The highest tagged major version is
README
¶
Amazon Cognito Identity Pool Construct Library
Identity Pools are in a separate module while the API is being stabilized. Once we stabilize the module, they will be included into the stable aws-cognito library. Please provide feedback on this experience by creating an issue here
Amazon Cognito Identity Pools enable you to grant your users access to other AWS services.
Identity Pools are one of the two main components of Amazon Cognito, which provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.
The other main component in Amazon Cognito is user pools. User Pools are user directories that provide sign-up and sign-in options for your app users.
This module is part of the AWS Cloud Development Kit project.
import "github.com/aws/aws-cdk-go/awscdk"
Table of Contents
Identity Pools
Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to an account.
Identity pools can be used in conjunction with Cognito User Pools or by accessing external federated identity providers directly. Learn more at Amazon Cognito Identity Pools.
Authenticated and Unauthenticated Identities
Identity pools define two types of identities: authenticated(user) and unauthenticated (guest). Every identity in
an identity pool is either authenticated or unauthenticated. Each identity pool has a default role for authenticated
identities, and a default role for unauthenticated identities. Absent other overriding rules (see below), these are the
roles that will be assumed by the corresponding users in the authentication process.
A basic Identity Pool with minimal configuration has no required props, with default authenticated (user) and unauthenticated (guest) roles applied to the identity pool:
awscdk.NewIdentityPool(this, jsii.String("myIdentityPool"))
By default, both the authenticated and unauthenticated roles will have no permissions attached. Grant permissions
to roles using the public authenticatedRole and unauthenticatedRole properties:
import dynamodb "github.com/aws/aws-cdk-go/awscdk"
var table table
identityPool := awscdk.NewIdentityPool(this, jsii.String("myIdentityPool"))
// Grant permissions to authenticated users
table.grantReadWriteData(identityPool.authenticatedRole)
// Grant permissions to unauthenticated guest users
table.grantReadData(identityPool.unauthenticatedRole)
//Or add policy statements straight to the role
identityPool.authenticatedRole.addToPrincipalPolicy(iam.NewPolicyStatement(&policyStatementProps{
effect: iam.effect_ALLOW,
actions: []*string{
jsii.String("dynamodb:*"),
},
resources: []*string{
jsii.String("*"),
},
}))
The default roles can also be supplied in IdentityPoolProps:
stack := awscdk.Newstack()
authenticatedRole := iam.NewRole(this, jsii.String("authRole"), &roleProps{
assumedBy: iam.NewServicePrincipal(jsii.String("service.amazonaws.com")),
})
unauthenticatedRole := iam.NewRole(this, jsii.String("unauthRole"), &roleProps{
assumedBy: iam.NewServicePrincipal(jsii.String("service.amazonaws.com")),
})
identityPool := awscdk.NewIdentityPool(this, jsii.String("TestIdentityPoolActions"), &identityPoolProps{
authenticatedRole: authenticatedRole,
unauthenticatedRole: unauthenticatedRole,
})
Authentication Providers
Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Login with Amazon, Sign in with Apple, Facebook, Google, SAML, or any OpenID Connect Providers) or a developer provider (your own backend authentication process).
Authentication providers can be associated with an Identity Pool by first associating them with a Cognito User Pool or by associating the provider directly with the identity pool.
User Pool Authentication Provider
In order to attach a user pool to an identity pool as an authentication provider, the identity pool needs properties
from both the user pool and the user pool client. For this reason identity pools use a UserPoolAuthenticationProvider
to gather the necessary properties from the user pool constructs.
userPool := cognito.NewUserPool(this, jsii.String("Pool"))
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
userPools: []iUserPoolAuthenticationProvider{
awscdk.NewUserPoolAuthenticationProvider(&userPoolAuthenticationProviderProps{
userPool: userPool,
}),
},
},
})
User pools can also be associated with an identity pool after instantiation. The Identity Pool's addUserPoolAuthentication method
returns the User Pool Client that has been created:
var identityPool identityPool
userPool := cognito.NewUserPool(this, jsii.String("Pool"))
userPoolClient := identityPool.addUserPoolAuthentication(awscdk.NewUserPoolAuthenticationProvider(&userPoolAuthenticationProviderProps{
userPool: userPool,
}))
Server Side Token Check
With the IdentityPool CDK Construct, by default the pool is configured to check with the integrated user pools to
make sure that the user has not been globally signed out or deleted before the identity pool provides an OIDC token or
AWS credentials for the user.
If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error. This setting can be disabled, however, in several ways.
Setting disableServerSideTokenCheck to true will change the default behavior to no server side token check. Learn
more here:
var identityPool identityPool
userPool := cognito.NewUserPool(this, jsii.String("Pool"))
identityPool.addUserPoolAuthentication(awscdk.NewUserPoolAuthenticationProvider(&userPoolAuthenticationProviderProps{
userPool: userPool,
disableServerSideTokenCheck: jsii.Boolean(true),
}))
Associating an External Provider Directly
One or more external identity providers can be associated with an identity pool directly using
authenticationProviders:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("amzn1.application.12312k3j234j13rjiwuenf"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("1234567890123"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("com.myappleapp.auth"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("my-twitter-id"),
consumerSecret: jsii.String("my-twitter-secret"),
},
},
})
To associate more than one provider of the same type with the identity pool, use User Pools, OpenIdConnect, or SAML. Only one provider per external service can be attached directly to the identity pool.
OpenId Connect and Saml
OpenID Connect is an open standard for authentication that is supported by a number of login providers. Amazon Cognito supports linking of identities with OpenID Connect providers that are configured through AWS Identity and Access Management.
