I'm getting this strange error
Access to Role 'cognito role' is forbidden.
while creating a cloud formation stack here is my cloud formation file in yaml format.
I'm basically creating a s3 bucket and a cognito identity to facilate client side access to my bucket the whole thing is working fine except this error
Access to Role 'phototest-cognitoRole-1AMKUVXUXAJ5H' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException
AWSTemplateFormatVersion: 2010-09-09
Resources:
photoBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: it-academy-photos-bucket
CorsConfiguration:
CorsRules:
- AllowedHeaders: ['*']
AllowedMethods: [GET,POST,PUT]
AllowedOrigins: ['*']
Id: myrules
cognitoRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: Allow
Principal:
Federated:
- "cognito-identity.amazonaws.com"
Action:
- sts:AssumeRoleWithWebIdentity
Policies:
-
PolicyName: "photo_client_policy"
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Sid: VisualEditor1
Effect: Allow
Action:
- s3:PutObject
- s3:GetObjectAcl
- s3:GetObject
- s3:GetObjectTorrent
- s3:GetObjectVersionAcl
- s3:PutObjectVersionTagging
- s3:GetObjectTagging
- s3:PutObjectTagging
- s3:PutBucketCORS
- s3:PutObjectAcl
- s3:GetObjectVersion
Resource: "*"
cognitoIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: "photo_bucket"
AllowUnauthenticatedIdentities: true
cognitoIdentityPoolRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref cognitoIdentityPool
Roles:
unauthenticated: !Ref cognitoRole
I was having the same problem and figured out the unauthenticated role needs the Arn and not the logical ID. This should fix the issue:
cognitoIdentityPoolRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref cognitoIdentityPool
Roles:
unauthenticated: !GetAtt cognitoRole.Arn
Related
I'm attempting to update my AWS SAM template with additional permissions for an s3 bucket policy. I need the following additions: 's3:ListBucket', 's3:PutObject' and 's3:DeleteObject'
However im getting an invalid policy message when i deploy the updated template:
error message from github actions:
Policy has invalid resource (Service:Amazon S3; Status Code: 400; Error Code: MalformedPolicy;
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MyWebsite
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
Sid: PublicRead
Effect: Allow
Principal: "*"
Action:
- 's3:ListBucket'
- 's3:GetObject'
- 's3:PutObject'
- 's3:DeleteObject'
Resource:
- "arn:aws:s3:::my-resume-wesite123456/*"
- "arn:aws:s3:::my-resume-wesite123456/"
I thought i may have a typo in the resource name but the bucket was created successfully with the code below.
Resources:
MyWebsite:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
BucketName: my-resume-wesite123456
Any advice greatly appreciated.
You can directly reference the bucket making your life a lot easier:
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MyWebsite
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
Sid: PublicRead
Effect: Allow
Principal: "*"
Action:
- 's3:ListBucket'
- 's3:GetObject'
- 's3:PutObject'
- 's3:DeleteObject'
Resource:
- !Sub ${MyWebsite.Arn}/*
- !Sub ${MyWebsite.Arn}
for days I have not been able to figure out why one AWS role is not authorized to perform AssumeRole on another. In this case I have a dev-account with AWS CodeCommit on it, and a tools account with CodePipeline. I am trying to allow CodePipeline (in tools) to access CodeCommit (in dev), but am always told that the role in tools is not authorized to do so.
