corymhall commented 2 years ago

@vumdao you should be able to do this by setting useToken to true

new IdentityPool(this, 'IP', {
    roleMappings: [{
    useToken: true,
    providerUrl: IdentityPoolProviderUrl.custom(''),
    }],
});
vumdao commented 2 years ago

@corymhall I got following error when trying your suggestion

12:01:16 PM | UPDATE_FAILED        | AWS::Cognito::IdentityPoolRoleAttachment | mmbvcs1stag2identi...Attachment69EB5254
Property validation failure: [The property {/RoleMappings/Type} is required]

If we use providerUrl: IdentityPoolProviderUrl.userPool('cognito-idp.my-idp-region.amazonaws.com/my-idp-region_abcdefghi:app_client_id'), then how can we get the app_client_id which is created by opensearch as we just provide it the userPoolId

      cognitoDashboardsAuth: {
        identityPoolId: identityPool.identityPoolId,
        userPoolId: props.cognitoUserPool.userPoolId,
        role: cognitoOpensearchRole
      },
corymhall commented 2 years ago

@vumdao ok I see. So opensearch will automatically create an app client for you (there is no way to create one for opensearch to use) and this id is needed when configuring the role mapping in the identity pool. Since the app client id is not something that is returned by the opensearch CFN resource it looks like the only thing we could do is to use a CFN custom resource to retrieve the app client id.