An identity provider that supports Security Assertion Markup Language 2.0 (SAML 2.0) can be used to provide a simple onboarding flow for users. The SAML-supporting identity provider specifies the IAM roles that can be assumed by users so that different users can be granted different sets of permissions. Associating an OpenId Connect or Saml provider with an identity pool:
var openIdConnectProvider openIdConnectProvider
var samlProvider samlProvider
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
openIdConnectProviders: []iOpenIdConnectProvider{
openIdConnectProvider,
},
samlProviders: []iSamlProvider{
samlProvider,
},
},
})
Custom Providers
The identity pool's behavior can be customized further using custom developer authenticated identities. With developer authenticated identities, users can be registered and authenticated via an existing authentication process while still using Amazon Cognito to synchronize user data and access AWS resources.
Like the supported external providers, though, only one custom provider can be directly associated with the identity pool.
var openIdConnectProvider openIdConnectProvider
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
openIdConnectProviders: []iOpenIdConnectProvider{
openIdConnectProvider,
},
customProvider: jsii.String("my-custom-provider.example.com"),
},
})
Role Mapping
In addition to setting default roles for authenticated and unauthenticated users, identity pools can also be used to define rules to choose the role for each user based on claims in the user's ID token by using Role Mapping. When using role mapping, it's important to be aware of some of the permissions the role will need. An in depth review of roles and role mapping can be found here.
Using a token-based approach to role mapping will allow mapped roles to be passed through the cognito:roles or
cognito:preferred_role claims from the identity provider:
import "github.com/aws/aws-cdk-go/awscdk"
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl_AMAZON(),
useToken: jsii.Boolean(true),
},
},
})
Using a rule-based approach to role mapping allows roles to be assigned based on custom claims passed from the identity provider:
import "github.com/aws/aws-cdk-go/awscdk"
var adminRole role
var nonAdminRole role
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
// Assign specific roles to users based on whether or not the custom admin claim is passed from the identity provider
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl_AMAZON(),
rules: []roleMappingRule{
&roleMappingRule{
claim: jsii.String("custom:admin"),
claimValue: jsii.String("admin"),
mappedRole: adminRole,
},
&roleMappingRule{
claim: jsii.String("custom:admin"),
claimValue: jsii.String("admin"),
matchType: awscdk.RoleMappingMatchType_NOTEQUAL,
mappedRole: nonAdminRole,
},
},
},
},
})
Role mappings can also be added after instantiation with the Identity Pool's addRoleMappings method:
import "github.com/aws/aws-cdk-go/awscdk"
var identityPool identityPool
var myAddedRoleMapping1 identityPoolRoleMapping
var myAddedRoleMapping2 identityPoolRoleMapping
var myAddedRoleMapping3 identityPoolRoleMapping
identityPool.addRoleMappings(myAddedRoleMapping1, myAddedRoleMapping2, myAddedRoleMapping3)
Provider Urls
Role mappings must be associated with the url of an Identity Provider which can be supplied
IdentityPoolProviderUrl. Supported Providers have static Urls that can be used:
import "github.com/aws/aws-cdk-go/awscdk"
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl_FACEBOOK(),
useToken: jsii.Boolean(true),
},
},
})
For identity providers that don't have static Urls, a custom Url or User Pool Client Url can be supplied:
import "github.com/aws/aws-cdk-go/awscdk"
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl.userPool(jsii.String("cognito-idp.my-idp-region.amazonaws.com/my-idp-region_abcdefghi:app_client_id")),
useToken: jsii.Boolean(true),
},
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl.custom(jsii.String("my-custom-provider.com")),
useToken: jsii.Boolean(true),
},
},
})
See here for more information.
Authentication Flow
Identity Pool Authentication Flow defaults to the enhanced, simplified flow. The Classic (basic) Authentication Flow
can also be implemented using allowClassicFlow:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
allowClassicFlow: jsii.Boolean(true),
})
Cognito Sync
It's now recommended to integrate AWS AppSync for synchronizing app data across devices, so
Cognito Sync features like PushSync, CognitoEvents, and CognitoStreams are not a part of IdentityPool. More
information can be found here.
Importing Identity Pools
You can import existing identity pools into your stack using Identity Pool static methods with the Identity Pool Id or Arn:
awscdk.IdentityPool.fromIdentityPoolId(this, jsii.String("my-imported-identity-pool"), jsii.String("us-east-1:dj2823ryiwuhef937"))
awscdk.IdentityPool.fromIdentityPoolArn(this, jsii.String("my-imported-identity-pool"), jsii.String("arn:aws:cognito-identity:us-east-1:123456789012:identitypool/us-east-1:dj2823ryiwuhef937"))
Documentation
¶
Index ¶
- func IdentityPoolRoleAttachment_IsConstruct(x interface{}) *bool
- func IdentityPoolRoleAttachment_IsResource(construct awscdk.IConstruct) *bool
- func IdentityPool_IsConstruct(x interface{}) *bool
- func IdentityPool_IsResource(construct awscdk.IConstruct) *bool
- func NewIdentityPoolProviderUrl_Override(i IdentityPoolProviderUrl, type_ IdentityPoolProviderType, value *string)
- func NewIdentityPoolRoleAttachment_Override(i IdentityPoolRoleAttachment, scope constructs.Construct, id *string, ...)
- func NewIdentityPool_Override(i IdentityPool, scope constructs.Construct, id *string, ...)
