Node.js AWS Cognito with the Serverless Framework

Tags: node.js, amazon-web-services, amazon-cloudformation, serverless-framework

I'm trying to add Cognito to my Node.js app for user management, using the Serverless Framework. I've been configuring the IdentityPoolRoleAttachment. I have one role for each identity provided by Cognito/Facebook/Google, and this is what I came up with:

CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacebookAuthenticatedRole
            - FacebookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
Googling the docs only shows how to configure the attachment with a single Cognito user pool; how do I add the roles for Facebook/Google? If I try to deploy it, it fails with:

ServerlessError: An error occurred: CognitoIdentityPoolRoleAttachment - Internal Failure.
which isn't much help. Any input would be appreciated.

Here is the full config, just in case:

CognitoUserPoolStandardUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireLowercase: true
        RequireNumbers: true
        RequireSymbols: false
        RequireUppercase: true
    Schema:
      #- Name: name
      #  AttributeDataType: String
      #  Mutable: true
      #  Required: true
      - Name: email
        AttributeDataType: String
        Mutable: false
        Required: true
    AutoVerifiedAttributes:
      - email

CognitoUserPoolClientStandardUserPoolClient:
  DependsOn: CognitoUserPoolStandardUserPool
  Type: AWS::Cognito::UserPoolClient
  Properties:
    ClientName: Standard_Users
    UserPoolId:
      Ref: CognitoUserPoolStandardUserPool
    RefreshTokenValidity: 1
    GenerateSecret: false

CognitoIdentityPoolStandardUserIdentityPool:
  DependsOn: CognitoUserPoolClientStandardUserPoolClient
  Type: AWS::Cognito::IdentityPool
  Properties:
    AllowUnauthenticatedIdentities: false
    SupportedLoginProviders:
      "graph.facebook.com": ${self:provider.config.FB_APP_ID}
      "accounts.google.com": ${self:provider.config.GOOGL_WEB_ID}
    CognitoIdentityProviders:
      - ClientId: 
          Ref: CognitoUserPoolClientStandardUserPoolClient
        ProviderName:
          Fn::GetAtt: 
            - CognitoUserPoolStandardUserPool
            - ProviderName
        ServerSideTokenCheck: true

# Authenticated users can call API Gateway
UserPoolAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: UserPoolAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: 
              - "cognito-identity.amazonaws.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": authenticated
    Policies:
      - PolicyName: UserPoolAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600

FacebookAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: FacebookAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: 
              - "graph.facebook.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "graph.facebook.com:app_id": ${self:provider.config.FB_APP_ID}
    Policies:
      - PolicyName: FacebookAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600

GoogleAuthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    RoleName: GoogleAuthRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: 
              - "accounts.google.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "accounts.google.com:aud": ${self:provider.config.GOOGL_WEB_ID}
    Policies:
      - PolicyName: GoogleAuthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "execute-api:Invoke"
              Resource: "*"
    MaxSessionDuration: 3600

# Unauthenticated users can only authenticate
UserPoolUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: 
              - "cognito-identity.amazonaws.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": unauthenticated
    Policies:
      - PolicyName: UserPoolUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600

FacebookUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: 
              - "graph.facebook.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud": ${self:provider.config.FB_APP_ID}
    Policies:
      - PolicyName: FacebookUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600

GoogleUnauthenticatedRole:
  DependsOn: CognitoIdentityPoolStandardUserIdentityPool
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated:
              - "accounts.google.com"
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud": ${self:provider.config.GOOGL_WEB_ID}
    Policies:
      - PolicyName: GoogleUnauthenticatedPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-identity:*"
              Resource: "*"
    MaxSessionDuration: 3600

CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacebookAuthenticatedRole
            - FacebookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
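The "Internal Failure" comes from the shape of the attachment rather than from the provider list. Three things in the posted RoleMappings are not what the resource expects: each mapping needs a `Type` (`Token` or `Rules`), and with `Rules` the `RulesConfiguration.Rules` list holds MappingRule objects (`Claim`, `MatchType`, `Value`, `RoleARN`), not role logical names; the map key must be a provider identifier, and for a user pool that is `<ProviderName>:<ClientId>` (`cognito-idp.<region>.amazonaws.com/<pool id>:<client id>`), not `cognito-identity.amazonaws.com`; and the attachment has no default `Roles`, which `AmbiguousRoleResolution: AuthenticatedRole` falls back to. Separately, the Facebook and Google roles trust `graph.facebook.com` / `accounts.google.com` directly, but with an identity pool it is `cognito-identity.amazonaws.com` that calls `sts:AssumeRoleWithWebIdentity`, so the pool can never hand out a role whose trust policy does not name it; a role that trusts the social provider directly is a plain web-identity-federation role that bypasses the pool (and its `ServerSideTokenCheck`). Below is a corrected version of the attachment and one authenticated role, written here as an added example that is not from the original post. It reuses the post's logical ids and assumes: the `IdentityProvider` property of RoleMapping (which lets the provider id be built with intrinsic functions, since a YAML map key cannot be a `Ref` or `Fn::Join`); `ApiGatewayRestApi`, the logical id the Serverless Framework gives the REST API it creates for the service; and `${opt:stage, 'dev'}` for the stage segment. The user pool mapping uses `Type: Token` (the pool reads `cognito:preferred_role` from the ID token and otherwise falls back to the default authenticated role). The API reference's own example of a RoleMappings key is `graph.facebook.com`, so the keys for Facebook and Google are accepted, but rule-based mapping matches claims in the provider's token and the post gives nothing to match on, so in this example social logins receive the default authenticated role; verify in your own account that rules are evaluated for those providers before relying on them for authorization.

```yaml
# Added example (not from the original post): corrected identity pool role
# attachment and authenticated role for the resources defined above.
# Goes under resources.Resources in serverless.yml, replacing the
# UserPoolAuthenticatedRole and CognitoIdentityPoolRoleAttachment resources.
UserPoolAuthenticatedRole:
  Type: AWS::IAM::Role
  Properties:
    # The identity pool, not Facebook/Google, assumes this role, so the
    # trusted principal is cognito-identity.amazonaws.com, the aud claim is
    # pinned to this pool, and amr must contain "authenticated". To pin a
    # role to one provider instead, amr also carries the provider name
    # (for example "graph.facebook.com").
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              "cognito-identity.amazonaws.com:aud":
                Ref: CognitoIdentityPoolStandardUserIdentityPool
            "ForAnyValue:StringLike":
              "cognito-identity.amazonaws.com:amr": authenticated
    Policies:
      - PolicyName: InvokeThisApiOnly
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: execute-api:Invoke
              # Resource "*" would allow invoking every API in the account.
              # Scope it to this service's API and stage (assumed logical id
              # ApiGatewayRestApi, assumed stage variable opt:stage).
              Resource:
                Fn::Join:
                  - ""
                  - - "arn:aws:execute-api:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - ":"
                    - Ref: ApiGatewayRestApi
                    - "/${opt:stage, 'dev'}/*"
    MaxSessionDuration: 3600

CognitoIdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    # Default roles. The pool has AllowUnauthenticatedIdentities: false, so
    # no unauthenticated role is needed; GetId/GetCredentialsForIdentity are
    # unsigned calls and need no IAM permissions, so "cognito-identity:*"
    # on "*" in the posted unauthenticated roles bought nothing.
    Roles:
      authenticated:
        Fn::GetAtt: [UserPoolAuthenticatedRole, Arn]
    RoleMappings:
      # The map key is only a label; the provider id is built in
      # IdentityProvider as "<ProviderName>:<ClientId>". A Rules mapping
      # would replace Type: Token with Type: Rules plus
      # RulesConfiguration.Rules, a list of {Claim, MatchType, Value, RoleARN}.
      StandardUserPool:
        IdentityProvider:
          Fn::Join:
            - ""
            - - Fn::GetAtt: [CognitoUserPoolStandardUserPool, ProviderName]
              - ":"
              - Ref: CognitoUserPoolClientStandardUserPoolClient
        Type: Token
        AmbiguousRoleResolution: AuthenticatedRole
```

No `DependsOn` is needed on the attachment: the `Ref`/`Fn::GetAtt` references already order it after the pool, the client and the role. Keep `ServerSideTokenCheck: true` on the identity pool's Cognito provider so a disabled or deleted user-pool user cannot keep exchanging a still-valid ID token for AWS credentials.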