
@ttoss/cloud-auth

A library for creating AWS Cognito resources as a CloudFormation template. It creates a user pool, an identity pool, an app client, and related resources such as the IAM roles and policies attached to the identity pool.

Installation

pnpm add @ttoss/cloud-auth

Quickstart

Create a cloudformation.ts file in your project and export the template:

import { createAuthTemplate } from '@ttoss/cloud-auth';

const template = createAuthTemplate();

export default template;

Usage

Identity Pool

Create a basic identity pool

const template = createAuthTemplate({
identityPool: {
enabled: true, // false by default
name: 'MyIdentityPool',
allowUnauthenticatedIdentities: false, // false by default
},
});

Create an identity pool that uses existing IAM roles (the library does not create roles in this case; it attaches the ARNs you pass as the authenticated and unauthenticated roles)

const template = createAuthTemplate({
identityPool: {
enabled: true,
authenticatedRoleArn:
'arn:aws:iam::123456789012:role/MyIdentityPool_AuthenticatedRole',
unauthenticatedRoleArn:
'arn:aws:iam::123456789012:role/MyIdentityPool_UnauthenticatedRole',
},
});

Create an identity pool with inline policies (the library creates the authenticated and unauthenticated roles and attaches these policy documents to them)

const template = createAuthTemplate({
identityPool: {
enabled: true,
authenticatedPolicies: [
{
policyName: 'MyIdentityPool_AuthenticatedPolicy',
policyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
Resource: ['*'],
},
],
},
},
],
unauthenticatedPolicies: [
{
policyName: 'MyIdentityPool_UnauthenticatedPolicy',
policyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Deny',
Action: ['*'],
Resource: ['*'],
},
],
},
},
],
},
});

Using attributes for access control

When the identity pool is enabled, the library configures the following principal tag mapping by default. Each entry maps a principal tag name to the ID-token claim whose value it takes, so the app client ID (`aud`) and the user's subject (`sub`) become session tags on the temporary credentials:

PrincipalTags:
appClientId: 'aud'
userId: 'sub'

You can then reference the appClientId and userId tags as `aws:PrincipalTag` policy variables in the IAM policies attached to the identity pool roles, which scopes a single policy to each user's own resources. The following policy, for example, only allows reading objects from buckets whose name ends with the caller's own user ID:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::*-${aws:PrincipalTag/userId}/*"
}
]
}

You can replace the default mapping by passing the principalTags property. Keys are the tag names to expose in IAM and values are the token claims to read them from, so any claim present in the ID token can be used:

const template = createAuthTemplate({
identityPool: {
enabled: true,
principalTags: {
appId: 'aud',
username: 'sub',
name: 'name',
},
},
});

To disable principal tag mapping entirely, set principalTags to false. Note that any policy that references `${aws:PrincipalTag/...}` will then never match, because IAM treats a statement with an unresolved policy variable as not applying, and the request falls through to the implicit deny:

const template = createAuthTemplate({
identityPool: {
enabled: true,
principalTags: false,
},
});
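The following TypeScript is an added example, not code from @ttoss/cloud-auth, that models the mechanism this section describes end to end: the claim-to-tag mapping (the default `{ appClientId: 'aud', userId: 'sub' }`, a custom mapping, and `principalTags: false`), substitution of `${aws:PrincipalTag/<tag>}` variables in a Resource pattern, and IAM's evaluation order (an explicit Deny always wins, otherwise any matching Allow, otherwise implicit deny). It also exercises the deny-all unauthenticated policy from the inline policies section above. All claims, ARNs and policy documents are constructed sample data, and the evaluator is a deliberately small model of IAM, not a replacement for the IAM policy simulator.

```typescript
// Added example, not part of @ttoss/cloud-auth: a small model of how identity-pool
// principal tags reach IAM policies. Claims, ARNs and policies are constructed data.

type Claims = Record<string, string>;
type Tags = Record<string, string>;
type PrincipalTagMap = Record<string, string> | false;

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// The mapping the page documents as the library default (tag name -> token claim).
export const DEFAULT_PRINCIPAL_TAGS: PrincipalTagMap = { appClientId: 'aud', userId: 'sub' };

// Derive a session's principal tags from its ID-token claims.
export const tagsFromClaims = (claims: Claims, mapping: PrincipalTagMap): Tags => {
  if (mapping === false) return {}; // principalTags: false -> no tags at all
  const tags: Tags = {};
  for (const [tag, claim] of Object.entries(mapping)) {
    if (claims[claim] !== undefined) tags[tag] = claims[claim];
  }
  return tags;
};

// Substitute ${aws:PrincipalTag/<tag>} variables. Returns null when any variable has
// no value: IAM then treats the statement as not matching, so access fails closed.
export const resolveVariables = (pattern: string, tags: Tags): string | null => {
  let unresolved = false;
  const resolved = pattern.replace(
    /\$\{aws:PrincipalTag\/([A-Za-z0-9_:+=.@-]+)\}/g,
    (_match, tag: string) => {
      if (tags[tag] === undefined) { unresolved = true; return ''; }
      return tags[tag];
    },
  );
  return unresolved ? null : resolved;
};

const escapeRegex = (s: string): string => s.replace(/[.+^${}()|[\]\\]/g, '\\$&');

// IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
const wildcardMatch = (pattern: string, value: string): boolean => {
  const body = pattern
    .split('*')
    .map((chunk) => chunk.split('?').map(escapeRegex).join('.'))
    .join('.*');
  return new RegExp(`^${body}$`).test(value);
};

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Evaluate one request against one policy. Action matching is case-insensitive and
// resource matching case-sensitive, as in IAM; an explicit Deny cannot be overridden.
export const isAllowed = (policy: PolicyDocument, tags: Tags, action: string, resource: string): boolean => {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = asList(st.Action).some((a) => wildcardMatch(a.toLowerCase(), action.toLowerCase()));
    if (!actionHit) continue;
    const resourceHit = asList(st.Resource).some((r) => {
      const resolved = resolveVariables(r, tags);
      return resolved !== null && wildcardMatch(resolved, resource);
    });
    if (!resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
};

// Constructed policies: the per-user S3 read policy from this page and the
// deny-all policy shown for unauthenticated identities.
export const perUserS3Policy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 's3:GetObject*', Resource: 'arn:aws:s3:::*-${aws:PrincipalTag/userId}/*' }],
};
export const denyAllPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Deny', Action: ['*'], Resource: ['*'] }],
};

// Constructed ID-token claims for two users of the same (made-up) app client.
export const aliceClaims: Claims = { sub: '11111111-aaaa-4bbb-8ccc-111111111111', aud: 'example-app-client-id', name: 'Alice' };
export const bobClaims: Claims = { sub: '22222222-bbbb-4ccc-8ddd-222222222222', aud: 'example-app-client-id', name: 'Bob' };

export const demo = () => {
  const alice = tagsFromClaims(aliceClaims, DEFAULT_PRINCIPAL_TAGS);
  const ownObject = `arn:aws:s3:::uploads-${aliceClaims.sub}/photo.jpg`;
  const bobObject = `arn:aws:s3:::uploads-${bobClaims.sub}/photo.jpg`;
  return {
    ownRead: isAllowed(perUserS3Policy, alice, 's3:GetObject', ownObject), // true
    crossRead: isAllowed(perUserS3Policy, alice, 's3:GetObject', bobObject), // false
    ownWrite: isAllowed(perUserS3Policy, alice, 's3:PutObject', ownObject), // false: no PutObject grant
    tagsDisabled: isAllowed(perUserS3Policy, tagsFromClaims(aliceClaims, false), 's3:GetObject', ownObject), // false: variable unresolved
    unauthenticated: isAllowed(denyAllPolicy, {}, 's3:GetObject', ownObject), // false: explicit deny
  };
};
```

The `tagsDisabled` case is the one to keep in mind when changing `principalTags`: renaming `userId` to `username`, or setting the property to false, silently turns every policy that references `${aws:PrincipalTag/userId}` into a no-op, which is safe (implicit deny) but will break the application until the policies are updated to the new tag names.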