I followed the Pulumi Cognito.IdentityPool docs but could not link the Identity Pool with the Role using an attachment. This should be very easy: create Identity Pool, create Role, attach Role to Identity Pool. Simple. Unfortunately the code in the Pulumi docs does not get this far; something is missing. Here is my code:
import * as aws from '@pulumi/aws'
import { Stack, cognito, region } from '../../config'
const userPool = cognito.userPools[REDACTED]
// Provider name in the form Cognito Identity uses for a Cognito User Pool provider.
// NOTE(review): this only works if `region` and `userPool.poolId` are plain strings;
// if either is a pulumi Output, a template literal cannot resolve it — confirm against ../../config.
const providerName = `cognito-idp.${region}.amazonaws.com/${userPool.poolId}`
// Cognito User Pool provider that this identity pool federates against.
const userPoolProvider = {
  providerName,
  clientId: userPool.clientId,
  // false: Cognito Identity does not re-validate the token against the user pool on
  // each credentials call. NOTE(review): consider true so that disabled or signed-out
  // users are refused credentials promptly — confirm the trade-off is acceptable.
  serverSideTokenCheck: false,
}

// Identity pool: authenticated identities only (no guest access), classic (basic) auth flow disabled.
export const swimmingPool = new aws.cognito.IdentityPool(REDACTED, {
  identityPoolName: 'stuff!',
  allowUnauthenticatedIdentities: false,
  allowClassicFlow: false,
  cognitoIdentityProviders: [userPoolProvider],
})
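// IAM role that authenticated identities from `swimmingPool` will assume.
//
// Cognito Identity hands out credentials via sts:AssumeRoleWithWebIdentity, but
// aws.iam.assumeRolePolicyForPrincipal emits a trust statement for sts:AssumeRole
// only, so the role could never actually be assumed by federated users. The trust
// policy is written out explicitly instead, and:
//   - the `aud` condition pins the trust to THIS identity pool, so no other pool
//     (in this or any other account) can federate into the role;
//   - the `amr` condition limits it to authenticated identities, matching
//     allowUnauthenticatedIdentities: false on the pool.
// The policy is built from the pool id via .apply so the resource dependency is explicit.
export const role = new aws.iam.Role(REDACTED, {
  assumeRolePolicy: swimmingPool.id.apply(poolId => JSON.stringify({
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': poolId },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
      },
    }],
  })),
})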
// Permissions granted to every authenticated identity (inline policy on `role`).
// NOTE(review): `Resource: '*'` with s3:PutObject/s3:GetObject lets any signed-in
// user read and write every bucket in the account (subject only to bucket policies),
// and cognito-identity:* / cognito-sync:* on '*' go well beyond what an end-user
// client needs. Scope the S3 actions to the intended bucket/prefix (a per-identity
// prefix is the usual pattern) and list only the Cognito actions the client calls.
const authenticatedUserPolicy: aws.iam.PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: [
      'cognito-sync:*',
      'cognito-identity:*',
      's3:PutObject',
      's3:GetObject',
    ],
    Resource: '*',
  }],
}

export const policy = new aws.iam.RolePolicy(REDACTED, {
  role: role.id,
  policy: authenticatedUserPolicy,
})
// Provider id for the user pool *client* (provider name plus ':clientId'), which is
// the key role mappings are looked up by.
const userPoolClientProvider = `${providerName}:${userPool.clientId}`

// Binds `role` to the identity pool. Only an authenticated role is set, which is
// consistent with allowUnauthenticatedIdentities: false on the pool.
export const roleAttachment = new aws.cognito.IdentityPoolRoleAttachment(REDACTED, {
  identityPoolId: swimmingPool.id,
  roles: { authenticated: role.arn },
  roleMappings: [{
    identityProvider: userPoolClientProvider,
    type: 'Rules',
    // NOTE(review): with AuthenticatedRole as the fallback, identities whose token
    // matches no rule still receive the default authenticated role, and the single
    // rule below maps to that same role — so the isAdmin == 'paid' rule does not
    // gate anything as written; confirm this is intended.
    ambiguousRoleResolution: 'AuthenticatedRole',
    mappingRules: [{
      claim: 'isAdmin',
      matchType: 'Equals',
      value: 'paid',
      roleArn: role.arn,
    }],
  }],
})
I was expecting to see the Role attached in the AWS Console when I view the Identity Pool, but the message "You have not specified roles for this identity pool. Click here to fix it." appears instead. What has to be done to attach the attachment that I attached?