- func NewUserPoolAuthenticationProvider_Override(u UserPoolAuthenticationProvider, props *UserPoolAuthenticationProviderProps)
- type IIdentityPool
- type IIdentityPoolRoleAttachment
- type IUserPoolAuthenticationProvider
- type IdentityPool
- type IdentityPoolAmazonLoginProvider
- type IdentityPoolAppleLoginProvider
- type IdentityPoolAuthenticationProviders
- type IdentityPoolDigitsLoginProvider
- type IdentityPoolFacebookLoginProvider
- type IdentityPoolGoogleLoginProvider
- type IdentityPoolProps
- type IdentityPoolProviderType
- type IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_AMAZON() IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_APPLE() IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_Custom(url *string) IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_DIGITS() IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_FACEBOOK() IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_GOOGLE() IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_OpenId(url *string) IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_Saml(url *string) IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_TWITTER() IdentityPoolProviderUrl
- func IdentityPoolProviderUrl_UserPool(url *string) IdentityPoolProviderUrl
- func NewIdentityPoolProviderUrl(type_ IdentityPoolProviderType, value *string) IdentityPoolProviderUrl
- type IdentityPoolProviders
- type IdentityPoolRoleAttachment
- type IdentityPoolRoleAttachmentProps
- type IdentityPoolRoleMapping
- type IdentityPoolTwitterLoginProvider
- type RoleMappingMatchType
- type RoleMappingRule
- type UserPoolAuthenticationProvider
- type UserPoolAuthenticationProviderBindConfig
- type UserPoolAuthenticationProviderBindOptions
- type UserPoolAuthenticationProviderProps
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IdentityPoolRoleAttachment_IsConstruct ¶
func IdentityPoolRoleAttachment_IsConstruct(x interface{}) *bool
Return whether the given object is a Construct. Experimental.
func IdentityPoolRoleAttachment_IsResource ¶
func IdentityPoolRoleAttachment_IsResource(construct awscdk.IConstruct) *bool
Check whether the given construct is a Resource. Experimental.
func IdentityPool_IsConstruct ¶
func IdentityPool_IsConstruct(x interface{}) *bool
Return whether the given object is a Construct. Experimental.
func IdentityPool_IsResource ¶
func IdentityPool_IsResource(construct awscdk.IConstruct) *bool
Check whether the given construct is a Resource. Experimental.
func NewIdentityPoolProviderUrl_Override ¶
func NewIdentityPoolProviderUrl_Override(i IdentityPoolProviderUrl, type_ IdentityPoolProviderType, value *string)
Experimental.
func NewIdentityPoolRoleAttachment_Override ¶
func NewIdentityPoolRoleAttachment_Override(i IdentityPoolRoleAttachment, scope constructs.Construct, id *string, props *IdentityPoolRoleAttachmentProps)
Experimental.
func NewIdentityPool_Override ¶
func NewIdentityPool_Override(i IdentityPool, scope constructs.Construct, id *string, props *IdentityPoolProps)
Experimental.
func NewUserPoolAuthenticationProvider_Override ¶
func NewUserPoolAuthenticationProvider_Override(u UserPoolAuthenticationProvider, props *UserPoolAuthenticationProviderProps)
Experimental.
Types ¶
type IIdentityPool ¶
type IIdentityPool interface {
awscdk.IResource
// The ARN of the Identity Pool.
// Experimental.
IdentityPoolArn() *string
// The id of the Identity Pool in the format REGION:GUID.
// Experimental.
IdentityPoolId() *string
// Name of the Identity Pool.
// Experimental.
IdentityPoolName() *string
}
Represents a Cognito IdentityPool. Experimental.
func IdentityPool_FromIdentityPoolArn ¶
func IdentityPool_FromIdentityPoolArn(scope constructs.Construct, id *string, identityPoolArn *string) IIdentityPool
Import an existing Identity Pool from its Arn. Experimental.
func IdentityPool_FromIdentityPoolId ¶
func IdentityPool_FromIdentityPoolId(scope constructs.Construct, id *string, identityPoolId *string) IIdentityPool
Import an existing Identity Pool from its id. Experimental.
type IIdentityPoolRoleAttachment ¶
type IIdentityPoolRoleAttachment interface {
awscdk.IResource
// Id of the Attachments Underlying Identity Pool.
// Experimental.
IdentityPoolId() *string
}
Represents an Identity Pool Role Attachment. Experimental.
type IUserPoolAuthenticationProvider ¶
type IUserPoolAuthenticationProvider interface {
// The method called when a given User Pool Authentication Provider is added (for the first time) to an Identity Pool.
// Experimental.
Bind(scope constructs.Construct, identityPool IIdentityPool, options *UserPoolAuthenticationProviderBindOptions) *UserPoolAuthenticationProviderBindConfig
}
Represents the concept of a User Pool Authentication Provider.
You use user pool authentication providers to configure User Pools and User Pool Clients for use with Identity Pools. Experimental.
type IdentityPool ¶
type IdentityPool interface {
awscdk.Resource
IIdentityPool
// Default role for authenticated users.
// Experimental.
AuthenticatedRole() awsiam.IRole
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
// Experimental.
Env() *awscdk.ResourceEnvironment
// The ARN of the Identity Pool.
// Experimental.
IdentityPoolArn() *string
// The id of the Identity Pool in the format REGION:GUID.
// Experimental.
IdentityPoolId() *string
// The name of the Identity Pool.
// Experimental.
IdentityPoolName() *string
// The construct tree node associated with this construct.
// Experimental.
Node() awscdk.ConstructNode
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
// Experimental.
PhysicalName() *string
// The stack in which this resource is defined.
// Experimental.
Stack() awscdk.Stack
// Default role for unauthenticated users.
// Experimental.
UnauthenticatedRole() awsiam.IRole
// Adds Role Mappings to Identity Pool.
// Experimental.
AddRoleMappings(roleMappings ...*IdentityPoolRoleMapping)
// Add a User Pool to the IdentityPool and configure User Pool Client to handle identities.
// Experimental.
AddUserPoolAuthentication(userPool IUserPoolAuthenticationProvider)
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
// Experimental.
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Experimental.
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
// Experimental.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
// Experimental.
GetResourceNameAttribute(nameAttr *string) *string
// Perform final modifications before synthesis.
//
// This method can be implemented by derived constructs in order to perform
// final changes before synthesis. prepare() will be called after child
// constructs have been prepared.
//
// This is an advanced framework feature. Only use this if you
// understand the implications.
// Experimental.
