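AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito Stack
Parameters:
  AuthName:
    Type: String
    Description: Unique Auth Name for Cognito Resources
Resources:
  # Creates a role that allows Cognito to send SNS messages.
  # The trust policy carries an sts:ExternalId condition that must match the
  # ExternalId passed in UserPool.SmsConfiguration below; without it any
  # Cognito user pool (not just this one) could assume the role.
  SNSRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Sub ${AuthName}-external
      Policies:
        - PolicyName: "CognitoSNSPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                # SMS is published straight to phone numbers, not to a topic,
                # so there is no narrower resource ARN to scope this to.
                Action: "sns:publish"
                Resource: "*"
  # Creates a user pool in cognito for your app to auth against
  # This example requires MFA and validates the phone number to use as MFA
  # Other fields can be added to the schema
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "ON"
      SmsConfiguration:
        # Must equal the sts:ExternalId value in SNSRole's trust policy
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        # email and phone_number are immutable once set; phone_number is the
        # MFA channel, so it must be verified (see AutoVerifiedAttributes)
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true
        - Name: phone_number
          AttributeDataType: String
          Mutable: false
          Required: true
        # Application-specific attribute; optional (no Required flag)
        - Name: slackId
          AttributeDataType: String
          Mutable: true
  # Creates a User Pool Client to be used by the identity pool
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub ${AuthName}-client
      # No client secret: this client is meant for public (browser/mobile)
      # apps that cannot keep a secret
      GenerateSecret: false
      UserPoolId: !Ref UserPool
  # Creates a federated Identity pool
  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub ${AuthName}Identity
      # Guest (unauthenticated) identities receive CognitoUnAuthorizedRole
      # below; set this to false if guest access is not needed
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName
  # Create a role for unauthorized access to AWS resources. Very limited access.
  # Only allows users in the previously created Identity Pool
  CognitoUnAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            # aud pins the role to this identity pool; amr restricts it to
            # unauthenticated (guest) identities
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                # cognito-sync:* on every resource is wider than a guest
                # usually needs; narrow to the datasets this app uses
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                Resource: "*"
  # Create a role for authorized access to AWS resources. Control what your user
  # can access. This example only allows Lambda invocation
  # Only allows users in the previously created Identity Pool
  CognitoAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            # aud pins the role to this identity pool; amr restricts it to
            # authenticated identities
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                  - "cognito-identity:*"
                Resource: "*"
              - Effect: "Allow"
                # Resource "*" lets every signed-in user invoke every Lambda
                # function in the account; replace with the ARNs of the
                # functions this app actually calls
                Action:
                  - "lambda:InvokeFunction"
                Resource: "*"
  # Assigns the roles to the Identity Pool
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn
Outputs:
  # Export names must be unique per account and region; prefix them with
  # AuthName if more than one copy of this stack is deployed
  UserPoolId:
    Value: !Ref UserPool
    Export:
      Name: "UserPool::Id"
  UserPoolClientId:
    Value: !Ref UserPoolClient
    Export:
      Name: "UserPoolClient::Id"
  IdentityPoolId:
    Value: !Ref IdentityPool
    Export:
      Name: "IdentityPool::Id"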
You could try creating the pool you want manually, then printing out a JSON spec that describes it using Amazon's aws-shell (https://github.com/awslabs/aws-shell), or perhaps the aws-cli (I'm not sure whether aws-cli supports this).
You can then convert the JSON to YAML to see the differences more clearly.
Alternatively, to import the spec in order to create a new pool, you need to remove properties such as DateCreated, PoolID, etc. that are specific to the previous pool. The aws-shell command is:
Here is a link to docs
Hope this helps.