@ttoss/cloud-auth
It's a library for creating AWS Cognito resources. It creates an user pool, identity pool, a client application, and others resources.
Installation
pnpm add @ttoss/cloud-auth
Quickstart
Create a cloudformation.ts
file in your project and export the template:
import { createAuthTemplate } from '@ttoss/cloud-auth';
const template = createAuthTemplate();
export default template;
Usage
Identity Pool
Create an basic identity pool
const template = createAuthTemplate({
identityPool: {
enabled: true, // false by default
name: 'MyIdentityPool',
allowUnauthenticatedIdentities: false, // false by default
},
});
Create an identity pool with external roles
const template = createAuthTemplate({
identityPool: {
enabled: true,
authenticatedRoleArn:
'arn:aws:iam::123456789012:role/MyIdentityPool_AuthenticatedRole',
unauthenticatedRoleArn:
'arn:aws:iam::123456789012:role/MyIdentityPool_UnauthenticatedRole',
},
});
Create an identity pool with defined policies
const template = createAuthTemplate({
identityPool: {
enabled: true,
authenticatedPolicies: [
{
policyName: 'MyIdentityPool_AuthenticatedPolicy',
policyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
Resource: ['*'],
},
],
},
},
],
unauthenticatedPolicies: [
{
policyName: 'MyIdentityPool_UnauthenticatedPolicy',
policyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Deny',
Action: ['*'],
Resource: ['*'],
},
],
},
},
],
},
});
Using attributes for access control
When you enable the identity pool, it maps the following principal tags to handle access control by default:
PrincipalTags:
appClientId: 'aud'
userId: 'sub'
This way you can use the appClientId
and userId
tags in your IAM policies by controlling access for IAM principals. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::*-${aws:PrincipalTag/userId}/*"
}
]
}
You can change the default tags by passing the principalTags
property and other tokens:
const template = createAuthTemplate({
identityPool: {
enabled: true,
principalTags: {
appId: 'aud',
username: 'sub',
name: 'name',
},
},
});
If you want to disable the principal tags, you can pass the principalTags
property with false
value:
const template = createAuthTemplate({
identityPool: {
enabled: true,
principalTags: false,
},
});