Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

RoleMappings with IdentityPoolRoleAttachment resource issue (can't use Join)

See original GitHub issue

Issue Description

class IdentityPoolRoleAttachment(AWSObject):
    resource_type = "AWS::Cognito::IdentityPoolRoleAttachment"

    props = {
        'IdentityPoolId': (basestring, True),
        'RoleMappings': (dict, False),
        'Roles': (dict, False),

On the RoleMappings prop of the IdentityPoolRoleAttachment resource, there is a mismatch with the official configuration :

RoleMappings How users for a specific identity provider are to mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, “” or “

To build the provider name string of the cognito user pool with the client id, it’s necessary to Join multiple values like this :

Join(":", [GetAtt(cognito_user_pool, "ProviderName"),GetAtt(cognito_user_pool_app_client, "Name")])

But if I put the Join value as a key of the RoleMappings dict, I have the following error:

TypeError: key <troposphere.Join object at 0x1020bb0d0> is not a string

Is it a CloudFormation limitation or Troposphere limitation? Thanks !

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:5 (1 by maintainers)

github_iconTop GitHub Comments

michaellieberherrcommented, Dec 14, 2017

Just stumbled upon this github discussion, I’m not using troposphere myself, but run into the same issue with cognito a few months ago. see the discussion at - it’s a cloudformation design flaw. We wrote a custom resource backed by a lambda function (see aws forum link) to work around the issue.

3dw1npcommented, May 15, 2019

thx @michaellieberherr a long time after, here is my final integration with troposphere example:

class CustomTransformedRoleMapping(AWSCustomObject):
    resource_type = "Custom::TransformedRoleMapping"
    props = {
        'ServiceToken': (basestring, True),
        'Type': (basestring, True),
        'AmbiguousRoleResolution': (basestring, True),
        'IdentityProvider': (basestring, True),
code = [
    "var response = require('cfn-response');",
    "exports.handler = function(event, context) {",
    "  console.log('REQUEST RECEIVED: ', JSON.stringify(event));"
    "  let resourceProperties = event.ResourceProperties;",
    "  let responseData = {};",
    "  if (!resourceProperties.IdentityProvider || !resourceProperties.Type) {",
    "    responseData.Message = 'Missing required parameter \"IdentityProvider\" or \"Type\"';",
    "    response.send(event, context, response.FAILED, responseData);"
    "  }",
    "  responseData = {",
    "    RoleMapping: {",
    "      [resourceProperties.IdentityProvider]: {",
    "        Type: resourceProperties.Type,",
    "      },",
    "    },",
    "  };",
    "  if (resourceProperties.AmbiguousRoleResolution) {",
    "    responseData.RoleMapping[resourceProperties.IdentityProvider].AmbiguousRoleResolution = resourceProperties.AmbiguousRoleResolution;",
    "  }",
    "  if (resourceProperties.RulesConfiguration) {",
    "    responseData.RoleMapping[resourceProperties.IdentityProvider].RulesConfiguration = resourceProperties.RulesConfiguration;",
    "  }",
    "  response.send(event, context, response.SUCCESS, responseData);",

function_cognito_role_mappings_provider_name = t.add_resource(Function(
        ZipFile=Join("", code)
    Role=GetAtt("LambdaExecutionRole", "Arn"),

cognito_idp_role_mapping = t.add_resource(CustomTransformedRoleMapping(
    ServiceToken=GetAtt(function_cognito_role_mappings_provider_name, "Arn"),
    IdentityProvider=Join(":", [GetAtt(cognito_user_pool, "ProviderName"), Ref(cognito_user_pool_client)])

    RoleMappings=GetAtt(cognito_idp_role_mapping, "RoleMapping"),
        'authenticated': GetAtt(cognito_role_auth, "Arn"),
        'unauthenticated': GetAtt(cognito_role_unauth, "Arn")
Read more comments on GitHub >

github_iconTop Results From Across the Web

AWS::Cognito::IdentityPoolRoleAttachment RoleMapping
RoleMapping is a property of the AWS::Cognito::IdentityPoolRoleAttachment resource that defines the role-mapping attributes of an Amazon Cognito identity ...
Read more >
AWS::Cognito::IdentityPoolRoleAttachment RoleMapping
RoleMapping is a property of the AWS::Cognito::IdentityPoolRoleAttachment resource that defines the role-mapping attributes of an Amazon Cognito identity ...
Read more >
Additional claims not showing up on cognito ID token
I am using a following CloudFormention Template to add cognito:preferred_role claim to my ID token. IdentityPoolRoleAttachment: Type: ...
Read more >
Properly setting up IdentityPoolRoleAttachment
Having an issue with IdentityPoolRoleAttachment, on deploy I get: ... Resources: CognitoIdentityPool: Type: AWS::Cognito::IdentityPool ...
Read more >
awscognito - Go Packages
Identity pools enable you to grant your users access to other AWS services. ... The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found