Terraform-provider-aws: Cognito Identity Pool - Authentication Providers - Authenticated role selection missing

Created on 22 Nov 2018 · 3 Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @Alexis2000 as hashicorp/terraform#19438. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.11.10
provider.aws v1.45.0

Terraform Configuration Files

resource "aws_cognito_identity_pool" "some_identity_pool" {
  identity_pool_name = "Some Identity Pool"
  allow_unauthenticated_identities = false

  cognito_identity_providers {
    client_id               = "${aws_cognito_user_pool_client.app-client.id}"
    provider_name           = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.some-user-pool.id}"
    server_side_token_check = true
  }
}

Expected Behaviour

I have to be able to set configuration options for Authenticated Role selection and in particular the settings for 'Choose role from token' and within that 'use default authentication role'.

Actual Behaviour

I can only define the user-pool-id and client-id and server_side_token_check here. The 'Choose role from token' and within that 'use default authentication role' seem to be entirely absent. These options are given to me in the AWS console but not in Terraform.

Labels: documentation, service/cognito

All 3 comments

I've spent some more time on this and figured out that it can be configured within the aws_cognito_identity_pool_roles_attachment. Below is an example:

resource "aws_cognito_identity_pool_roles_attachment" "aws_cognito_identity_pool_roles_attachment" {
  identity_pool_id = "${aws_cognito_identity_pool.your_identity_pool.id}"
  role_mapping {
    identity_provider = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.your-user-pool.id}:${aws_cognito_user_pool_client.your_app_client.id}"
    type = "Token"
    ambiguous_role_resolution = "Deny"
  }

  roles {
    "authenticated"   = "${aws_iam_role.your_cognito_authenticated.arn}"
  }
}

This can be closed I guess but it would be nice to add this and related cases to the Terraform documentation and examples.

I believe there's a typo above that will cause Terraform to error out with, "Argument names must be quoted."

Should be:

roles = {
  "authenticated" = "${aws_iam_role.your_cognito_authenticated.arn}"
}

Thanks for adding this example. I did find it surprising that aws_cognito_identity_pool_roles_attachment requires roles.authenticated to be set. In my case I'm also setting ambiguous_role_resolution = "Deny" and the AWS Console lets me proceed without any authenticated role defined.
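Pulling the three comments together, here is a complete Terraform 0.11-style configuration that wires a user pool to an identity pool with "Choose role from token" and `ambiguous_role_resolution = "Deny"`, uses the `roles = {` map syntax from the correction above, and still supplies the `authenticated` role the provider insists on. This is an added example, not code from the issue or from the provider's documentation; the resource names (`some_user_pool`, `app_client`, `some_identity_pool`, `cognito_authenticated`) and the region are assumed. The part the thread does not show is the trust policy on the authenticated role: scoping it to this identity pool's ID (`aud`) and to identities Cognito has marked `authenticated` (`amr`) is what keeps another identity pool, or an unauthenticated guest, from assuming the role.

```hcl
# Added example (not from the issue). Resource names and region are assumptions.

resource "aws_cognito_user_pool" "some_user_pool" {
  name = "some-user-pool"
}

resource "aws_cognito_user_pool_client" "app_client" {
  name         = "app-client"
  user_pool_id = "${aws_cognito_user_pool.some_user_pool.id}"
}

resource "aws_cognito_identity_pool" "some_identity_pool" {
  identity_pool_name               = "Some Identity Pool"
  allow_unauthenticated_identities = false

  cognito_identity_providers {
    client_id               = "${aws_cognito_user_pool_client.app_client.id}"
    provider_name           = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.some_user_pool.id}"
    server_side_token_check = true
  }
}

# Trust policy for the authenticated role: only this identity pool may assume
# it, and only for identities Cognito reports as authenticated.
data "aws_iam_policy_document" "cognito_authenticated_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = ["${aws_cognito_identity_pool.some_identity_pool.id}"]
    }

    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}

resource "aws_iam_role" "cognito_authenticated" {
  name               = "cognito-authenticated"
  assume_role_policy = "${data.aws_iam_policy_document.cognito_authenticated_trust.json}"
}

resource "aws_cognito_identity_pool_roles_attachment" "main" {
  identity_pool_id = "${aws_cognito_identity_pool.some_identity_pool.id}"

  # "Choose role from token": the role claims carried in the user pool token
  # select the IAM role. "Deny" rejects a token whose claims do not resolve to
  # exactly one role rather than falling back to the authenticated role below.
  role_mapping {
    identity_provider         = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.some_user_pool.id}:${aws_cognito_user_pool_client.app_client.id}"
    type                      = "Token"
    ambiguous_role_resolution = "Deny"
  }

  # roles is a map attribute in 0.11 syntax, so it takes "=" (see the
  # correction above). The provider requires "authenticated" to be set even
  # with Deny, which is the behaviour the last comment found surprising.
  roles = {
    "authenticated" = "${aws_iam_role.cognito_authenticated.arn}"
  }
}
```

With `Deny` in place the `authenticated` entry is only reached when the token's role claims resolve cleanly, so it is worth keeping that role's permissions minimal and reviewing its trust policy together with the role mapping rather than treating it as a harmless placeholder.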