OnPrepare()
// Allows this construct to emit artifacts into the cloud assembly during synthesis.
//
// This method is usually implemented by framework-level constructs such as `Stack` and `Asset`
// as they participate in synthesizing the cloud assembly.
// Experimental.
OnSynthesize(session constructs.ISynthesisSession)
// Validate the current construct.
//
// This method can be implemented by derived constructs in order to perform
// validation logic. It is called on all constructs before synthesis.
//
// Returns: An array of validation error messages, or an empty array if the construct is valid.
// Experimental.
OnValidate() *[]*string
// Perform final modifications before synthesis.
//
// This method can be implemented by derived constructs in order to perform
// final changes before synthesis. prepare() will be called after child
// constructs have been prepared.
//
// This is an advanced framework feature. Only use this if you
// understand the implications.
// Experimental.
Prepare()
// Allows this construct to emit artifacts into the cloud assembly during synthesis.
//
// This method is usually implemented by framework-level constructs such as `Stack` and `Asset`
// as they participate in synthesizing the cloud assembly.
// Experimental.
Synthesize(session awscdk.ISynthesisSession)
// Returns a string representation of this construct.
// Experimental.
ToString() *string
// Validate the current construct.
//
// This method can be implemented by derived constructs in order to perform
// validation logic. It is called on all constructs before synthesis.
//
// Returns: An array of validation error messages, or an empty array if the construct is valid.
// Experimental.
Validate() *[]*string
}
Define a Cognito Identity Pool.
Example:
var openIdConnectProvider openIdConnectProvider
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
openIdConnectProviders: []iOpenIdConnectProvider{
openIdConnectProvider,
},
customProvider: jsii.String("my-custom-provider.example.com"),
},
})
Experimental.
func NewIdentityPool ¶
func NewIdentityPool(scope constructs.Construct, id *string, props *IdentityPoolProps) IdentityPool
Experimental.
type IdentityPoolAmazonLoginProvider ¶
type IdentityPoolAmazonLoginProvider struct {
// App Id for Amazon Identity Federation.
// Experimental.
AppId *string `field:"required" json:"appId" yaml:"appId"`
}
Login Provider for Identity Federation using Amazon Credentials.
Example:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("amzn1.application.12312k3j234j13rjiwuenf"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("1234567890123"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("com.myappleapp.auth"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("my-twitter-id"),
consumerSecret: jsii.String("my-twitter-secret"),
},
},
})
Experimental.
type IdentityPoolAppleLoginProvider ¶
type IdentityPoolAppleLoginProvider struct {
// App Id for Apple Identity Federation.
// Experimental.
ServicesId *string `field:"required" json:"servicesId" yaml:"servicesId"`
}
Login Provider for Identity Federation using Apple Credentials.
Example:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("amzn1.application.12312k3j234j13rjiwuenf"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("1234567890123"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("com.myappleapp.auth"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("my-twitter-id"),
consumerSecret: jsii.String("my-twitter-secret"),
},
},
})
Experimental.
type IdentityPoolAuthenticationProviders ¶
type IdentityPoolAuthenticationProviders struct {
// App Id for Amazon Identity Federation.
// Experimental.
Amazon *IdentityPoolAmazonLoginProvider `field:"optional" json:"amazon" yaml:"amazon"`
// Services Id for Apple Identity Federation.
// Experimental.
Apple *IdentityPoolAppleLoginProvider `field:"optional" json:"apple" yaml:"apple"`
// Consumer Key and Secret for Digits Identity Federation.
// Experimental.
Digits *IdentityPoolDigitsLoginProvider `field:"optional" json:"digits" yaml:"digits"`
// App Id for Facebook Identity Federation.
// Experimental.
Facebook *IdentityPoolFacebookLoginProvider `field:"optional" json:"facebook" yaml:"facebook"`
// Client Id for Google Identity Federation.
// Experimental.
Google *IdentityPoolGoogleLoginProvider `field:"optional" json:"google" yaml:"google"`
// Consumer Key and Secret for Twitter Identity Federation.
// Experimental.
Twitter *IdentityPoolTwitterLoginProvider `field:"optional" json:"twitter" yaml:"twitter"`
// The Developer Provider Name to associate with this Identity Pool.
// Experimental.
CustomProvider *string `field:"optional" json:"customProvider" yaml:"customProvider"`
// The OpenIdConnect Provider associated with this Identity Pool.
// Experimental.
OpenIdConnectProviders *[]awsiam.IOpenIdConnectProvider `field:"optional" json:"openIdConnectProviders" yaml:"openIdConnectProviders"`
// The Security Assertion Markup Language Provider associated with this Identity Pool.
// Experimental.
SamlProviders *[]awsiam.ISamlProvider `field:"optional" json:"samlProviders" yaml:"samlProviders"`
// The User Pool Authentication Providers associated with this Identity Pool.
// Experimental.
UserPools *[]IUserPoolAuthenticationProvider `field:"optional" json:"userPools" yaml:"userPools"`
}
Authentication providers for using in identity pool.
Example:
var openIdConnectProvider openIdConnectProvider
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
openIdConnectProviders: []iOpenIdConnectProvider{
openIdConnectProvider,
},
customProvider: jsii.String("my-custom-provider.example.com"),
},
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html
Experimental.
type IdentityPoolDigitsLoginProvider ¶
type IdentityPoolDigitsLoginProvider struct {
// App Id for Twitter Identity Federation.
// Experimental.
ConsumerKey *string `field:"required" json:"consumerKey" yaml:"consumerKey"`
// App Secret for Twitter Identity Federation.
// Experimental.
ConsumerSecret *string `field:"required" json:"consumerSecret" yaml:"consumerSecret"`
}
Login Provider for Identity Federation using Digits Credentials.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
identityPoolDigitsLoginProvider := &identityPoolDigitsLoginProvider{
consumerKey: jsii.String("consumerKey"),
consumerSecret: jsii.String("consumerSecret"),
}
Experimental.
type IdentityPoolFacebookLoginProvider ¶
type IdentityPoolFacebookLoginProvider struct {
// App Id for Facebook Identity Federation.
