---
AWSTemplateFormatVersion : 2010-09-09
Description: Creates a Cognito Pool for the Amazon Sumerian Concierge Experience.
Outputs:
  CognitoIdentityPoolID:
    Description: The Cognito Identity Pool ID. Place this in the AWS settings of your Amazon Sumerian Scene
    Value:
      Ref: CognitoIdentityPool
Resources:
    CognitoIdentityPool:
        Type: AWS::Cognito::IdentityPool
        Properties:
          IdentityPoolName:
            Fn::Sub: "SumerianTutorialCognitoIdentityPool${AWS::StackName}"
          AllowUnauthenticatedIdentities: True
    CognitoIdentityExampleRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Action: sts:AssumeRoleWithWebIdentity
              Effect: Allow
              Principal:
                Federated: 'cognito-identity.amazonaws.com'
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: CognitoIdentityPool
          ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AmazonPollyReadOnlyAccess
          - arn:aws:iam::aws:policy/AmazonLexRunBotsOnly
          - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
          - arn:aws:iam::aws:policy/AmazonS3FullAccess
          - arn:aws:iam::aws:policy/AmazonRekognitionReadOnlyAccess
    CognitoRoleAttachment:
      Type: "AWS::Cognito::IdentityPoolRoleAttachment"
      Properties:
        IdentityPoolId:
          Ref: CognitoIdentityPool
        Roles:
          unauthenticated:
            Fn::GetAtt: [CognitoIdentityExampleRole, Arn]