Here is my CloudFormation template to create a role in dev:
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross Account Role to Allow Access to CodePipeline in Tools Account
Parameters:
ToolsAccount:
Description: AWS AccountNumber for tools account
Type: Number
Resources:
Role:
Type: AWS::IAM::Role
Properties:
RoleName: access-codecommit-in-dev
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Ref ToolsAccount
Action:
- sts:AssumeRole
Path: /
Policy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub ToolsAcctCodePipelineCodeCommitPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- codecommit:BatchGetRepositories
- codecommit:Get*
- codecommit:GitPull
- codecommit:List*
- codecommit:CancelUploadArchive
- codecommit:UploadArchive
- s3:*
Resource: "*"
Roles:
- !Ref Role
Here is the CloudFormation template that creates CodePipeline:
Description: "Code pipeline to deploy frontend"
Parameters:
DevAccount:
Description: AWS AccountNumber for dev
Type: Number
TestAccount:
Description: AWS AccountNumber for test
Type: Number
Resources:
BuildProjectRole:
Type: AWS::IAM::Role
Properties:
RoleName: codebuild-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Action:
- sts:AssumeRole
BuildProjectPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: codebuild-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetBucketPolicy
- s3:GetObject
- s3:ListBucket
Resource:
- "bucketNameHere"
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: arn:aws:logs:*:*:*
Roles:
- !Ref BuildProjectRole
PipeLineRole:
Type: AWS::IAM::Role
Properties:
RoleName: codepipeline-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
Action:
- sts:AssumeRole
PipelinePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: codepipeline-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- codepipeline:*
- iam:ListRoles
- cloudformation:Describe*
- cloudFormation:List*
- codecommit:List*
- codecommit:Get*
- codecommit:GitPull
- codecommit:UploadArchive
- codecommit:CancelUploadArchive
- codebuild:BatchGetBuilds
- codebuild:StartBuild
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:UpdateStack
- cloudformation:CreateChangeSet
- cloudformation:DeleteChangeSet
- cloudformation:DescribeChangeSet
- cloudformation:ExecuteChangeSet
- cloudformation:SetStackPolicy
- cloudformation:ValidateTemplate
- iam:PassRole
- s3:ListAllMyBuckets
- s3:GetBucketLocation
Resource:
- "*"
- Effect: Allow
Action:
- s3:PutObject
- s3:GetBucketPolicy
- s3:GetObject
- s3:ListBucket
Resource:
- "bucketName"
- Effect: Allow
Action:
- sts:AssumeRole
Resource:
- !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access
Roles:
- !Ref PipeLineRole
FrontEndPipeline:
Type: "AWS::CodePipeline::Pipeline"
Properties:
ArtifactStore:
Type: "S3"
Location: "bucketName"
Name: "frontend-deploy"
RoleArn: !GetAtt PipeLineRole.Arn
Stages:
- Name: "Code-Fetch"
Actions:
- Name: "stage-source"
ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeCommit
Version: 1
OutputArtifacts:
- Name: SourceCode
Configuration:
PollForSourceChanges: true
BranchName: develop
RepositoryName: "nameHere"
RunOrder: 1
RoleArn: !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access
- Name: Build
Actions:
- Name: "Build-Source"
ActionTypeId:
Category: Build
Owner: AWS
Version: "1"
Provider: CodeBuild
InputArtifacts:
- Name: SourceCode
OutputArtifacts:
- Name: DeployOutput
Configuration:
ProjectName: "CodeBuild"
RunOrder: 1
- Name: Deploy
Actions:
- Name: deploy
ActionTypeId:
Category: Deploy
Owner: AWS
Version: "1"
Provider: S3
InputArtifacts:
- Name: DeployOutput
Configuration:
BucketName: "bucketNameHere"
Extract: true
#RoleArn: !Sub arn:aws:iam::${TestAccount}:role/cloudformationdeployer-role
CodeBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Name: "CodeBuild"
ServiceRole: !GetAtt BuildProjectRole.Arn
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Type: LINUX_CONTAINER
Image: node:13
Source:
Type: CODEPIPELINE
What could possibly be generating this error:
arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{DevAcciybt}:role/access-codecommit-in-dev (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: (ID here))
Does the role
arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role have permission to assume the role in dev account something like below:
{
"Sid": "AssumeCrossAccountRole"
"Effect": "Allow",
"Actions": "sts:AssumeRole",
"Resource": "ARN of dev account role"
}
else
Try out with passing ARN arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role in the AWS principal instead of account number for the role which you are creating in dev account
I am trying to:
Create a CMK
Create a new bucket that requires/enforces use of that
CMK
Code is from here
AWSTemplateFormatVersion: 2010-09-09
Description: Example template with Customer Master Key and S3 bucket
Resources:
Bucket:
Type: "AWS::S3::Bucket"
DeletionPolicy: Retain
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
SSEAlgorithm: "aws:kms"
CMKAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: "alias/test/cmk"
TargetKeyId: !Ref CMK
CMK:
Type: "AWS::KMS::Key"
Properties:
Description: "My CMK"
Enabled: True
EnableKeyRotation: true
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"
Outputs:
CMKId:
Value: !Ref CMK
CMKArn:
Value: !GetAtt CMK.Arn
CMKAliasArn:
Value: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
Bucket:
Value: !Ref Bucket
The errors are:
The following resource(s) failed to create: [CMK]. . Rollback requested by user.
