Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

RoleMappings with IdentityPoolRoleAttachment resource issue (can't use Join)

See original GitHub issue

class IdentityPoolRoleAttachment(AWSObject):
    resource_type = "AWS::Cognito::IdentityPoolRoleAttachment"

    props = {
        'IdentityPoolId': (basestring, True),
        'RoleMappings': (dict, False),
        'Roles': (dict, False),
    }

On the RoleMappings prop of the IdentityPoolRoleAttachment resource, there is a mismatch with the official configuration :

RoleMappings How users for a specific identity provider are to mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, “graph.facebook.com” or “cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id”

To build the provider name string of the cognito user pool with the client id, it’s necessary to Join multiple values like this :

Join(":", [GetAtt(cognito_user_pool, "ProviderName"),GetAtt(cognito_user_pool_app_client, "Name")])

But if I put the Join value as a key of the RoleMappings dict, I have the following error:

TypeError: key <troposphere.Join object at 0x1020bb0d0> is not a string

Is it a CloudFormation limitation or Troposphere limitation? Thanks !

Issue Analytics

State:
Created 6 years ago
Comments:5 (1 by maintainers)

Top GitHub Comments

1reaction

michaellieberherrcommented, Dec 14, 2017

Just stumbled upon this github discussion, I’m not using troposphere myself, but run into the same issue with cognito a few months ago. see the discussion at https://forums.aws.amazon.com/message.jspa?messageID=790437#790437 - it’s a cloudformation design flaw. We wrote a custom resource backed by a lambda function (see aws forum link) to work around the issue.

0reactions

3dw1npcommented, May 15, 2019

thx @michaellieberherr a long time after, here is my final integration with troposphere example:

class CustomTransformedRoleMapping(AWSCustomObject):
    resource_type = "Custom::TransformedRoleMapping"
    props = {
        'ServiceToken': (basestring, True),
        'Type': (basestring, True),
        'AmbiguousRoleResolution': (basestring, True),
        'IdentityProvider': (basestring, True),
    }

code = [
    "var response = require('cfn-response');",
    "exports.handler = function(event, context) {",
    "  console.log('REQUEST RECEIVED: ', JSON.stringify(event));"
    "  let resourceProperties = event.ResourceProperties;",
    "  let responseData = {};",
    "  if (!resourceProperties.IdentityProvider || !resourceProperties.Type) {",
    "    responseData.Message = 'Missing required parameter \"IdentityProvider\" or \"Type\"';",
    "    response.send(event, context, response.FAILED, responseData);"
    "  }",
    "  responseData = {",
    "    RoleMapping: {",
    "      [resourceProperties.IdentityProvider]: {",
    "        Type: resourceProperties.Type,",
    "      },",
    "    },",
    "  };",
    "  if (resourceProperties.AmbiguousRoleResolution) {",
    "    responseData.RoleMapping[resourceProperties.IdentityProvider].AmbiguousRoleResolution = resourceProperties.AmbiguousRoleResolution;",
    "  }",
    "  if (resourceProperties.RulesConfiguration) {",
    "    responseData.RoleMapping[resourceProperties.IdentityProvider].RulesConfiguration = resourceProperties.RulesConfiguration;",
    "  }",
    "  response.send(event, context, response.SUCCESS, responseData);",
    "};"
]

function_cognito_role_mappings_provider_name = t.add_resource(Function(
    "FunctionCognitoRoleMappingsProviderName",
    Code=Code(
        ZipFile=Join("", code)
    ),
    Handler="index.handler",
    Role=GetAtt("LambdaExecutionRole", "Arn"),
    Runtime="nodejs8.10",
    Timeout=30
))

cognito_idp_role_mapping = t.add_resource(CustomTransformedRoleMapping(
    "TransformedRoleMapping",
    ServiceToken=GetAtt(function_cognito_role_mappings_provider_name, "Arn"),
    Type="Token",
    AmbiguousRoleResolution="AuthenticatedRole",
    IdentityProvider=Join(":", [GetAtt(cognito_user_pool, "ProviderName"), Ref(cognito_user_pool_client)])
))

t.add_resource(IdentityPoolRoleAttachment(
    "idpRoleAttachment",
    IdentityPoolId=Ref(cognito_identity_pool),
    RoleMappings=GetAtt(cognito_idp_role_mapping, "RoleMapping"),
    Roles={
        'authenticated': GetAtt(cognito_role_auth, "Arn"),
        'unauthenticated': GetAtt(cognito_role_unauth, "Arn")
    }
))

Top Results From Across the Web

AWS::Cognito::IdentityPoolRoleAttachment RoleMapping

RoleMapping is a property of the AWS::Cognito::IdentityPoolRoleAttachment resource that defines the role-mapping attributes of an Amazon Cognito identity ...

AWS::Cognito::IdentityPoolRoleAttachment RoleMapping

RoleMapping is a property of the AWS::Cognito::IdentityPoolRoleAttachment resource that defines the role-mapping attributes of an Amazon Cognito identity ...

Additional claims not showing up on cognito ID token

I am using a following CloudFormention Template to add cognito:preferred_role claim to my ID token. IdentityPoolRoleAttachment: Type: ...

Properly setting up IdentityPoolRoleAttachment

Having an issue with IdentityPoolRoleAttachment, on deploy I get: ... Resources: CognitoIdentityPool: Type: AWS::Cognito::IdentityPool ...

awscognito - Go Packages

Identity pools enable you to grant your users access to other AWS services. ... The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role ...