(cognito-idp): cannot use Cognito identity pool for role mappings

[michaeljfazio]

Description

The following role mapping will fail:

 const identityPool = new IdentityPool(this, "IdentityPool", {
      roleMappings: [
        {
          providerUrl: IdentityPoolProviderUrl.custom(userPool.userPoolProviderUrl),
          resolveAmbiguousRoles: false,
          useToken: true
        }
      ]
    })

The reason it will fail is because the internal logic is to map the provided URL as the corresponding key value, which is performed here.

The same function is achieved in Cloudformation by specifying the key separately from the provider url. See notes specified under the IdentityProvider field description.

Use Case

Referencing user pool from the same stack.

Proposed Solution

Allow the ability to optionally specify static key when creating a role mapping.

Other information

Possible (untested) workaround is to create role attachment with Cfn resource and manually assign an arbitrary key.

    const identityPool = new IdentityPool(this, "IdentityPool", {
      allowUnauthenticatedIdentities: false
    })

    new CfnIdentityPoolRoleAttachment(this, "RoleAttachment2", {
      identityPoolId: identityPool.identityPoolId,
      roleMappings: {
        cognito: { // 👈 manually specified key of "cognito"
          type: "Token",
          ambiguousRoleResolution: "Deny",
          identityProvider: userPool.userPoolProviderUrl
        }
      }
    }).node.addDependency(identityPool)

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

[rix0rrr]

It looks like this is because there is no Cognito provider type in this enum:

aws-cdk/packages/@aws-cdk/aws-cognito-identitypool/lib/identitypool.ts

Lines 103 to 124 in 4eac4de

	export enum IdentityPoolProviderType {
	/** Facebook Provider type */
	FACEBOOK = 'Facebook',
	/** Google Provider Type */
	GOOGLE = 'Google',
	/** Amazon Provider Type */
	AMAZON = 'Amazon',
	/** Apple Provider Type */
	APPLE = 'Apple',
	/** Twitter Provider Type */
	TWITTER = 'Twitter',
	/** Digits Provider Type */
	DIGITS = 'Digits',
	/** Open Id Provider Type */
	OPEN_ID = 'OpenId',
	/** Saml Provider Type */
	SAML = 'Saml',
	/** User Pool Provider Type */
	USER_POOL = 'UserPool',
	/** Custom Provider Type */
	CUSTOM = 'Custom',
	}

Feel free to submit it.

[SamStephens]

@rix0rrr said:

It looks like this is because there is no Cognito provider type in this enum:

aws-cdk/packages/@aws-cdk/aws-cognito-identitypool/lib/identitypool.ts

Lines 103 to 124 in 4eac4de

	export enum IdentityPoolProviderType {
	/** Facebook Provider type */
	FACEBOOK = 'Facebook',
	/** Google Provider Type */
	GOOGLE = 'Google',
	/** Amazon Provider Type */
	AMAZON = 'Amazon',
	/** Apple Provider Type */
	APPLE = 'Apple',
	/** Twitter Provider Type */
	TWITTER = 'Twitter',
	/** Digits Provider Type */
	DIGITS = 'Digits',
	/** Open Id Provider Type */
	OPEN_ID = 'OpenId',
	/** Saml Provider Type */
	SAML = 'Saml',
	/** User Pool Provider Type */
	USER_POOL = 'UserPool',
	/** Custom Provider Type */
	CUSTOM = 'Custom',
	}

I don't think it's as simple as that.

IdentityPoolProviderType provides the USER_POOL constant, which I believe is for Cognito User Pools. IdentityPoolProviderUrl provides a userPool method that uses this constant. The documentation includes an example of IdentityPoolProviderUrl.userPool being used with a Cognito user pool provider URL.

I'm using the IdentityPoolProviderUrl.userPool method, and getting the same results.

 const identityPool = new IdentityPool(this, "IdentityPool", {
      roleMappings: [
        {
          providerUrl: IdentityPoolProviderUrl.userPool(userPool.userPoolProviderUrl),
          resolveAmbiguousRoles: false,
          useToken: true
        }
      ]
    })

(or more accurately, the Python equivalent, as I use Python). userPool is of course an earlier instantated aws_cognito.UserPool construct.

The specific error message we're getting is similar to

Error: Resolution error: Resolution error: "${Token[TOKEN.209]}" is used as the key in a map so must resolve to a string, but it resolves to: {"Fn::GetAtt":["UserPool6BA7E5F2","ProviderURL"]}. Consider using "CfnJson" to delay resolution to deployment-time..

The problem being that as @michaeljfazio points out, the provider URL is used as the key of a map. However map keys do not allow for Tokens, only for string constants.

As @michaeljfazio also points out, the solution is to stop providing the identity provider using the role mapping keys, and instead use the IdentityProvider attribute of the role mapping object. The existing code already sets the attribute. So all that is needed is to stop using the provider URL as the map key.

What the map key should be instead of the provider URL is an open question. Maybe it could be an optional parameter to IdentityPoolRoleMapping that you are required to provide if the providerUrl is a Token.

[SamStephens]

FYI, the issue is currently incorrectly labelled @aws-cdk/aws-iam.

[SamStephens]

The possible workaround that @michaeljfazio provides does not work, because an IdentityPool creates a DefaultRoleAttachment, and the CfnIdentityPoolRoleAttachment suggested conflicts with the existing DefaultRoleAttachment.

[alukach]

@SamStephens Thanks for your comments. I have been hitting my head against this (also using Python). Your description of the issue is inline with my thinking.

However, I get a bit lost when you describe the solution.

stop providing the identity provider using the role mapping keys, and instead use the IdentityProvider attribute of the role mapping object. The existing code already sets the attribute. So all that is needed is to stop using the provider URL as the map key.

What the map key should be instead of the provider URL is an open question.

Are you suggesting a change to CDK, or is this a change to CloudFormation itself? Reading through the AWS::Cognito::IdentityPoolRoleAttachment docs, I see:

RoleMappings
How users for a specific identity provider are mapped to roles. This is a string to the RoleMapping object map. The string identifies the identity provider. For example: graph.facebook.com or cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id.

At the end of the day, CDK will need to populate the RoleMappings on the CloudFormation Template. To create the Cognito IDP key, CDK is going to need to resolve the tokens at time of synthesis due to the fact that it's a CloudFormation restriction that keys can't be composed of tokens, correct?

As a workaround, I was trying to apply some ideas from #12988 (i.e. leaning on CfnIdentityPoolRoleAttachment) but ran into some other issues. I'll report back here if I make any progress. Please do let me know if you find a path forward.