// Experimental.
AppId *string `field:"required" json:"appId" yaml:"appId"`
}
Login Provider for Identity Federation using Facebook Credentials.
Example:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("amzn1.application.12312k3j234j13rjiwuenf"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("1234567890123"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("com.myappleapp.auth"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("my-twitter-id"),
consumerSecret: jsii.String("my-twitter-secret"),
},
},
})
Experimental.
type IdentityPoolGoogleLoginProvider ¶
type IdentityPoolGoogleLoginProvider struct {
// App Id for Google Identity Federation.
// Experimental.
ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
}
Login Provider for Identity Federation using Google Credentials.
Example:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("amzn1.application.12312k3j234j13rjiwuenf"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("1234567890123"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("com.myappleapp.auth"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("my-twitter-id"),
consumerSecret: jsii.String("my-twitter-secret"),
},
},
})
Experimental.
type IdentityPoolProps ¶
type IdentityPoolProps struct {
// Enables the Basic (Classic) authentication flow.
// Experimental.
AllowClassicFlow *bool `field:"optional" json:"allowClassicFlow" yaml:"allowClassicFlow"`
// Wwhether the identity pool supports unauthenticated logins.
// Experimental.
AllowUnauthenticatedIdentities *bool `field:"optional" json:"allowUnauthenticatedIdentities" yaml:"allowUnauthenticatedIdentities"`
// The Default Role to be assumed by Authenticated Users.
// Experimental.
AuthenticatedRole awsiam.IRole `field:"optional" json:"authenticatedRole" yaml:"authenticatedRole"`
// Authentication providers for using in identity pool.
// Experimental.
AuthenticationProviders *IdentityPoolAuthenticationProviders `field:"optional" json:"authenticationProviders" yaml:"authenticationProviders"`
// The name of the Identity Pool.
// Experimental.
IdentityPoolName *string `field:"optional" json:"identityPoolName" yaml:"identityPoolName"`
// Rules for mapping roles to users.
// Experimental.
RoleMappings *[]*IdentityPoolRoleMapping `field:"optional" json:"roleMappings" yaml:"roleMappings"`
// The Default Role to be assumed by Unauthenticated Users.
// Experimental.
UnauthenticatedRole awsiam.IRole `field:"optional" json:"unauthenticatedRole" yaml:"unauthenticatedRole"`
}
Props for the IdentityPool construct.
Example:
var openIdConnectProvider openIdConnectProvider
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
openIdConnectProviders: []iOpenIdConnectProvider{
openIdConnectProvider,
},
customProvider: jsii.String("my-custom-provider.example.com"),
},
})
Experimental.
type IdentityPoolProviderType ¶
type IdentityPoolProviderType string
Types of Identity Pool Login Providers. Experimental.
const ( // Facebook Provider type. // Experimental. IdentityPoolProviderType_FACEBOOK IdentityPoolProviderType = "FACEBOOK" // Google Provider Type. // Experimental. IdentityPoolProviderType_GOOGLE IdentityPoolProviderType = "GOOGLE" // Amazon Provider Type. // Experimental. IdentityPoolProviderType_AMAZON IdentityPoolProviderType = "AMAZON" // Apple Provider Type. // Experimental. IdentityPoolProviderType_APPLE IdentityPoolProviderType = "APPLE" // Twitter Provider Type. // Experimental. IdentityPoolProviderType_TWITTER IdentityPoolProviderType = "TWITTER" // Digits Provider Type. // Experimental. IdentityPoolProviderType_DIGITS IdentityPoolProviderType = "DIGITS" // Open Id Provider Type. // Experimental. IdentityPoolProviderType_OPEN_ID IdentityPoolProviderType = "OPEN_ID" // Saml Provider Type. // Experimental. IdentityPoolProviderType_SAML IdentityPoolProviderType = "SAML" // User Pool Provider Type. // Experimental. IdentityPoolProviderType_USER_POOL IdentityPoolProviderType = "USER_POOL" // Custom Provider Type. // Experimental. IdentityPoolProviderType_CUSTOM IdentityPoolProviderType = "CUSTOM" )
type IdentityPoolProviderUrl ¶
type IdentityPoolProviderUrl interface {
// type of Provider Url.
// Experimental.
Type() IdentityPoolProviderType
// value of Provider Url.
// Experimental.
Value() *string
}
Keys for Login Providers - correspond to client id's of respective federation identity providers.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl.userPool(jsii.String("cognito-idp.my-idp-region.amazonaws.com/my-idp-region_abcdefghi:app_client_id")),
useToken: jsii.Boolean(true),
},
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl.custom(jsii.String("my-custom-provider.com")),
useToken: jsii.Boolean(true),
},
},
})
Experimental.
func IdentityPoolProviderUrl_AMAZON ¶
func IdentityPoolProviderUrl_AMAZON() IdentityPoolProviderUrl
func IdentityPoolProviderUrl_APPLE ¶
func IdentityPoolProviderUrl_APPLE() IdentityPoolProviderUrl
func IdentityPoolProviderUrl_Custom ¶
func IdentityPoolProviderUrl_Custom(url *string) IdentityPoolProviderUrl
Custom Provider Url. Experimental.
func IdentityPoolProviderUrl_DIGITS ¶
func IdentityPoolProviderUrl_DIGITS() IdentityPoolProviderUrl
func IdentityPoolProviderUrl_FACEBOOK ¶
func IdentityPoolProviderUrl_FACEBOOK() IdentityPoolProviderUrl
func IdentityPoolProviderUrl_GOOGLE ¶
func IdentityPoolProviderUrl_GOOGLE() IdentityPoolProviderUrl
func IdentityPoolProviderUrl_OpenId ¶
func IdentityPoolProviderUrl_OpenId(url *string) IdentityPoolProviderUrl
OpenId Provider Url. Experimental.
