Open ghost opened 5 years ago
I've spent some more time on this and figured out that it can be configured within the aws_cognito_identity_pool_roles_attachment. Below is an example:

```hcl
resource "aws_cognito_identity_pool_roles_attachment" "aws_cognito_identity_pool_roles_attachment" {
  identity_pool_id = "${aws_cognito_identity_pool.your_identity_pool.id}"

  role_mapping {
    identity_provider         = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.your-user-pool.id}:${aws_cognito_user_pool_client.your_app_client.id}"
    type                      = "Token"
    ambiguous_role_resolution = "Deny"
  }

  roles {
    "authenticated" = "${aws_iam_role.your_cognito_authenticated.arn}"
  }
}
```

This can be closed, I guess, but it would be nice to add this and related cases to the Terraform documentation and examples.
I believe there's a typo above that will cause Terraform to error out with "Argument names must be quoted."

Should be:

```hcl
roles = {
  "authenticated" = "${aws_iam_role.your_cognito_authenticated.arn}"
}
```
Thanks for adding this example. I did find it surprising that aws_cognito_identity_pool_roles_attachment requires roles.authenticated to be set. In my case I'm also setting ambiguous_role_resolution = "Deny", and the AWS Console lets me proceed without any authenticated role defined.
How do you set both authenticated and unauthenticated roles?
I agree with @rprieto: when ambiguous_role_resolution is set to Deny, the roles property should not be mandatory.
I also agree with @rprieto, roles should not be mandatory when ambiguous_role_resolution is set to Deny.
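To answer the "both roles" question and to show where the console's "Choose role from token" and "use default authenticated role" options live in Terraform, here is a complete configuration as an added example. It is not from this thread or from the provider's documentation; it uses Terraform 0.12+ syntax (unquoted references, `roles = {}`), and the resource names, the `us-east-1` region and the role names are assumptions. Alongside the attachment it also adds the trust policies for the two IAM roles, which the thread never shows but which are where the real security boundary is: without the `aud` and `amr` conditions any Cognito identity pool in any account could assume these roles.

```hcl
# Added example, not code from the issue thread. Names and region are assumed.

resource "aws_cognito_user_pool" "example" {
  name = "example-users"
}

resource "aws_cognito_user_pool_client" "example" {
  name         = "example-app"
  user_pool_id = aws_cognito_user_pool.example.id
}

resource "aws_cognito_identity_pool" "example" {
  identity_pool_name               = "example_identities"
  allow_unauthenticated_identities = true

  cognito_identity_providers {
    client_id               = aws_cognito_user_pool_client.example.id
    provider_name           = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.example.id}"
    server_side_token_check = true
  }
}

# Trust policy per role kind. Only tokens minted for THIS identity pool (aud)
# and of the matching kind (amr = authenticated / unauthenticated) may assume
# the role; omitting these conditions lets any identity pool assume it.
data "aws_iam_policy_document" "assume" {
  for_each = toset(["authenticated", "unauthenticated"])

  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.example.id]
    }

    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = [each.key]
    }
  }
}

resource "aws_iam_role" "cognito" {
  for_each           = data.aws_iam_policy_document.assume
  name               = "cognito-${each.key}"
  assume_role_policy = each.value.json
}

resource "aws_cognito_identity_pool_roles_attachment" "example" {
  identity_pool_id = aws_cognito_identity_pool.example.id

  # Default roles. "authenticated" is the fallback Cognito uses when the ID
  # token carries no cognito:roles / cognito:preferred_role claim at all,
  # which is why the provider insists on it even with Deny below.
  roles = {
    "authenticated"   = aws_iam_role.cognito["authenticated"].arn
    "unauthenticated" = aws_iam_role.cognito["unauthenticated"].arn
  }

  # Console: "Choose role from token". The role comes from the token's
  # cognito:roles / cognito:preferred_role claims (set via user pool groups).
  # Deny refuses credentials when the claims are ambiguous (several roles and
  # no preferred role) instead of silently handing out the default role.
  role_mapping {
    identity_provider         = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.example.id}:${aws_cognito_user_pool_client.example.id}"
    type                      = "Token"
    ambiguous_role_resolution = "Deny"
  }
}
```

Two points worth checking after `terraform apply`: `ambiguous_role_resolution = "Deny"` only governs the ambiguous case, so a user in no group still gets the default authenticated role and that role's permissions should be the minimum you are willing to grant any signed-in user; and `server_side_token_check = true` makes Cognito verify the user pool token against the user pool on each credential request, so a user disabled or signed out globally in the user pool stops getting identity pool credentials.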
This issue was originally opened by @Alexis2000 as hashicorp/terraform#19438. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.11.10 provider.aws v1.45.0
Terraform Configuration Files
Expected Behaviour
I have to be able to set configuration options for Authenticated Role selection, in particular the settings for 'Choose role from token' and, within that, 'use default authentication role'.
Actual Behaviour
I can only define the user-pool-id and client-id and server_side_token_check here. The 'Choose role from token' and within that 'use default authentication role' seem to be entirely absent. These options are given to me in the AWS console but not in Terraform.