I have been trying to add a User Pool using an AWS CloudFormation template, but it fails on the Deploy ExecuteChangeSet stage.
CognitoUsers:
  Type: AWS::Cognito::UserPool
  Properties:
    UserPoolName: MoreLinksUsers-pool
    UsernameConfiguration:
      CaseSensitive: false
    AdminCreateUserConfig:
      AllowAdminCreateUserOnly: true
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireLowercase: true
        RequireSymbols: true
        RequireUppercase: true
        TemporaryPasswordValidityDays: 1
    UsernameAttributes:
      - email
    MfaConfiguration: "OFF"
    Schema:
      - AttributeDataType: String
        DeveloperOnlyAttribute: false
        Mutable: true
        Name: email
ClientAppClient:
  Type: AWS::Cognito::UserPoolClient
  Properties:
    UserPoolId: !Ref CognitoUsers
    ClientName: ClientApp
    GenerateSecret: false
    RefreshTokenValidity: 30
    AllowedOAuthFlows:
      - code
      - implicit
    ExplicitAuthFlows:
      - ALLOW_USER_SRP_AUTH
      - ALLOW_REFRESH_TOKEN_AUTH
    # CallbackURLs: !Ref AllowedCallbacks
    AllowedOAuthScopes:
      - email
      - openid
      - profile
      - aws.cognito.signin.user.admin
    AllowedOAuthFlowsUserPoolClient: true
    PreventUserExistenceErrors: ENABLED
    SupportedIdentityProviders:
      - COGNITO
Any attribute that I'm missing? Any advice would be greatly appreciated. Thanks.
I have this SAM template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Passwordless SMS authentication backend using Amazon Cognito User Pools CUSTOM AUTH challenge flow w/ AWS Lambda triggers and Amazon SNS for sending SMS TOTP
Metadata:
  AWS::ServerlessRepo::Application:
    Name: passwordless-sms-email-auth
    Description: >
      Passwordless SMS authentication backend using Amazon Cognito User Pools CUSTOM AUTH challenge flow w/ AWS Lambda triggers and Amazon SNS for sending SMS TOTP
    SpdxLicenseId: MIT
    LicenseUrl: LICENSE
    Labels: ['passwordless', 'authentication', 'cognito', 'auth', 'sms', 'iOS', 'mobile', 'pinpoint', 'serverless', 'amplify']
    SemanticVersion: 1.14.20
Globals:
  Function:
    Timeout: 3
Parameters:
  UserPoolName:
    Type: String
    Description: The name you want the User Pool to be created with
    Default: rafaelTest
Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Ref UserPoolName
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: phone_number
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: email
          AttributeDataType: String
          Mutable: true
          Required: false
      Policies:
        PasswordPolicy:
          MinimumLength: 6
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
      UsernameAttributes:
        - phone_number
        - email
      MfaConfiguration: "OFF"
      LambdaConfig:
        CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn
        DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn
        PreSignUp: !GetAtt PreSignUp.Arn
        VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallengeResponse.Arn
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: sms-auth-client
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      ExplicitAuthFlows:
        - CUSTOM_AUTH_FLOW_ONLY
Outputs:
  UserPoolId:
    Description: ID of the User Pool
    Value: !Ref UserPool
  UserPoolClientId:
    Description: ID of the User Pool Client
    Value: !Ref UserPoolClient
When creating the user pool, I wanted users to be able to use either just their email or just their phone number as their username.
The way it is done now, I always need to send both the email and the phone number.
Does anyone know how I can solve this?
I want users to be able to log in by providing one of the following:
email + name
phone number + name
Can anyone help me?
Users can log in with their email or phone number using this SAM template, as long as you use a random UUID as the username at sign-up.
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Ref UserPoolName
    Schema:
      - Name: phone_number
        AttributeDataType: String
        Mutable: true
      - Name: email
        AttributeDataType: String
        Mutable: true
    Policies:
      PasswordPolicy:
        MinimumLength: 6
        RequireLowercase: false
        RequireNumbers: false
        RequireSymbols: false
        RequireUppercase: false
    AliasAttributes:
      - email
      - phone_number
    MfaConfiguration: "OFF"
But now I need to know which alias users use on sign-in. Does anyone know how?
I'm doing a passwordless flow with Cognito, and the event on the create-auth Lambda trigger is always the same.
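The three Lambda triggers that the SAM template above wires into LambdaConfig, written out as an added example for this page (it is not the template's own trigger code). Because the trigger event carries the resolved user and its attributes rather than the alias the user typed, this example assumes the app passes ClientMetadata {"login_with": "email" | "phone_number"} to InitiateAuth, which Cognito forwards to all three triggers as request.clientMetadata; deliver_code is a stand-in for the SNS/SES call so the module runs offline, and MAX_ATTEMPTS is this example's choice.

```python
"""DefineAuthChallenge / CreateAuthChallenge / VerifyAuthChallengeResponse for a
passwordless CUSTOM_AUTH flow. Added example; see the lead-in for assumptions."""
import hmac
import secrets
from typing import Any, Callable, Dict, List, Tuple

MAX_ATTEMPTS = 3                          # wrong codes tolerated per session
SENT: List[Tuple[str, str, str]] = []     # (channel, destination, code) the stand-in "sent"


def deliver_code(channel: str, destination: str, code: str) -> None:
    """Stand-in for sns.publish(...) / ses.send_email(...); records instead of sending."""
    SENT.append((channel, destination, code))


def mask(destination: str) -> str:
    """Only the last two characters go back to the client in publicChallengeParameters."""
    return "*" * max(len(destination) - 2, 0) + destination[-2:]


def define_auth_challenge(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Issue CUSTOM_CHALLENGE until one is answered correctly or MAX_ATTEMPTS failed.
    request.session holds Cognito's {challengeName, challengeResult, challengeMetadata}."""
    req = event["request"]
    session = req.get("session") or []
    resp = event.setdefault("response", {})
    if req.get("userNotFound"):
        # Fail outright; with PreventUserExistenceErrors ENABLED the client sees the
        # same generic error as for a wrong code, so nothing is leaked here.
        resp.update(issueTokens=False, failAuthentication=True)
    elif session and session[-1]["challengeName"] == "CUSTOM_CHALLENGE" and session[-1]["challengeResult"]:
        resp.update(issueTokens=True, failAuthentication=False)
    elif len(session) >= MAX_ATTEMPTS:
        resp.update(issueTokens=False, failAuthentication=True)
    else:
        resp.update(issueTokens=False, failAuthentication=False, challengeName="CUSTOM_CHALLENGE")
    return event


def create_auth_challenge(event: Dict[str, Any], context: Any = None,
                          send_code: Callable[[str, str, str], None] = deliver_code) -> Dict[str, Any]:
    """Mint a 6-digit code from a CSPRNG and send it on the channel the client named.
    On a retry the previous code is reused (it is kept in challengeMetadata, which
    stays server-side) so a typo does not trigger another SMS or e-mail."""
    req = event["request"]
    attrs = req.get("userAttributes", {})
    channel = (req.get("clientMetadata") or {}).get("login_with", "email")
    if channel not in ("email", "phone_number") or not attrs.get(channel):
        raise ValueError("requested login channel has no destination on this user")
    session = req.get("session") or []
    if session:
        code = session[-1]["challengeMetadata"].split(":", 1)[1]
    else:
        code = f"{secrets.randbelow(10**6):06d}"   # never random.randint for auth codes
        send_code(channel, attrs[channel], code)
    resp = event.setdefault("response", {})
    resp["publicChallengeParameters"] = {"channel": channel, "destination": mask(attrs[channel])}
    resp["privateChallengeParameters"] = {"code": code}
    resp["challengeMetadata"] = f"CODE:{code}"
    return event


def verify_auth_challenge_response(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Constant-time comparison of the answer with the private challenge parameter."""
    req = event["request"]
    expected = str(req["privateChallengeParameters"]["code"])
    answer = str(req.get("challengeAnswer", ""))
    event.setdefault("response", {})["answerCorrect"] = hmac.compare_digest(expected, answer)
    return event


def simulate_login(username: str, attrs: Dict[str, str], login_with: str,
                   answer_for: Callable[[str], str]) -> bool:
    """Call the triggers in the order Cognito does, feeding each result back into
    request.session; returns True when tokens would be issued."""
    session: List[Dict[str, Any]] = []
    base = {"userName": username, "userAttributes": attrs, "clientMetadata": {"login_with": login_with}}
    for _ in range(MAX_ATTEMPTS + 1):
        d = define_auth_challenge({"request": {**base, "session": list(session)}})
        if d["response"]["failAuthentication"]:
            return False
        if d["response"]["issueTokens"]:
            return True
        c = create_auth_challenge({"request": {**base, "session": list(session)}})
        code = c["response"]["privateChallengeParameters"]["code"]
        v = verify_auth_challenge_response({"request": {
            "privateChallengeParameters": c["response"]["privateChallengeParameters"],
            "challengeAnswer": answer_for(code)}})
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": v["response"]["answerCorrect"],
                        "challengeMetadata": c["response"]["challengeMetadata"]})
    return False
```

simulate_login only stands in for Cognito's own orchestration so the triggers can be exercised locally; deployed, each handler is invoked by Cognito with (event, context) and the session is maintained by the service.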
I'm trying to set up a simple authorizer based on this doc. I am also using the serverless plugin serverless-pseudo-parameters.
My serverless configuration for authorizer:
provider:
  ...
  logs:
    httpApi: true
  httpApi:
    cors: true
    authorizers:
      simpleAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl:
          - Fn::Join:
              - '/'
              - - https://cognito-idp.#{AWS::Region}.amazonaws.com
                - "#{CognitoUserPool}"
        audience:
          - "#{CognitoUserPoolClient}"   # pseudo-parameter syntax, as for #{CognitoUserPool} above
My configuration for simple lambda:
functions:
  ping:
    name: ${self:provider.stage}-ping
    handler: test.handler
    events:
      - httpApi:
          method: GET
          path: /test
          authorizer:
            name: simpleAuthorizer
My configuration of user pool and user pool client:
resources:
  Resources:
    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-${self:provider.stage}-user
        UsernameAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: False
            RequireNumbers: True
            RequireSymbols: False
            RequireUppercase: True
        Schema:
          - Name: email
            Required: false
            DeveloperOnlyAttribute: false
            Mutable: true
            AttributeDataType: String
    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: cognito-example-client
        GenerateSecret: False
        UserPoolId: "#{CognitoUserPool}"
The user pool, user pool client, HTTP API and Lambda are all created successfully, but I can't see an authorizer in the AWS console for the API Gateway service.
So, the problem has a simple solution: just update your serverless (I used 1.63.0, which gave me this problem).
I am new to AWS and I am trying to create a new user pool in which I want to achieve the settings highlighted below using CloudFormation. Can you point me in the right direction?
Please use this one as a base and change it a bit for your needs. This is what I'm using, and it is already very close to your requirement.
AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation template to create core infrastructure
Parameters:
  Product:
    Type: String
    Default: "your-product-name"
Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Join ["-", [!Ref Product, "user-pool"]]
      AutoVerifiedAttributes:
        - email
      Schema:
        - AttributeDataType: "String"
          Mutable: true
          Name: "email"
          Required: true
        - AttributeDataType: "String"
          Mutable: true
          Name: "family_name"
          Required: true
        - AttributeDataType: "String"
          Mutable: true
          Name: "given_name"
          Required: true
      UsernameAttributes:
        - email
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: False
      UsernameConfiguration:
        CaseSensitive: false
      Policies:
        PasswordPolicy:
          MinimumLength: 6
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
          TemporaryPasswordValidityDays: 30
      DeviceConfiguration:
        ChallengeRequiredOnNewDevice: false
        DeviceOnlyRememberedOnUserPrompt: false
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_LINK
      UserPoolTags:
        product: !Ref Product
If you need more than that, please comment more.
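A pre-deploy lint for the Cognito settings in templates like the one in this answer and the CognitoUsers/ClientAppClient pair in the first question on this page, added here as an example and not code from any of the posts. TEMPLATE is a hand-built Python dict mirroring those resources (intrinsic functions such as !Ref become {"Ref": ...}), constructed so the script runs offline without a YAML parser; the thresholds are this example's choices, and the CallbackURLs check reflects the commented-out line in the first question rather than a diagnosis of that stack's failure.

```python
"""Lint AWS::Cognito::UserPool / UserPoolClient resources before deploying.
Added example; TEMPLATE is constructed from the resources posted on this page."""
from typing import Any, Dict, List

TEMPLATE: Dict[str, Any] = {"Resources": {
    "CognitoUsers": {"Type": "AWS::Cognito::UserPool", "Properties": {
        "UserPoolName": "MoreLinksUsers-pool",
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
        "Policies": {"PasswordPolicy": {
            "MinimumLength": 8, "RequireLowercase": True, "RequireSymbols": True,
            "RequireUppercase": True, "TemporaryPasswordValidityDays": 1}},
        "UsernameAttributes": ["email"], "MfaConfiguration": "OFF"}},
    "ClientAppClient": {"Type": "AWS::Cognito::UserPoolClient", "Properties": {
        "UserPoolId": {"Ref": "CognitoUsers"}, "GenerateSecret": False,
        "AllowedOAuthFlows": ["code", "implicit"],
        "AllowedOAuthFlowsUserPoolClient": True,
        # CallbackURLs is commented out in the first question, so it is absent here
        "PreventUserExistenceErrors": "ENABLED"}},
    "UserPool": {"Type": "AWS::Cognito::UserPool", "Properties": {
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
        "Policies": {"PasswordPolicy": {
            "MinimumLength": 6, "RequireLowercase": False, "RequireNumbers": False,
            "RequireSymbols": False, "RequireUppercase": False,
            "TemporaryPasswordValidityDays": 30}}}},
}}

CLASSES = ("RequireLowercase", "RequireUppercase", "RequireNumbers", "RequireSymbols")


def lint_user_pool(name: str, props: Dict[str, Any]) -> List[str]:
    """Findings for one AWS::Cognito::UserPool. Defaults assumed when a key is
    absent are Cognito's (MinimumLength 8, 7 temporary-password days, MFA OFF)."""
    out: List[str] = []
    pw = props.get("Policies", {}).get("PasswordPolicy", {})
    if pw.get("MinimumLength", 8) < 8:
        out.append(f"{name}: MinimumLength below 8, the NIST SP 800-63B floor")
    if not any(pw.get(k) for k in CLASSES):
        out.append(f"{name}: password policy requires no character class at all")
    if pw.get("TemporaryPasswordValidityDays", 7) > 7:
        out.append(f"{name}: admin-set temporary passwords stay valid longer than a week")
    if str(props.get("MfaConfiguration", "OFF")).upper() == "OFF":
        out.append(f"{name}: MfaConfiguration is OFF")
    return out


def lint_client(name: str, props: Dict[str, Any]) -> List[str]:
    """Findings for one AWS::Cognito::UserPoolClient."""
    out: List[str] = []
    flows = props.get("AllowedOAuthFlows", [])
    oauth_enabled = bool(props.get("AllowedOAuthFlowsUserPoolClient")) or bool(flows)
    if "implicit" in flows:
        out.append(f"{name}: implicit grant enabled; tokens land in the URL fragment, "
                   "RFC 9700 recommends the code grant with PKCE instead")
    if oauth_enabled and not props.get("CallbackURLs"):
        out.append(f"{name}: OAuth flows enabled but CallbackURLs is empty, so the "
                   "hosted UI has no allowed redirect target")
    if props.get("PreventUserExistenceErrors") != "ENABLED":
        out.append(f"{name}: PreventUserExistenceErrors not explicitly ENABLED "
                   "(user-not-found responses allow username enumeration)")
    return out


def lint_template(template: Dict[str, Any]) -> List[str]:
    """Walk Resources, dispatch on Type, return every finding in template order."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::Cognito::UserPool":
            findings += lint_user_pool(name, props)
        elif res.get("Type") == "AWS::Cognito::UserPoolClient":
            findings += lint_client(name, props)
    return findings


if __name__ == "__main__":
    for finding in lint_template(TEMPLATE):
        print("WARN", finding)
```

Run against the dict above it reports seven findings: MFA off on both pools, the implicit grant and the missing CallbackURLs on the client, and the six-character, class-free, thirty-day password policy of the second pool. Treat each as a question to answer deliberately in the template rather than a hard failure.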
To set phone number as a username:
UsernameAttributes:
  - phone_number
and to set phone number as a required attribute:
Schema:
  - Name: email
    AttributeDataType: String
    Required: true
    Mutable: true
You can refer to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html for detailed information.
I created a user like:
SuperAdminUser:
  Type: AWS::Cognito::UserPoolUser
  Properties:
    DesiredDeliveryMediums:
      - EMAIL
    Username: !Ref SuperAdminEmail
    UserAttributes:
      - Name: email
        Value: !Ref SuperAdminEmail
    UserPoolId:
      Fn::ImportValue:
        !Sub ${BaseStack}-Cognito
And the user pool is defined:
CognitoUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    AdminCreateUserConfig:
      AllowAdminCreateUserOnly: false
      UnusedAccountValidityDays: 3
    LambdaConfig:
      PreSignUp: !GetAtt CognitoPreSignUpHook.Arn
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireNumbers: true
    UsernameAttributes:
      - email
I noticed that it fails to find the user because the username looks like 9f8aecc2-530d-411d-8d73-c3b775da1893, while !Ref gives the email of the user in this case. I noticed this started failing when I added
UsernameAttributes:
  - email
How can I resolve this? I noticed the User resource does not allow me to get the Sub of the user ...
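One way to find such a user at runtime, added here as an example and not taken from the question: in a pool with UsernameAttributes: [email] the stored Username is an opaque UUID (the sub) and the address lives in the email attribute, so a lookup goes through ListUsers with a Filter and the result's Username is what you pass to the Admin* APIs. The client argument is duck-typed: in production pass boto3.client("cognito-idp"); FakeCognito, SAMPLE_USERS and the pool id "us-east-1_EXAMPLE" are constructed stand-ins so the module runs offline.

```python
"""Resolve a Cognito user by e-mail when usernames are opaque UUIDs.
Added example; FakeCognito and SAMPLE_USERS are constructed test doubles."""
import re
from typing import Any, Dict, List, Optional


def find_user_by_email(client: Any, user_pool_id: str, email: str) -> Optional[Dict[str, str]]:
    """Return {"username", "sub", "status"} for the exact e-mail, or None."""
    if '"' in email or "\\" in email:
        # Filter is a quoted expression; refuse input that could alter it
        # instead of attempting to escape it.
        raise ValueError("invalid character in e-mail")
    kwargs: Dict[str, Any] = {"UserPoolId": user_pool_id,
                              "Filter": f'email = "{email}"',
                              "Limit": 60}          # 60 is the ListUsers maximum
    while True:
        page = client.list_users(**kwargs)
        for user in page.get("Users", []):
            attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
            # Re-check locally so the caller never acts on a near-match.
            if attrs.get("email", "").lower() == email.lower():
                return {"username": user["Username"], "sub": attrs.get("sub", ""),
                        "status": user.get("UserStatus", "")}
        token = page.get("PaginationToken")
        if not token:
            return None
        kwargs["PaginationToken"] = token


class FakeCognito:
    """Constructed stand-in for the cognito-idp client: supports `attr = "value"`
    filters and PaginationToken paging, which is all find_user_by_email needs."""
    _FILTER = re.compile(r'^(\w+) = "(.*)"$')

    def __init__(self, users: List[Dict[str, Any]], page_size: int = 2):
        self.users, self.page_size = users, page_size

    def list_users(self, UserPoolId: str, Filter: str = "", Limit: int = 60,
                   PaginationToken: Optional[str] = None) -> Dict[str, Any]:
        m = self._FILTER.match(Filter)
        if not m:
            raise ValueError("InvalidParameterException: bad filter")
        name, value = m.groups()
        hits = [u for u in self.users
                if any(a["Name"] == name and a["Value"] == value for a in u["Attributes"])]
        start = int(PaginationToken or 0)
        end = start + min(Limit, self.page_size)
        out: Dict[str, Any] = {"Users": hits[start:end]}
        if end < len(hits):
            out["PaginationToken"] = str(end)
        return out


# Constructed sample: Username equals sub, as in the question's pool.
SAMPLE_USERS = [
    {"Username": "11111111-1111-4111-8111-111111111111", "UserStatus": "CONFIRMED",
     "Attributes": [{"Name": "sub", "Value": "11111111-1111-4111-8111-111111111111"},
                    {"Name": "email", "Value": "alice@example.com"}]},
    {"Username": "9f8aecc2-530d-411d-8d73-c3b775da1893", "UserStatus": "FORCE_CHANGE_PASSWORD",
     "Attributes": [{"Name": "sub", "Value": "9f8aecc2-530d-411d-8d73-c3b775da1893"},
                    {"Name": "email", "Value": "admin@example.com"}]},
]

if __name__ == "__main__":
    print(find_user_by_email(FakeCognito(SAMPLE_USERS), "us-east-1_EXAMPLE", "admin@example.com"))
```

The quote check matters because the e-mail usually comes from a request: a value containing a double quote could otherwise rewrite the filter expression.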
I think I tried all the properties here:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
but couldn't get this box checked:
My config currently:
CognitoUserPoolGeneral:
  Type: AWS::Cognito::UserPool
  Properties:
    UserPoolName: general
    Policies:
      PasswordPolicy:
        MinimumLength: 6
        RequireLowercase: false
        RequireNumbers: false
        RequireSymbols: false
        RequireUppercase: false
    Schema:
      - AttributeDataType: String
        Name: preferredLocale
        DeveloperOnlyAttribute: false
        Mutable: true
        Required: false
    EmailVerificationMessage: "Here's your verification code: {####}. Please provide it inside the application."
    EmailVerificationSubject: "subject"
You can add
AutoVerifiedAttributes:
  - email
to your Properties key, like so:
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Sub ${AuthName}-user-pool
    AutoVerifiedAttributes:
      - email
    Policies: .....
For an excellent example of a CloudFormation template that creates Cognito resources, see:
https://gist.github.com/singledigit/2c4d7232fa96d9e98a3de89cf6ebe7a5