AWS::Cognito::UserPoolIdentityProvider - AWS CloudFormation

AWS::Cognito::UserPoolIdentityProvider

The AWS::Cognito::UserPoolIdentityProvider resource creates an identity provider for a user pool.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::Cognito::UserPoolIdentityProvider",
      "Properties" : {
        "AttributeMapping" : Json,
        "IdpIdentifiers" : [ String, ... ],
        "ProviderDetails" : Json,
        "ProviderName" : String,
        "ProviderType" : String,
        "UserPoolId" : String
      }
    }

YAML

    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      AttributeMapping: Json
      IdpIdentifiers:
        - String
      ProviderDetails: Json
      ProviderName: String
      ProviderType: String
      UserPoolId: String

Properties

AttributeMapping

A mapping of identity provider attributes to standard and custom user pool attributes.

Required: No

Type: Json

Update requires: No interruption

IdpIdentifiers

A list of identity provider identifiers.

Required: No

Type: List of String

Maximum: 50

Update requires: No interruption

ProviderDetails

The identity provider details. The following list describes the provider detail keys for each identity provider type.

  • For Google and Login with Amazon:

    • client_id

    • client_secret

    • authorize_scopes

  • For Facebook:

    • client_id

    • client_secret

    • authorize_scopes

    • api_version

  • For Sign in with Apple:

    • client_id

    • team_id

    • key_id

    • private_key

    • authorize_scopes

  • For OIDC providers:

    • client_id

    • client_secret

    • attributes_request_method

    • oidc_issuer

    • authorize_scopes

    • authorize_url (if not available from the discovery URL specified by the oidc_issuer key)

    • token_url (if not available from the discovery URL specified by the oidc_issuer key)

    • attributes_url (if not available from the discovery URL specified by the oidc_issuer key)

    • jwks_uri (if not available from the discovery URL specified by the oidc_issuer key)

  • For SAML providers:

    • MetadataFile or MetadataURL

    • IDPSignout (optional)

Required: No

Type: Json

Update requires: No interruption

ProviderName

The identity provider name.

Required: Yes

Type: String

Minimum: 1

Maximum: 32

Pattern: [^_][\p{L}\p{M}\p{S}\p{N}\p{P}][^_]+

Update requires: Replacement

ProviderType

The identity provider type.

Required: Yes

Type: String

Allowed values: Facebook | Google | LoginWithAmazon | OIDC | SAML | SignInWithApple

Update requires: Replacement

UserPoolId

The user pool ID.

Required: Yes

Type: String

Minimum: 1

Maximum: 55

Pattern: [\w-]+_[0-9a-zA-Z]+

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the physicalResourceId, which is the "ProviderName". For example:

    { "Ref": "testProvider" }

For the Amazon Cognito identity provider testProvider, Ref returns the name of the identity provider.

For more information about using the Ref function, see Ref.

Examples

Create a new Login with Amazon identity provider

The following example creates a Login with Amazon identity provider in the referenced user pool.

JSON

    {
      "UserPoolIdentityProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
          "UserPoolId": { "Ref": "UserPool" },
          "ProviderName": "LoginWithAmazon",
          "ProviderDetails": {
            "client_id": "YourLoginWithAmazonAppId",
            "client_secret": "YourLoginWithAmazonAppSecret",
            "authorize_scopes": "profile postal_code"
          },
          "ProviderType": "LoginWithAmazon",
          "AttributeMapping": {
            "email": "email"
          }
        }
      }
    }

YAML

    UserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        UserPoolId: !Ref UserPool
        ProviderName: "LoginWithAmazon"
        ProviderDetails:
          client_id: "YourLoginWithAmazonAppId"
          client_secret: "YourLoginWithAmazonAppSecret"
          authorize_scopes: "profile postal_code"
        ProviderType: "LoginWithAmazon"
        AttributeMapping:
          email: "email"

Create a new Google identity provider

The following example creates a Google identity provider in the referenced user pool.

JSON

    {
      "UserPoolIdentityProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
          "UserPoolId": { "Ref": "UserPool" },
          "ProviderName": "Google",
          "ProviderDetails": {
            "client_id": "YourGoogleAppId",
            "client_secret": "YourGoogleAppSecret",
            "authorize_scopes": "profile email openid"
          },
          "ProviderType": "Google",
          "AttributeMapping": {
            "email": "email"
          }
        }
      }
    }

YAML

    UserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        UserPoolId: !Ref UserPool
        ProviderName: "Google"
        ProviderDetails:
          client_id: "YourGoogleAppId"
          client_secret: "YourGoogleAppSecret"
          authorize_scopes: "profile email openid"
        ProviderType: "Google"
        AttributeMapping:
          email: "email"

Create a new Facebook identity provider

The following example creates a Facebook identity provider in the referenced user pool.

JSON

    {
      "UserPoolIdentityProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
          "UserPoolId": { "Ref": "UserPool" },
          "ProviderName": "Facebook",
          "ProviderDetails": {
            "client_id": "YourFacebookAppId",
            "client_secret": "YourFacebookAppSecret",
            "authorize_scopes": "public_profile,email"
          },
          "ProviderType": "Facebook",
          "AttributeMapping": {
            "email": "email"
          }
        }
      }
    }

YAML

    UserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        UserPoolId: !Ref UserPool
        ProviderName: "Facebook"
        ProviderDetails:
          client_id: "YourFacebookAppId"
          client_secret: "YourFacebookAppSecret"
          authorize_scopes: "public_profile,email"
        ProviderType: "Facebook"
        AttributeMapping:
          email: "email"

Create a new Sign in with Apple identity provider

The following example creates a Sign in with Apple identity provider in the referenced user pool.

JSON

    {
      "UserPoolIdentityProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
          "UserPoolId": { "Ref": "UserPool" },
          "ProviderName": "SignInWithApple",
          "ProviderDetails": {
            "client_id": "YourAppleServicesId",
            "team_id": "YourAppleTeamId",
            "key_id": "YourApplePrivateKeyID",
            "private_key": "YourApplePrivateKey",
            "authorize_scopes": "public_profile,email"
          },
          "ProviderType": "SignInWithApple",
          "AttributeMapping": {
            "email": "email"
          }
        }
      }
    }

YAML

    UserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        UserPoolId: !Ref UserPool
        ProviderName: "SignInWithApple"
        ProviderDetails:
          client_id: "YourAppleServicesId"
          team_id: "YourAppleTeamId"
          key_id: "YourApplePrivateKeyID"
          private_key: "YourApplePrivateKey"
          authorize_scopes: "public_profile,email"
        ProviderType: "SignInWithApple"
        AttributeMapping:
          email: "email"

Create a new OIDC identity provider

The following example creates the OIDC identity provider "YourOIDCProviderName" in the referenced user pool.

JSON

    {
      "UserPoolIdentityProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
          "UserPoolId": { "Ref": "UserPool" },
          "ProviderName": "YourOIDCProviderName",
          "ProviderDetails": {
            "client_id": "YourOIDCClientId",
            "client_secret": "YourOIDCClientSecret",
            "attributes_request_method": "GET",
            "oidc_issuer": "YourOIDCIssuerURL",
            "authorize_scopes": "email profile openid"
          },
          "ProviderType": "OIDC",
          "AttributeMapping": {
            "email": "email"
          },
          "IdpIdentifiers": [ "IdpIdentifier" ]
        }
      }
    }

YAML

    UserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        UserPoolId: !Ref UserPool
        ProviderName: "YourOIDCProviderName"
        ProviderDetails:
          client_id: "YourOIDCClientId"
          client_secret: "YourOIDCClientSecret"
          attributes_request_method: "GET"
          oidc_issuer: "YourOIDCIssuerURL"
          authorize_scopes: "email profile openid"
        ProviderType: "OIDC"
        AttributeMapping:
          email: "email"
        IdpIdentifiers:
          - "IdpIdentifier"

Create a new SAML identity provider

The following example creates the SAML identity provider "YourProviderName" in the referenced user pool.

JSON

    {
      "UserPoolIdentityProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
          "UserPoolId": { "Ref": "UserPool" },
          "ProviderName": "YourProviderName",
          "ProviderDetails": {
            "MetadataURL": "YourMetadataURL"
          },
          "ProviderType": "SAML",
          "AttributeMapping": {
            "email": "Attribute"
          },
          "IdpIdentifiers": [ "IdpIdentifier" ]
        }
      }
    }

YAML

    UserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        UserPoolId: !Ref UserPool
        ProviderName: "YourProviderName"
        ProviderDetails:
          MetadataURL: "YourMetadataURL"
        ProviderType: "SAML"
        AttributeMapping:
          email: "Attribute"
        IdpIdentifiers:
          - "IdpIdentifier"
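The property constraints above (allowed ProviderType values, the ProviderDetails keys each type expects, the ProviderName and UserPoolId patterns and lengths, the IdpIdentifiers limit) are easy to get wrong when a template is copied from one provider to another, and CloudFormation only reports some of them at deploy time. The following pre-deployment lint is an added example, not AWS code and not part of this reference page; it encodes the page's constraints in Python and runs them over a resource parsed from a template. The `validate` function, `PROVIDER_KEYS` table and the sample resource are the example's own constructs. Two simplifications are assumptions of the example: the ProviderName check only enforces the length and the no-leading/trailing-underscore part of the page's `\p{…}` pattern, and a `{"Ref": ...}` UserPoolId is skipped because it resolves at deploy time. The last check, which flags a literal `client_secret` or `private_key` that is not a CloudFormation dynamic reference, is a hardening check of the example's own and not a constraint stated on this page.

```python
"""Lint one AWS::Cognito::UserPoolIdentityProvider resource against the
constraints on the reference page. Added example; not AWS code."""
import re

ALLOWED_TYPES = {"Facebook", "Google", "LoginWithAmazon", "OIDC", "SAML", "SignInWithApple"}

# ProviderDetails keys per provider type, taken from the page:
# (required keys, optional keys). Any other key is reported as foreign to the type.
PROVIDER_KEYS = {
    "Google":          ({"client_id", "client_secret", "authorize_scopes"}, set()),
    "LoginWithAmazon": ({"client_id", "client_secret", "authorize_scopes"}, set()),
    "Facebook":        ({"client_id", "client_secret", "authorize_scopes"}, {"api_version"}),
    "SignInWithApple": ({"client_id", "team_id", "key_id", "private_key", "authorize_scopes"},
                        set()),
    "OIDC":            ({"client_id", "client_secret", "attributes_request_method",
                         "oidc_issuer", "authorize_scopes"},
                        {"authorize_url", "token_url", "attributes_url", "jwks_uri"}),
    "SAML":            (set(), {"MetadataFile", "MetadataURL", "IDPSignout"}),
}

USER_POOL_ID_RE = re.compile(r"^[\w-]+_[0-9a-zA-Z]+$")      # pattern from the page
SECRET_KEYS = {"client_secret", "private_key"}
# CloudFormation dynamic-reference prefixes for secrets (example's own check).
DYNAMIC_REF_RE = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")


def validate(resource: dict) -> list:
    """Return a list of findings for one resource; an empty list means it passes."""
    findings = []
    if resource.get("Type") != "AWS::Cognito::UserPoolIdentityProvider":
        return ["Type must be AWS::Cognito::UserPoolIdentityProvider"]
    props = resource.get("Properties", {})

    for required in ("ProviderName", "ProviderType", "UserPoolId"):
        if required not in props:
            findings.append(f"{required} is required")

    name = props.get("ProviderName", "")
    if isinstance(name, str):
        if not 1 <= len(name) <= 32:
            findings.append("ProviderName length must be between 1 and 32")
        # Simplified form of the page's pattern: no underscore at either end.
        if name.startswith("_") or name.endswith("_"):
            findings.append("ProviderName must not start or end with '_'")

    pool = props.get("UserPoolId")
    if isinstance(pool, str):      # a {"Ref": ...} is resolved at deploy time; skipped
        if not 1 <= len(pool) <= 55 or not USER_POOL_ID_RE.match(pool):
            findings.append("UserPoolId must match [\\w-]+_[0-9a-zA-Z]+ and be at most 55 chars")

    if len(props.get("IdpIdentifiers", [])) > 50:
        findings.append("IdpIdentifiers has more than 50 entries")

    ptype = props.get("ProviderType")
    if ptype not in ALLOWED_TYPES:
        findings.append(f"ProviderType {ptype!r} is not an allowed value")
        return findings

    details = props.get("ProviderDetails", {})
    required, optional = PROVIDER_KEYS[ptype]
    for key in sorted(required - details.keys()):
        findings.append(f"{ptype}: ProviderDetails is missing {key}")
    for key in sorted(details.keys() - required - optional):
        findings.append(f"{ptype}: ProviderDetails key {key} does not belong to this type")
    if ptype == "SAML" and not ({"MetadataFile", "MetadataURL"} & details.keys()):
        findings.append("SAML: ProviderDetails needs MetadataFile or MetadataURL")
    for key in sorted(SECRET_KEYS & details.keys()):
        if isinstance(details[key], str) and not DYNAMIC_REF_RE.match(details[key]):
            findings.append(f"{key} is a literal in the template; use a dynamic reference")
    return findings


# Constructed sample: the Sign in with Apple example with its ProviderType
# mistakenly left as "Facebook", the kind of copy/paste slip the lint catches.
MISTYPED_APPLE = {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
        "UserPoolId": {"Ref": "UserPool"},
        "ProviderName": "SignInWithApple",
        "ProviderType": "Facebook",
        "ProviderDetails": {
            "client_id": "YourAppleServicesId",
            "team_id": "YourAppleTeamId",
            "key_id": "YourApplePrivateKeyID",
            "private_key": "YourApplePrivateKey",
            "authorize_scopes": "public_profile,email",
        },
        "AttributeMapping": {"email": "email"},
    },
}

if __name__ == "__main__":
    for finding in validate(MISTYPED_APPLE):
        print("-", finding)
```

Run against the mistyped sample, the lint reports the missing Facebook `client_secret`, the three Apple-only keys that do not belong to a Facebook provider, and the literal `private_key`; the same resource with `ProviderType: SignInWithApple` and the key supplied through a dynamic reference passes cleanly. To lint a whole template, parse it (for example with the `json` module, or a YAML loader that knows the `!Ref` tag) and call `validate` on every resource whose Type matches.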