# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 Description: > This template creates Cognito user and identity pools. Unauthorized access is denied any access by default. Authorized and unauthorized roles are created for identity pool. Authorized role does not have any policy associated, add it in the parent stack with privileges needed. Parameters: UserPoolAdminGroupName: Description: User pool group name for API administrators Type: String Default: apiAdmins Resources: UserPool: Type: AWS::Cognito::UserPool Properties: UserPoolName: !Sub ${AWS::StackName}-UserPool AdminCreateUserConfig: AllowAdminCreateUserOnly: false AutoVerifiedAttributes: - email - phone_number MfaConfiguration: "OPTIONAL" SmsConfiguration: ExternalId: !Sub ${AWS::StackName} SnsCallerArn: !GetAtt UserPoolMFASNSRole.Arn Schema: - Name: name AttributeDataType: String Mutable: true Required: true - Name: email AttributeDataType: String Mutable: true Required: true - Name: phone_number AttributeDataType: String Mutable: false Required: false UsernameAttributes: - email UserPoolTags: Key: Name Value: !Sub ${AWS::StackName} User Pool UserPoolMFASNSRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cognito-idp.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: !Sub "${AWS::StackName}-CognitoMFASNSPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "sns:publish" Resource: "*" UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: ClientName: !Sub ${AWS::StackName}UserPoolClient ExplicitAuthFlows: - ALLOW_USER_PASSWORD_AUTH - ALLOW_USER_SRP_AUTH - ALLOW_REFRESH_TOKEN_AUTH GenerateSecret: false PreventUserExistenceErrors: ENABLED RefreshTokenValidity: 30 SupportedIdentityProviders: - COGNITO UserPoolId: !Ref UserPool AllowedOAuthFlowsUserPoolClient: true AllowedOAuthFlows: - 'code' AllowedOAuthScopes: - 'email' - 'openid' CallbackURLs: - 'http://localhost' UserPoolDomain: Type: AWS::Cognito::UserPoolDomain Properties: Domain: !Ref UserPoolClient UserPoolId: !Ref UserPool IdentityPool: Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: !Sub ${AWS::StackName}-IdentityPool AllowUnauthenticatedIdentities: false CognitoIdentityProviders: - ClientId: !Ref UserPoolClient ProviderName: !GetAtt UserPool.ProviderName CognitoUnAuthorizedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Federated: "cognito-identity.amazonaws.com" Action: - "sts:AssumeRoleWithWebIdentity" Condition: StringEquals: "cognito-identity.amazonaws.com:aud": !Ref IdentityPool "ForAnyValue:StringLike": "cognito-identity.amazonaws.com:amr": unauthenticated Tags: - Key: Name Value: !Sub ${AWS::StackName} Cognito Identity Pool Unauthorized Role CognitoAuthorizedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Federated: "cognito-identity.amazonaws.com" Action: - "sts:AssumeRoleWithWebIdentity" Condition: StringEquals: "cognito-identity.amazonaws.com:aud": !Ref IdentityPool "ForAnyValue:StringLike": "cognito-identity.amazonaws.com:amr": authenticated Tags: - Key: Name Value: !Sub ${AWS::StackName} Cognito Identity Pool Unauthorized Role IdentityPoolRoleMapping: Type: "AWS::Cognito::IdentityPoolRoleAttachment" Properties: IdentityPoolId: !Ref IdentityPool Roles: authenticated: !GetAtt CognitoAuthorizedRole.Arn unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn ApiAdministratorsUserPoolGroup: Type: AWS::Cognito::UserPoolGroup Properties: Description: User group for API Administrators GroupName: !Ref UserPoolAdminGroupName Precedence: 0 UserPoolId: !Ref UserPool Outputs: UserPool: Description: Cognito User Pool ID Value: !Ref UserPool Export: Name: !Sub ${AWS::StackName}-UserPool UserPoolClient: Description: Cognito User Pool Application Client ID Value: !Ref UserPoolClient Export: Name: !Sub ${AWS::StackName}-UserPoolClient IdentityPool: Description: Cognito Identity Pool ID Value: !Ref IdentityPool Export: Name: !Sub ${AWS::StackName}-IdentityPool UserPoolAdminGroupName: Description: User Pool group name for API administrators Value: !Ref UserPoolAdminGroupName Export: Name: !Sub ${AWS::StackName}-UserPoolAdminGroupName CognitoIdentityPoolAuthorizedUserRole: Description: IAM role for Cognito Identity Pool authorized users Value: !Ref CognitoAuthorizedRole Export: Name: !Sub ${AWS::StackName}-CognitoAuthorizedRole CognitoLoginURL: Description: Cognito User Pool Application Client Hosted Login UI URL Value: !Sub 'https://${UserPoolClient}.auth.${AWS::Region}.amazoncognito.com/login?client_id=${UserPoolClient}&response_type=code&redirect_uri=http://localhost' CognitoAuthCommand: Description: AWS CLI command for Amazon Cognito User Pool authentication Value: !Sub 'aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id ${UserPoolClient} --auth-parameters USERNAME=,PASSWORD='