func IdentityPoolProviderUrl_Saml ¶
func IdentityPoolProviderUrl_Saml(url *string) IdentityPoolProviderUrl
Saml Provider Url. Experimental.
func IdentityPoolProviderUrl_TWITTER ¶
func IdentityPoolProviderUrl_TWITTER() IdentityPoolProviderUrl
func IdentityPoolProviderUrl_UserPool ¶
func IdentityPoolProviderUrl_UserPool(url *string) IdentityPoolProviderUrl
User Pool Provider Url. Experimental.
func NewIdentityPoolProviderUrl ¶
func NewIdentityPoolProviderUrl(type_ IdentityPoolProviderType, value *string) IdentityPoolProviderUrl
Experimental.
type IdentityPoolProviders ¶
type IdentityPoolProviders struct {
// App Id for Amazon Identity Federation.
// Experimental.
Amazon *IdentityPoolAmazonLoginProvider `field:"optional" json:"amazon" yaml:"amazon"`
// Services Id for Apple Identity Federation.
// Experimental.
Apple *IdentityPoolAppleLoginProvider `field:"optional" json:"apple" yaml:"apple"`
// Consumer Key and Secret for Digits Identity Federation.
// Experimental.
Digits *IdentityPoolDigitsLoginProvider `field:"optional" json:"digits" yaml:"digits"`
// App Id for Facebook Identity Federation.
// Experimental.
Facebook *IdentityPoolFacebookLoginProvider `field:"optional" json:"facebook" yaml:"facebook"`
// Client Id for Google Identity Federation.
// Experimental.
Google *IdentityPoolGoogleLoginProvider `field:"optional" json:"google" yaml:"google"`
// Consumer Key and Secret for Twitter Identity Federation.
// Experimental.
Twitter *IdentityPoolTwitterLoginProvider `field:"optional" json:"twitter" yaml:"twitter"`
}
External Identity Providers To Connect to User Pools and Identity Pools.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
identityPoolProviders := &identityPoolProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("appId"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("servicesId"),
},
digits: &identityPoolDigitsLoginProvider{
consumerKey: jsii.String("consumerKey"),
consumerSecret: jsii.String("consumerSecret"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("appId"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("clientId"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("consumerKey"),
consumerSecret: jsii.String("consumerSecret"),
},
}
Experimental.
type IdentityPoolRoleAttachment ¶
type IdentityPoolRoleAttachment interface {
awscdk.Resource
IIdentityPoolRoleAttachment
// The environment this resource belongs to.
//
// For resources that are created and managed by the CDK
// (generally, those created by creating new class instances like Role, Bucket, etc.),
// this is always the same as the environment of the stack they belong to;
// however, for imported resources
// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
// that might be different than the stack they were imported into.
// Experimental.
Env() *awscdk.ResourceEnvironment
// Id of the underlying identity pool.
// Experimental.
IdentityPoolId() *string
// The construct tree node associated with this construct.
// Experimental.
Node() awscdk.ConstructNode
// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
//
// This value will resolve to one of the following:
// - a concrete value (e.g. `"my-awesome-bucket"`)
// - `undefined`, when a name should be generated by CloudFormation
// - a concrete name generated automatically during synthesis, in
// cross-environment scenarios.
// Experimental.
PhysicalName() *string
// The stack in which this resource is defined.
// Experimental.
Stack() awscdk.Stack
// Apply the given removal policy to this resource.
//
// The Removal Policy controls what happens to this resource when it stops
// being managed by CloudFormation, either because you've removed it from the
// CDK application or because you've made a change that requires the resource
// to be replaced.
//
// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
// Experimental.
ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
// Experimental.
GeneratePhysicalName() *string
// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
//
// Normally, this token will resolve to `arnAttr`, but if the resource is
// referenced across environments, `arnComponents` will be used to synthesize
// a concrete ARN with the resource's physical name. Make sure to reference
// `this.physicalName` in `arnComponents`.
// Experimental.
GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
//
// Normally, this token will resolve to `nameAttr`, but if the resource is
// referenced across environments, it will be resolved to `this.physicalName`,
// which will be a concrete name.
// Experimental.
GetResourceNameAttribute(nameAttr *string) *string
// Perform final modifications before synthesis.
//
// This method can be implemented by derived constructs in order to perform
// final changes before synthesis. prepare() will be called after child
// constructs have been prepared.
//
// This is an advanced framework feature. Only use this if you
// understand the implications.
// Experimental.
OnPrepare()
// Allows this construct to emit artifacts into the cloud assembly during synthesis.
//
// This method is usually implemented by framework-level constructs such as `Stack` and `Asset`
// as they participate in synthesizing the cloud assembly.
// Experimental.
OnSynthesize(session constructs.ISynthesisSession)
// Validate the current construct.
//
// This method can be implemented by derived constructs in order to perform
// validation logic. It is called on all constructs before synthesis.
//
// Returns: An array of validation error messages, or an empty array if the construct is valid.
// Experimental.
OnValidate() *[]*string
// Perform final modifications before synthesis.
//
// This method can be implemented by derived constructs in order to perform
// final changes before synthesis. prepare() will be called after child
// constructs have been prepared.
//
// This is an advanced framework feature. Only use this if you
// understand the implications.
// Experimental.
Prepare()
// Allows this construct to emit artifacts into the cloud assembly during synthesis.
//
// This method is usually implemented by framework-level constructs such as `Stack` and `Asset`
// as they participate in synthesizing the cloud assembly.
// Experimental.
Synthesize(session awscdk.ISynthesisSession)
// Returns a string representation of this construct.
// Experimental.
ToString() *string
// Validate the current construct.
