This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::Cognito::IdentityPoolRoleAttachment The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role configuration for an Amazon Cognito identity pool. ## Syntax To declare this entity in your Amazon CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::Cognito::IdentityPoolRoleAttachment", "Properties" : { "[IdentityPoolId](#cfn-cognito-identitypoolroleattachment-identitypoolid)" : {{String}}, "[RoleMappings](#cfn-cognito-identitypoolroleattachment-rolemappings)" : {{RoleMapping}}, "[Roles](#cfn-cognito-identitypoolroleattachment-roles)" : {{String}} } } ``` ### YAML ``` Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: [IdentityPoolId](#cfn-cognito-identitypoolroleattachment-identitypoolid): {{String}} [RoleMappings](#cfn-cognito-identitypoolroleattachment-rolemappings): {{ RoleMapping}} [Roles](#cfn-cognito-identitypoolroleattachment-roles): {{String}} ``` ## Properties `IdentityPoolId` An identity pool ID in the format `REGION:GUID`. *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `RoleMappings` How users for a specific identity provider are mapped to roles. This is a string to the `RoleMapping` object map. The string identifies the identity provider. For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id`. If the `IdentityProvider` field isn't provided in this object, the string is used as the identity provider name. For more information, see the [RoleMapping property](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html). *Required*: No *Type*: [RoleMapping](aws-properties-cognito-identitypoolroleattachment-rolemapping.md) *Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Roles` The map of the roles associated with this pool. For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN. *Required*: No *Type*: String *Pattern*: `^.+$` *Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `IdentityPoolId`, such as `us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE`. For more information about using the `Ref` function, see [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Id` The resource ID. ## Examples ### Setting the roles for an identity pool The following example sets roles for an identity pool. It sets “authenticated” and “unauthenticated” roles and maps two identity providers to them. The first identity provider is “graph.facebook.com”. The second is using a reference to set the identity provider name. #### JSON ``` { "IdentityPoolRoleAttachment":{ "Type":"AWS::Cognito::IdentityPoolRoleAttachment", "Properties":{ "IdentityPoolId":{ "Ref":"IdentityPool" }, "Roles":{ "authenticated":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "unauthenticated":{ "Fn::GetAtt":[ "UnAuthenticatedRole", "Arn" ] } }, "RoleMappings":{ "graph.facebook.com":{ "IdentityProvider":"graph.facebook.com", "AmbiguousRoleResolution":"Deny", "Type":"Rules", "RulesConfiguration":{ "Rules":[ { "Claim":"sub", "MatchType":"Equals", "RoleARN":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "Value":"goodvalue" } ] } }, "userpool1":{ "IdentityProvider":{ "Ref":"CognitoUserPool" }, "AmbiguousRoleResolution":"Deny", "Type":"Rules", "RulesConfiguration":{ "Rules":[ { "Claim":"sub", "MatchType":"Equals", "RoleARN":{ "Fn::GetAtt":[ "AuthenticatedRole", "Arn" ] }, "Value":"goodvalue" } ] } } } } } } ``` #### YAML ``` IdentityPoolRoleAttachment: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: !Ref IdentityPool Roles: "authenticated": !GetAtt AuthenticatedRole.Arn "unauthenticated": !GetAtt UnAuthenticatedRole.Arn RoleMappings: "graph.facebook.com": IdentityProvider: "graph.facebook.com" AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue" "userpool1": IdentityProvider: !Ref CognitoUserPool AmbiguousRoleResolution: Deny Type: Rules RulesConfiguration: Rules: - Claim: "sub" MatchType: "Equals" RoleARN: !GetAtt AuthenticatedRole.Arn Value: "goodvalue" ```