3

I have this role attachment resource that, as is, deploys just fine:

```yaml
CognitoIdentityPoolRoleAttachment:
  DependsOn: [ CognitoIdentityPool, CognitoIdentityPoolAuthRole, CognitoIdentityPoolUnauthRole ]
  Type: "AWS::Cognito::IdentityPoolRoleAttachment"
  Properties:
    IdentityPoolId: !Ref CognitoIdentityPool
    RoleMappings:
      'cognito-idp.us-west-2.amazonaws.com/us-west-2_naEXQTLxD:44rd7mu8dncna2kqimd74f7u98':
        Type: Token
        AmbiguousRoleResolution: AuthenticatedRole
    Roles:
      unauthenticated: !GetAtt CognitoIdentityPoolUnauthRole.Arn
      authenticated: !GetAtt CognitoIdentityPoolAuthRole.Arn
```

However, as you can see, I have a `RoleMappings` property that is actually my CognitoUserPool ProviderName appended to my Cognito User Pool Client ID, so I need this property to have a dynamic name.

Looking over the docs, however, I can't find a way to actually use intrinsic functions on an object key. When I try this:

```yaml
  RoleMappings:
    !Sub '${CognitoUserPool.ProviderName}:${CognitoUserPoolClient}':
      Type: Token
      AmbiguousRoleResolution: AuthenticatedRole
```

I get an invalid template error. Is there a special syntax I'm missing that allows you to define keys instead of properties? Or am I going to have to do this some other way?

Turner Houghton
  • I think the simplest solution here would be to generate the template using an external script. You can also try creating a custom resource that generates the template and then create a stack from that template with `AWS::CloudFormation::Stack` and the result of that resource. – kichik Feb 26 '18 at 19:00
  • Duplicate of https://stackoverflow.com/questions/45107620/how-to-set-a-dynamic-rolemappings-key-for-a-indentitypoolroleattachment-in-cloud – spg Feb 26 '18 at 19:05

1 Answer

4

There is no way to do this out of the box using CloudFormation. However, this thread suggests a workaround involving a Lambda-backed custom resource.

spg
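
One shape the Lambda-backed custom resource mentioned in the answer could take, as an added example that is not code from the linked thread or from either poster. The template would pass `!GetAtt CognitoUserPool.ProviderName` and `!Ref CognitoUserPoolClient` as ordinary property values, where intrinsic functions are allowed, and the handler builds the mapping key at deploy time. The property names `ProviderName`, `ClientId`, `IdentityPoolId` and `Roles`, the fallback physical ID and the key regex are assumptions.

```python
import json
import re
import urllib.request

# Assumed key shape, taken from the question: <ProviderName>:<UserPoolClientId>
KEY_RE = re.compile(
    r"cognito-idp\.[a-z0-9-]+\.amazonaws\.com/[\w-]+_[0-9A-Za-z]+:[\w+]+")


def build_request(props):
    """Map custom-resource properties (hypothetical names) to the arguments
    of the cognito-identity SetIdentityPoolRoles call."""
    key = f"{props['ProviderName']}:{props['ClientId']}"
    if not KEY_RE.fullmatch(key):  # refuse to attach roles to an unexpected provider
        raise ValueError(f"unexpected role-mapping key: {key!r}")
    return {
        "IdentityPoolId": props["IdentityPoolId"],
        "Roles": props["Roles"],
        "RoleMappings": {key: {"Type": "Token",
                               "AmbiguousRoleResolution": "AuthenticatedRole"}},
    }


def response_body(event, status, reason=""):
    """Build the JSON document CloudFormation expects at ResponseURL."""
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch Logs",
        "PhysicalResourceId": event.get("PhysicalResourceId", "role-attachment"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }


def handler(event, context):
    status, reason = "SUCCESS", ""
    try:
        if event["RequestType"] in ("Create", "Update"):
            import boto3  # provided by the Lambda Python runtime
            boto3.client("cognito-identity").set_identity_pool_roles(
                **build_request(event["ResourceProperties"]))
        # Delete is a no-op here (assumption: the pool is removed with the stack).
    except Exception as exc:  # always answer, or the stack waits for a timeout
        status, reason = "FAILED", str(exc)
    body = json.dumps(response_body(event, status, reason)).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)
```

The function's execution role needs `cognito-identity:SetIdentityPoolRoles` plus `iam:PassRole`, and the latter is best scoped to the two role ARNs being attached rather than `*`.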