//
// This method can be implemented by derived constructs in order to perform
// validation logic. It is called on all constructs before synthesis.
//
// Returns: An array of validation error messages, or an empty array if the construct is valid.
// Experimental.
Validate() *[]*string
}
Defines an Identity Pool Role Attachment.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var identityPool identityPool
var identityPoolProviderUrl identityPoolProviderUrl
var role role
identityPoolRoleAttachment := awscdk.Aws_cognito_identitypool.NewIdentityPoolRoleAttachment(this, jsii.String("MyIdentityPoolRoleAttachment"), &identityPoolRoleAttachmentProps{
identityPool: identityPool,
// the properties below are optional
authenticatedRole: role,
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: identityPoolProviderUrl,
// the properties below are optional
resolveAmbiguousRoles: jsii.Boolean(false),
rules: []roleMappingRule{
&roleMappingRule{
claim: jsii.String("claim"),
claimValue: jsii.String("claimValue"),
mappedRole: role,
// the properties below are optional
matchType: awscdk.*Aws_cognito_identitypool.roleMappingMatchType_EQUALS,
},
},
useToken: jsii.Boolean(false),
},
},
unauthenticatedRole: role,
})
Experimental.
func NewIdentityPoolRoleAttachment ¶
func NewIdentityPoolRoleAttachment(scope constructs.Construct, id *string, props *IdentityPoolRoleAttachmentProps) IdentityPoolRoleAttachment
Experimental.
type IdentityPoolRoleAttachmentProps ¶
type IdentityPoolRoleAttachmentProps struct {
// Id of the Attachments Underlying Identity Pool.
// Experimental.
IdentityPool IIdentityPool `field:"required" json:"identityPool" yaml:"identityPool"`
// Default Authenticated (User) Role.
// Experimental.
AuthenticatedRole awsiam.IRole `field:"optional" json:"authenticatedRole" yaml:"authenticatedRole"`
// Rules for mapping roles to users.
// Experimental.
RoleMappings *[]*IdentityPoolRoleMapping `field:"optional" json:"roleMappings" yaml:"roleMappings"`
// Default Unauthenticated (Guest) Role.
// Experimental.
UnauthenticatedRole awsiam.IRole `field:"optional" json:"unauthenticatedRole" yaml:"unauthenticatedRole"`
}
Props for an Identity Pool Role Attachment.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var identityPool identityPool
var identityPoolProviderUrl identityPoolProviderUrl
var role role
identityPoolRoleAttachmentProps := &identityPoolRoleAttachmentProps{
identityPool: identityPool,
// the properties below are optional
authenticatedRole: role,
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: identityPoolProviderUrl,
// the properties below are optional
resolveAmbiguousRoles: jsii.Boolean(false),
rules: []roleMappingRule{
&roleMappingRule{
claim: jsii.String("claim"),
claimValue: jsii.String("claimValue"),
mappedRole: role,
// the properties below are optional
matchType: awscdk.Aws_cognito_identitypool.roleMappingMatchType_EQUALS,
},
},
useToken: jsii.Boolean(false),
},
},
unauthenticatedRole: role,
}
Experimental.
type IdentityPoolRoleMapping ¶
type IdentityPoolRoleMapping struct {
// The url of the provider of for which the role is mapped.
// Experimental.
ProviderUrl IdentityPoolProviderUrl `field:"required" json:"providerUrl" yaml:"providerUrl"`
// Allow for role assumption when results of role mapping are ambiguous.
// Experimental.
ResolveAmbiguousRoles *bool `field:"optional" json:"resolveAmbiguousRoles" yaml:"resolveAmbiguousRoles"`
// The claim and value that must be matched in order to assume the role.
//
// Required if useToken is false.
// Experimental.
Rules *[]*RoleMappingRule `field:"optional" json:"rules" yaml:"rules"`
// If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from identity provider.
// See: https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
//
// Experimental.
UseToken *bool `field:"optional" json:"useToken" yaml:"useToken"`
}
Map roles to users in the identity pool based on claims from the Identity Provider.
Example:
import "github.com/aws/aws-cdk-go/awscdk" var identityPool identityPool var myAddedRoleMapping1 identityPoolRoleMapping var myAddedRoleMapping2 identityPoolRoleMapping var myAddedRoleMapping3 identityPoolRoleMapping identityPool.addRoleMappings(myAddedRoleMapping1, myAddedRoleMapping2, myAddedRoleMapping3)
Experimental.
type IdentityPoolTwitterLoginProvider ¶
type IdentityPoolTwitterLoginProvider struct {
// App Id for Twitter Identity Federation.
// Experimental.
ConsumerKey *string `field:"required" json:"consumerKey" yaml:"consumerKey"`
// App Secret for Twitter Identity Federation.
// Experimental.
ConsumerSecret *string `field:"required" json:"consumerSecret" yaml:"consumerSecret"`
}
Login Provider for Identity Federation using Twitter Credentials.
Example:
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
authenticationProviders: &identityPoolAuthenticationProviders{
amazon: &identityPoolAmazonLoginProvider{
appId: jsii.String("amzn1.application.12312k3j234j13rjiwuenf"),
},
facebook: &identityPoolFacebookLoginProvider{
appId: jsii.String("1234567890123"),
},
google: &identityPoolGoogleLoginProvider{
clientId: jsii.String("12345678012.apps.googleusercontent.com"),
},
apple: &identityPoolAppleLoginProvider{
servicesId: jsii.String("com.myappleapp.auth"),
},
twitter: &identityPoolTwitterLoginProvider{
consumerKey: jsii.String("my-twitter-id"),
consumerSecret: jsii.String("my-twitter-secret"),
},
},
})
Experimental.
