hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cognito Identity Pool - Authentication Providers - Authenticated role selection missing #6558

Open ghost opened 5 years ago

ghost commented 5 years ago

This issue was originally opened by @Alexis2000 as hashicorp/terraform#19438. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.11.10
provider.aws v1.45.0

Terraform Configuration Files

resource "aws_cognito_identity_pool" "some_identity_pool" {
  identity_pool_name = "Some Identity Pool"
  allow_unauthenticated_identities = false

  cognito_identity_providers {
    client_id               = "${aws_cognito_user_pool_client.app-client.id}"
    provider_name           = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.some-user-pool.id}"
    server_side_token_check = true
  }
}

Expected Behaviour

I have to be able to set configuration options for Authenticated Role selection and in particular the settings for 'Choose role from token' and within that 'use default authentication role'.

Actual Behaviour

I can only define the user-pool-id and client-id and server_side_token_check here. The 'Choose role from token' and within that 'use default authentication role' seem to be entirely absent. These options are given to me in the AWS console but not in Terraform.

Alexis2000 commented 5 years ago

I've spent some more time on this and figured out that it can be configured within the aws_cognito_identity_pool_roles_attachment. Below is an example:

resource "aws_cognito_identity_pool_roles_attachment" "aws_cognito_identity_pool_roles_attachment" {
  identity_pool_id = "${aws_cognito_identity_pool.your_identity_pool.id}"
  role_mapping {
    identity_provider = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.your-user-pool.id}:${aws_cognito_user_pool_client.your_app_client.id}"
    type = "Token"
    ambiguous_role_resolution = "Deny"
  }

  roles {
    "authenticated"   = "${aws_iam_role.your_cognito_authenticated.arn}"
  }
}

This can be closed I guess but it would be nice to add this and related cases to the Terraform documentation and examples.

r1n9w0rm commented 4 years ago

I believe there's a typo above that will cause Terraform to error out with, "Argument names must be quoted."

Should be:

roles = { "authenticated" = "${aws_iam_role.your_cognito_authenticated.arn}" }

rprieto commented 4 years ago

Thanks for adding this example. I did find it surprising that aws_cognito_identity_pool_roles_attachment requires roles.authenticated to be set. In my case I'm also setting ambiguous_role_resolution = "Deny" and the AWS Console lets me proceed without any authenticated role defined.

debu99 commented 3 years ago

How to set both authenticated and unauthenticated roles?
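
As an added example (not from this thread, the provider docs or the AWS console), assuming Terraform 0.13+ syntax and reusing the resource names from the issue's configuration: the roles attachment from Alexis2000's comment with the roles map written as r1n9w0rm corrected it, both the authenticated and unauthenticated roles debu99 asks about, and a trust policy on each role that is conditioned on this identity pool's id and the matching amr value, so a role cannot be assumed with a token from another pool or from the other identity class.

```hcl
locals {
  # Both Cognito identity classes; each gets its own role (names are assumptions).
  pool_roles = toset(["authenticated", "unauthenticated"])
}

data "aws_iam_policy_document" "trust" {
  for_each = local.pool_roles
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }
    # Only identities from this pool may assume the role (aud = identity pool id).
    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.some_identity_pool.id]
    }
    # Only the matching identity class: the unauthenticated role never
    # accepts an authenticated token and vice versa.
    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = [each.key]
    }
  }
}

resource "aws_iam_role" "cognito" {
  for_each           = local.pool_roles
  name               = "cognito-${each.key}"
  assume_role_policy = data.aws_iam_policy_document.trust[each.key].json
}

resource "aws_cognito_identity_pool_roles_attachment" "main" {
  identity_pool_id = aws_cognito_identity_pool.some_identity_pool.id

  # "Choose role from token": take the role from the user pool token's claims,
  # and deny (rather than fall back to the default role) when it is ambiguous.
  role_mapping {
    identity_provider         = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.some-user-pool.id}:${aws_cognito_user_pool_client.app-client.id}"
    type                      = "Token"
    ambiguous_role_resolution = "Deny"
  }

  # roles is a map argument, so it takes "=" (the typo noted in the thread).
  # The unauthenticated entry is only used if the pool allows unauthenticated identities.
  roles = {
    "authenticated"   = aws_iam_role.cognito["authenticated"].arn
    "unauthenticated" = aws_iam_role.cognito["unauthenticated"].arn
  }
}
```

With allow_unauthenticated_identities = false on the pool as in the issue, the unauthenticated role is attached but never handed out; the aud and amr conditions are what stop another pool's identities from assuming either role.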

PeterBurner commented 2 years ago

I agree with @rprieto:
when ambiguous_role_resolution is set to Deny, the roles property should not be mandatory.

daniloarcidiacono commented 1 year ago

I also agree with @rprieto, roles should not be mandatory when ambiguous_role_resolution is set to Deny.