Policy contains a statement with one or more invalid principals.
(Service: AWSKMS; Status Code: 400;
Error Code: MalformedPolicyDocumentException;
Request ID: zzzzzz-zzzzz-zzzzz)
I believe the issue is with this line:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
I see from intrinsic-function-reference-sub that !Sub is a function to replace values, and I see from pseudo-parameter-reference that ${AWS::AccountId} is a valid pseudo parameter, so I do not understand why that line is failing.
I see from how-to-generate-the-aws-root-account-arn-in-cloudformation that this is considered a valid way in YAML:
!Sub arn:aws:iam::${AWS::AccountId}:root
Your indents are not correct.
Try it as the following:
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"
I am having trouble creating a stack with my CloudFormation template. When it reaches the IdentityPoolRoleAttachment I get the error:
Access to Role 'CognitoIdentityUnauthenticated' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException; Request ID: 0866b3a1-15ab-11e9-82dd-1b30dc4a6a4d)
I've matched everything to what was created through the console and cannot figure out the problem. Can anyone see what I might be missing?
AWSTemplateFormatVersion: 2010-09-09
Description: AWS Script to create Cognito User and Identity pools
Resources:
CognitoUserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: cognito-userpool
Schema:
- Name: email
AttributeDataType: String
Mutable: false
Required: true
Policies:
PasswordPolicy:
MinimumLength: 8
RequireLowercase: true
RequireNumbers: true
RequireUppercase: true
CognitoUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: cognito-app-client
ExplicitAuthFlows:
- ADMIN_NO_SRP_AUTH
GenerateSecret: false
ReadAttributes:
- email
RefreshTokenValidity: 30
UserPoolId: !Ref CognitoUserPool
CognitoIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: cognito_identity_pool
AllowUnauthenticatedIdentities: true
CognitoIdentityProviders:
- ClientId:
Ref: CognitoUserPoolClient
ProviderName:
Fn::GetAtt:
- CognitoUserPool
- ProviderName
CognitoIdentityAuthenticatedRole:
Type: AWS::IAM::Role
Properties:
RoleName: CognitoIdentityAuthenticated
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: cognito-identity.amazonaws.com
Action: sts:AssumeRoleWithWebIdentity
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
CognitoIdentityUnauthenticatedRole:
Type: AWS::IAM::Role
Properties:
RoleName: CognitoIdentityUnauthenticated
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: cognito-identity.amazonaws.com
Action: sts:AssumeRoleWithWebIdentity
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": unauthenticated
# Create policy to allow authenticated user role to invode API lambda function
CognitoAuthInvokeLambdaPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CognitoAuthInvokeLambdaPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- mobileanalytics:PutEvents
- cognito-sync:*
- cognito-identity:*
Resource:
- "*"
- Effect: Allow
Action:
- execute-api:Invoke
Resource:
- "arn:aws:execute-api:us-east-1:*:xxxxxxxxxx/*"
- Effect: Allow
Action:
- "s3:*"
Resource:
- "*"
Roles:
- Ref: CognitoIdentityAuthenticatedRole
# Create policy to allow unauthenticated user role (currently only has access to Cognito - add additional resources if needed)
CognitoUnauthPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CognitoUnauthPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- mobileanalytics:PutEvents
- cognito-sync:*
- cognito-identity:*
Resource:
- "*"
Roles:
- Ref: CognitoIdentityUnauthenticatedRole
# Assigns the role to the Identity Pool
CognitoIdentityPoolRoleMapping:
Type: "AWS::Cognito::IdentityPoolRoleAttachment"
Properties:
IdentityPoolId: !Ref CognitoIdentityPool
Roles:
authenticated: !Ref CognitoIdentityAuthenticatedRole
unauthenticated: !Ref CognitoIdentityUnauthenticatedRole
#Output IDs and ARNs
Outputs:
CognitoUserPoolID:
Value:
Ref: CognitoUserPool
Export:
Name: !Sub "${AWS::StackName}-CognitoUserPoolID"
CognitoUserPoolClientID:
Value:
Ref: CognitoUserPoolClient
Export:
Name: !Sub "${AWS::StackName}-CognitoUserPoolClientID"
CognitoIdentityPoolID:
Value:
Ref: CognitoIdentityPool
Export:
Name: !Sub "${AWS::StackName}-CognitoIdentityPoolID"
I see a similar question posted but no answer was provided: Access to Role 'cognito role' is forbidden
I figured it out. The unauthenticated role needs the Arn and not the logical ID.
