
get access token for tests #45

Open mjendza opened 2 years ago

mjendza commented 2 years ago

https://stackoverflow.com/questions/55748978/aws-cognito-how-to-get-the-token-for-api-command-line-testing

mjendza commented 2 years ago
# Mint tokens for an existing user pool user straight from the CLI, without the SRP
# handshake. Pool id, client id, username and password below are the placeholder values
# from the Stack Overflow answer linked above; substitute your own.
# NOTE(review): the password is passed as a plain argument, so it ends up in shell history
# and is visible in the process list while the call runs. For CI, read the request from a
# file instead (--cli-input-json file://auth.json, the same mechanism the later commands
# use) and source the secret from an environment variable or secret store.
# NOTE(review): ADMIN_NO_SRP_AUTH is a server-side flow: the caller needs the
# cognito-idp:AdminInitiateAuth IAM permission (use a dedicated test role, not a personal
# admin credential), and the app client must have the ALLOW_ADMIN_USER_PASSWORD_AUTH
# explicit auth flow enabled or Cognito rejects the call.
aws cognito-idp admin-initiate-auth \
  --user-pool-id us-west-2_aaaaaaaaa \
  --client-id 3n4b5urk1ft4fl3mg5e62d9ado \
  --auth-flow ADMIN_NO_SRP_AUTH \
  --auth-parameters USERNAME=jane@example.com,PASSWORD=password
mjendza commented 2 years ago

https://medium.com/@blipchin/life-is-too-short-not-to-test-your-api-served-from-aws-with-postman-713f7018ef8c

# Step 1 of the identity-pool exchange: present the user pool ID token (inside "Logins")
# and receive a Cognito Identity id. The request body is read from get_id.json (shown
# below); the identity id it returns is what the next command needs.
aws cognito-identity get-id --cli-input-json file://get_id.json
{
 "AccountId": "YOUR AWS ACCOUNT ID (it should be numbers only!)",
 "IdentityPoolId": "YOUR IDENTITY POOL ID",
 "Logins": {
 "YOUR IDENTITY POOL PROVIDER NAME": "THIS IS YOUR ID TOKEN KEY just pasted here just like that eyJraWQiOiJ4Y0VBQ1fVDdjQzeHkJcU5uczdrb32Z0TXJ4eWw4NHVGXC9kZm9DTVk0YnpxWT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI3NGI0YzkxYy1lYzViLTRiOWMtOWRmNS03OTdjMjEyZjIwMmIiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYWRkcmVzcyI6eyJmb3JtYXR0ZWQiOiIyIEF2ZSBSkZBMYWZheWV0dGUifSwiYmlydGhkYXRlIjoiMDNcLzA3XC8xOTg3IiwiZ2VuZGVyIjoM2MyZiIsImN1c3RvbTp6aXAiOiIwMjExMSIsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNTcxMDk1NDEyLCJwaG9uZV9udW1iZXIiOiIrMTYxNzg2MDM1MzkiLCJleHAiOjE1NzEwOTkwMTIsImlhdCI6MTU3MTA5NTQxMiwiZmFtaWx5X25hbWUiOiJEZXYiLCJlbWFpbCI6InRlc3QrZGV2X3VzZXIxQGdldGJyaW8uY29tIn0.S50sa8OKWXAsTtFTY6n1OLtAJmV3Qoy4dahBqMLfXE9lOW6Ckn-e79An3Lsioncz2HD6OhACoWTEDpSLvAMLqdCCpxPm5WX-bOVuu_YZ9y4Rf3ZmSFU_LZpyjPtX9IwwFkzumex4UTIR-5lrbZX6bZvZaqsNGGOIRzlEev9GWcmBVD2FzMblMF2Hhha3Ugk4xXKyGhjYEpz-Aoir1Rx5YORCag47IDz-_C2EDNXObaIn9Xkw-NX_3cd0g-aiyv_zSPnISaha3Q49yjTdPVpTdR7dD9PIkBeZxsCgdMjY4HfmhsLjWz9r82E8tFMSNL9yf3m8Fr5mOu7KNFczh5DPUq"
 }
}
# Step 2: trade the identity id from get-id (plus the same ID token) for temporary AWS
# credentials. The request body lives in get_credentials_for_identity.json (shown below).
# NOTE(review): the credentials returned carry whatever the identity pool's authenticated
# role allows (see the IAM role in the CloudFormation snippet further down); treat the
# output like any other AWS secret and keep it out of logs and issue comments.
aws cognito-identity get-credentials-for-identity --cli-input-json file://get_credentials_for_identity.json
{
 "IdentityId": "Your IDENTITY ID that you JUST GOT by running the previous command",
 "Logins": {
 "YOUR IDENTITY POOL PROVIDER NAME": "YOUR SUPER LONG ID TOKEN"
 }
}
mjendza commented 2 years ago
 # NOTE(review): this key is indented one space less than the sibling resources below
 # (MyCognitoUserPoolClient, MyIdentityPool, ...); all keys of one mapping must share
 # the same indent or the template will not parse once pasted into a real file.
 MyCognitoUserPool:
    Type: AWS::Cognito::UserPool
    # The pool's own settings are elided ("...") in this comment, so nothing here shows
    # which sign-in aliases or password policy the test user in the CLI call relies on.
    Properties:
      ...

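  MyCognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref MyCognitoUserPool
      # No client secret: the admin-initiate-auth call above sends only USERNAME and
      # PASSWORD; a client with a secret would additionally require a SECRET_HASH.
      GenerateSecret: false
      # The ADMIN_NO_SRP_AUTH flow used by the CLI command above is not part of a client's
      # default flows (refresh, SRP, custom), so it has to be opted into here. Listing
      # ExplicitAuthFlows replaces the defaults, which is why they are repeated.
      ExplicitAuthFlows:
        - ALLOW_ADMIN_USER_PASSWORD_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_CUSTOM_AUTH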

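  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # NOTE(review): AllowUnauthenticatedIdentities is a required property of this
      # resource and is not shown here. An unauthenticated role is defined further down,
      # so decide explicitly whether guest (anonymous) identities should exist at all.
      CognitoIdentityProviders:
        - ClientId: !Ref MyCognitoUserPoolClient
          # The user pool's issuer name, of the form
          # cognito-idp.<region>.amazonaws.com/<user-pool-id> (constructed example).
          # This is the "YOUR IDENTITY POOL PROVIDER NAME" key in the get_id.json above.
          ProviderName: !GetAtt MyCognitoUserPool.ProviderName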

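  MyIdentityPoolAuthRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Cognito Identity service may assume this role, only on
      # behalf of this identity pool (aud), and only for signed-in identities (amr).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                # aud is matched against the identity pool id, which Ref returns for an
                # AWS::Cognito::IdentityPool. The bucket ARN previously imported here can
                # never equal it, so the condition always failed and the role was unusable.
                cognito-identity.amazonaws.com:aud:
                  - !Ref MyIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - authenticated
      Policies:
        - PolicyName: identity-pool-auth-cognito-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # NOTE(review): wildcard Cognito actions on every resource. The flow in
                # this issue only needs cognito-identity:GetId and
                # cognito-identity:GetCredentialsForIdentity; narrow this unless
                # cognito-sync is really in use.
                Action:
                  - cognito-identity:*
                  - cognito-sync:*
                Resource: '*'
        # Object-level access in the document bucket. The imported value is the bucket
        # ARN, so '${documentBucket}/<prefix>/*' renders as an object ARN pattern.
        - PolicyName: identity-pool-auth-public-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:DeleteObject
                  - s3:GetObject
                  - s3:PutObject
                Resource:
                  - Fn::Sub:
                      - '${documentBucket}/public/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
                  # identitySub is a literal in the Fn::Sub variable map, so CloudFormation
                  # does not expand it; the rendered policy keeps the IAM policy variable
                  # ${cognito-identity.amazonaws.com:sub}, which IAM resolves to the
                  # caller's identity id at request time (one folder per identity).
                  - Fn::Sub:
                      - '${documentBucket}/protected/${identitySub}/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
                        identitySub: '${cognito-identity.amazonaws.com:sub}'
                  - Fn::Sub:
                      - '${documentBucket}/private/${identitySub}/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
                        identitySub: '${cognito-identity.amazonaws.com:sub}'
        - PolicyName: identity-pool-auth-uploads-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - Fn::Sub:
                      - '${documentBucket}/uploads/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-auth-protected-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # Read-only across all identities' protected folders; writes to
                # protected/ are limited to the caller's own folder by the policy above.
                Action:
                  - s3:GetObject
                Resource:
                  - Fn::Sub:
                      - '${documentBucket}/protected/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-auth-list-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                # s3:ListBucket is a bucket-level action, hence the bare bucket ARN; the
                # s3:prefix condition limits listing to public/, protected/ and the
                # caller's own private/ folder.
                Resource: !ImportValue mydevDocumentBucketArn
                Condition:
                  StringLike:
                    s3:prefix:
                      - 'public/'
                      - 'public/*'
                      - 'protected/'
                      - 'protected/*'
                      - 'private/${cognito-identity.amazonaws.com:sub}/'
                      - 'private/${cognito-identity.amazonaws.com:sub}/*'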

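  MyIdentityPoolUnAuthRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy for guest identities: assumable only by Cognito Identity, only for
      # this pool (aud), and only when the identity is unauthenticated (amr).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                # aud must be the identity pool id (Ref returns it); the bucket ARN that
                # was imported here could never match, so the role was never assumable.
                cognito-identity.amazonaws.com:aud:
                  - !Ref MyIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - unauthenticated
      Policies:
        - PolicyName: identity-pool-unauth-sync-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # NOTE(review): cognito-sync:* on every resource for anonymous callers;
                # drop this policy unless Cognito Sync is actually used by guests.
                Action:
                  - cognito-sync:*
                Resource: '*'
        - PolicyName: identity-pool-unauth-public-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # NOTE(review): this lets anyone who can reach the identity pool, with no
                # sign-in, overwrite or delete every object under public/. Consider
                # limiting guests to s3:GetObject here and reviewing whether the
                # anonymous s3:PutObject on uploads/ below is needed.
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource:
                  - Fn::Sub:
                      - '${documentBucket}/public/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-uploads-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - Fn::Sub:
                      - '${documentBucket}/uploads/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-protected-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # protected/ is readable by guests under this layout; confirm that is the
                # intended visibility for everything stored there.
                Action:
                  - s3:GetObject
                Resource:
                  - Fn::Sub:
                      - '${documentBucket}/protected/*'
                      - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-list-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                # s3:ListBucket is evaluated against the bucket ARN itself (as in the
                # authenticated role), not '<bucket>/*'; the object pattern used before
                # never matched, so guests were silently denied listing.
                Resource: !ImportValue mydevDocumentBucketArn
                Condition:
                  StringLike:
                    s3:prefix:
                      - 'public/'
                      - 'public/*'
                      - 'protected/'
                      - 'protected/*'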

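  MyIdentityPoolRoleAtt:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref MyIdentityPool
      # Maps each identity type to the role whose credentials get-credentials-for-identity
      # hands out. The unauthenticated mapping only matters if the pool allows guest
      # identities (AllowUnauthenticatedIdentities on the pool).
      Roles:
        authenticated: !GetAtt MyIdentityPoolAuthRole.Arn
        unauthenticated: !GetAtt MyIdentityPoolUnAuthRole.Arn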