in cli/aws_orbit/remote_files/cdk/env.py [0:0]
def _create_identity_pool(self) -> cognito.CfnIdentityPool:
    """Create the Cognito identity pool and wire its authenticated/unauthenticated roles.

    The pool federates this environment's user pool through ``self.user_pool_client``.
    Two IAM roles are created and attached via a ``CfnIdentityPoolRoleAttachment``:
    the ``authenticated`` role may additionally read this environment's team context
    SSM parameters; the ``unauthenticated`` role is attached but cannot be obtained
    because ``allow_unauthenticated_identities`` is ``False``.

    Returns:
        The ``CfnIdentityPool`` construct (``pool.ref`` is the identity pool id).
    """
    # Prefer the provider name exposed by the user pool construct; older CDK
    # versions lack the attribute, so fall back to the canonical
    # "cognito-idp.<region>.amazonaws.com/<pool-id>" form.
    if hasattr(self.user_pool, "user_pool_provider_name"):
        provider_name = self.user_pool.user_pool_provider_name
    else:
        provider_name = f"cognito-idp.{self.context.region}.amazonaws.com/{self.context.user_pool_id}"

    identity_provider = cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
        provider_name=provider_name,
        client_id=self.user_pool_client.user_pool_client_id,
    )
    pool = cognito.CfnIdentityPool(
        scope=self,
        id="identity-pool",
        identity_pool_name=self.id.replace("-", "_"),
        allow_unauthenticated_identities=False,
        allow_classic_flow=False,
        cognito_identity_providers=[identity_provider],
    )

    def trust_policy(amr: str) -> iam.IPrincipal:
        # Only web identities issued by *this* pool (aud) in the given
        # authentication state (amr) may assume the role.
        principal = iam.FederatedPrincipal(
            federated="cognito-identity.amazonaws.com",
            conditions={
                "StringEquals": {"cognito-identity.amazonaws.com:aud": pool.ref},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
            assume_role_action="sts:AssumeRoleWithWebIdentity",
        )
        return cast(iam.IPrincipal, principal)

    def single_statement(actions, resources) -> iam.PolicyDocument:
        # One-statement policy document; keeps the inline_policies dicts readable.
        return iam.PolicyDocument(
            statements=[iam.PolicyStatement(actions=actions, resources=resources)]
        )

    def federated_role(suffix: str, amr: str, policies) -> iam.Role:
        # Role id and name are identical and derived from the stack id + region.
        role_name = f"{self.id}-{self.context.region}-{suffix}"
        return iam.Role(
            scope=self,
            id=role_name,
            role_name=role_name,
            assumed_by=trust_policy(amr),
            inline_policies=policies,
        )

    team_parameters_arn = (
        f"arn:aws:ssm:{self.context.region}:{self.context.account_id}:"
        f"parameter/orbit/{self.context.name}/teams/*"
    )

    # NOTE(review): "cognito-identity:*" and "cognito-sync:*" on resource "*"
    # give every signed-in user identity-pool control-plane access, not just the
    # credential-exchange calls; consider narrowing to the actions and pool ARN
    # the client actually needs.
    authenticated_role = federated_role(
        suffix="cognito-auth-identity-role",
        amr="authenticated",
        policies={
            "cognito-default": single_statement(
                actions=[
                    "mobileanalytics:PutEvents",
                    "cognito-sync:*",
                    "cognito-identity:*",
                ],
                resources=["*"],
            ),
            "team-context-parameter": single_statement(
                actions=["ssm:DescribeParameters", "ssm:GetParameters"],
                resources=[team_parameters_arn],
            ),
        },
    )

    # Unauthenticated identities are disabled on the pool above, so this role
    # is effectively unreachable; it is still attached to satisfy the
    # role-attachment contract.
    unauthenticated_role = federated_role(
        suffix="cognito-unauth-identity-role",
        amr="unauthenticated",
        policies={
            "cognito-default": single_statement(
                actions=[
                    "mobileanalytics:PutEvents",
                    "cognito-sync:*",
                ],
                resources=["*"],
            ),
        },
    )

    cognito.CfnIdentityPoolRoleAttachment(
        scope=self,
        id=f"{self.id}-role-attachment",
        identity_pool_id=pool.ref,
        roles={
            "authenticated": authenticated_role.role_arn,
            "unauthenticated": unauthenticated_role.role_arn,
        },
    )
    return pool