CognitoIdentityPoolRoleMapping:
Type: "AWS::Cognito::IdentityPoolRoleAttachment"
Properties:
IdentityPoolId: !Ref CognitoIdentityPool
Roles:
authenticated: !GetAtt CognitoIdentityAuthenticatedRole.Arn
unauthenticated: !GetAtt CognitoIdentityUnauthenticatedRole.Arn
I've created Cognito User Pool through AWS Console, but I want to automate creation of new Cognito User Pools through CloudFormation. Can I export my current User Pool configuration to CloudFormation template?
Its not possible to export. You would need the below 6 resources to automate the process.
Cognito Authenticated role
Cognito unAuthenticated role
User pool
User Pool Client
Identity Pool
Identity Pool Role attachment
You would need 3 outputs which you might need to use in your code. Below is the code for creating these
AWSTemplateFormatVersion: 2010-09-09
Parameters:
envParameter:
Type: String
Default: dev
AllowedValues: [ dev, test, qa, prod ]
Description: Suffix to be added for names.
Resources:
myApiUserPool:
Type: "AWS::Cognito::UserPool"
Properties:
UserPoolName: !Sub myApiUserPool${envParameter}
myApiUserPoolClient:
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: !Sub myApiUserPoolClient${envParameter},
GenerateSecret: False
RefreshTokenValidity: 30
UserPoolId: !Ref myApiUserPool
myApiIdentityPool:
Type: "AWS::Cognito::IdentityPool"
Properties:
IdentityPoolName: !Sub myApiIdentityPool${envParameter}
AllowUnauthenticatedIdentities: False
CognitoIdentityProviders:
- ClientId: !Ref myApiUserPoolClient
ProviderName: !GetAtt myApiUserPool.ProviderName
cognitoUnauthRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Unauth_Role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Federated: cognito-identity.amazonaws.com
Action: [ 'sts:AssumeRole' ]
Policies:
- PolicyName: cognitounauth
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- mobileanalytics:PutEvents
- cognito-sync:*
Resource:
- "*"
cognitoAuthRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Federated: cognito-identity.amazonaws.com
Action: [ 'sts:AssumeRole' ]
Policies:
- PolicyName: cognitoauth
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- mobileanalytics:PutEvents
- cognito-sync:*
- execute-api:*
Resource:
- "*"
myApiIdentityPoolRoleAttachment:
DependsOn: [ myApiIdentityPool, cognitoUnauthRole, cognitoAuthRole ]
Type: "AWS::Cognito::IdentityPoolRoleAttachment"
Properties:
IdentityPoolId: !Ref myApiIdentityPool
Roles:
authenticated: !GetAtt cognitoAuthRole.Arn
unauthenticated: !GetAtt cognitoUnauthRole.Arn
Outputs:
userPool:
Description: "User pool ID"
Value: !Ref myApiUserPool
identityPool:
Description: "Identity pool ID"
Value: !Ref myApiIdentityPool
ClientId:
Description: "Client id for the user pool appclient"
Value: !Ref myApiUserPoolClient
It's not currently possible to export existing user pools from Cognito. You can, however, create new user pools in AWS CloudFormation and then manage those pools from CloudFormation itself going forward, using AWS::Cognito::UserPool resource type.
I am going to use the describe-user-pool action and then build the cf template based on the output