type RoleMappingMatchType ¶
type RoleMappingMatchType string
Types of matches allowed for Role Mapping.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
var adminRole role
var nonAdminRole role
awscdk.NewIdentityPool(this, jsii.String("myidentitypool"), &identityPoolProps{
identityPoolName: jsii.String("myidentitypool"),
// Assign specific roles to users based on whether or not the custom admin claim is passed from the identity provider
roleMappings: []identityPoolRoleMapping{
&identityPoolRoleMapping{
providerUrl: awscdk.IdentityPoolProviderUrl_AMAZON(),
rules: []roleMappingRule{
&roleMappingRule{
claim: jsii.String("custom:admin"),
claimValue: jsii.String("admin"),
mappedRole: adminRole,
},
&roleMappingRule{
claim: jsii.String("custom:admin"),
claimValue: jsii.String("admin"),
matchType: awscdk.RoleMappingMatchType_NOTEQUAL,
mappedRole: nonAdminRole,
},
},
},
},
})
Experimental.
const ( // The Claim from the token must equal the given value in order for a match. // Experimental. RoleMappingMatchType_EQUALS RoleMappingMatchType = "EQUALS" // The Claim from the token must contain the given value in order for a match. // Experimental. RoleMappingMatchType_CONTAINS RoleMappingMatchType = "CONTAINS" // The Claim from the token must start with the given value in order for a match. // Experimental. RoleMappingMatchType_STARTS_WITH RoleMappingMatchType = "STARTS_WITH" // The Claim from the token must not equal the given value in order for a match. // Experimental. RoleMappingMatchType_NOTEQUAL RoleMappingMatchType = "NOTEQUAL" )
type RoleMappingRule ¶
type RoleMappingRule struct {
// The key sent in the token by the federated identity provider.
// Experimental.
Claim *string `field:"required" json:"claim" yaml:"claim"`
// The value of the claim that must be matched.
// Experimental.
ClaimValue *string `field:"required" json:"claimValue" yaml:"claimValue"`
// The Role to be assumed when Claim Value is matched.
// Experimental.
MappedRole awsiam.IRole `field:"required" json:"mappedRole" yaml:"mappedRole"`
// How to match with the Claim value.
// Experimental.
MatchType RoleMappingMatchType `field:"optional" json:"matchType" yaml:"matchType"`
}
Represents an Identity Pool Role Attachment Role Mapping Rule.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var role role
roleMappingRule := &roleMappingRule{
claim: jsii.String("claim"),
claimValue: jsii.String("claimValue"),
mappedRole: role,
// the properties below are optional
matchType: awscdk.Aws_cognito_identitypool.roleMappingMatchType_EQUALS,
}
Experimental.
type UserPoolAuthenticationProvider ¶
type UserPoolAuthenticationProvider interface {
IUserPoolAuthenticationProvider
// The method called when a given User Pool Authentication Provider is added (for the first time) to an Identity Pool.
// Experimental.
Bind(scope constructs.Construct, identityPool IIdentityPool, _options *UserPoolAuthenticationProviderBindOptions) *UserPoolAuthenticationProviderBindConfig
}
Defines a User Pool Authentication Provider.
Example:
var identityPool identityPool
userPool := cognito.NewUserPool(this, jsii.String("Pool"))
identityPool.addUserPoolAuthentication(awscdk.NewUserPoolAuthenticationProvider(&userPoolAuthenticationProviderProps{
userPool: userPool,
disableServerSideTokenCheck: jsii.Boolean(true),
}))
Experimental.
func NewUserPoolAuthenticationProvider ¶
func NewUserPoolAuthenticationProvider(props *UserPoolAuthenticationProviderProps) UserPoolAuthenticationProvider
Experimental.
type UserPoolAuthenticationProviderBindConfig ¶
type UserPoolAuthenticationProviderBindConfig struct {
// Client Id of the Associated User Pool Client.
// Experimental.
ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
// The identity providers associated with the UserPool.
// Experimental.
ProviderName *string `field:"required" json:"providerName" yaml:"providerName"`
// Whether to enable the identity pool's server side token check.
// Experimental.
ServerSideTokenCheck *bool `field:"required" json:"serverSideTokenCheck" yaml:"serverSideTokenCheck"`
}
Represents a UserPoolAuthenticationProvider Bind Configuration.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
userPoolAuthenticationProviderBindConfig := &userPoolAuthenticationProviderBindConfig{
clientId: jsii.String("clientId"),
providerName: jsii.String("providerName"),
serverSideTokenCheck: jsii.Boolean(false),
}
Experimental.
type UserPoolAuthenticationProviderBindOptions ¶
type UserPoolAuthenticationProviderBindOptions struct {
}
Represents UserPoolAuthenticationProvider Bind Options.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
userPoolAuthenticationProviderBindOptions := &userPoolAuthenticationProviderBindOptions{
}
Experimental.
type UserPoolAuthenticationProviderProps ¶
type UserPoolAuthenticationProviderProps struct {
// The User Pool of the Associated Identity Providers.
// Experimental.
UserPool awscognito.IUserPool `field:"required" json:"userPool" yaml:"userPool"`
// Setting this to true turns off identity pool checks for this user pool to make sure the user has not been globally signed out or deleted before the identity pool provides an OIDC token or AWS credentials for the user.
// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html
//
// Experimental.
DisableServerSideTokenCheck *bool `field:"optional" json:"disableServerSideTokenCheck" yaml:"disableServerSideTokenCheck"`
// The User Pool Client for the provided User Pool.
// Experimental.
UserPoolClient awscognito.IUserPoolClient `field:"optional" json:"userPoolClient" yaml:"userPoolClient"`
}
Props for the User Pool Authentication Provider.
Example:
var identityPool identityPool
userPool := cognito.NewUserPool(this, jsii.String("Pool"))
identityPool.addUserPoolAuthentication(awscdk.NewUserPoolAuthenticationProvider(&userPoolAuthenticationProviderProps{
userPool: userPool,
disableServerSideTokenCheck: jsii.Boolean(true),
}))
Experimental.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.