AWS::Cognito::UserPoolIdentityProvider - Amazon CloudFormation
SyntaxPropertiesReturn valuesExamples
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::Cognito::UserPoolIdentityProvider

The AWS::Cognito::UserPoolIdentityProvider resource creates an identity provider for a user pool.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Cognito::UserPoolIdentityProvider",
  "Properties" : {
      "AttributeMapping" : Json,
      "IdpIdentifiers" : List,
      "ProviderDetails" : Json,
      "ProviderName" : String,
      "ProviderType" : String,
      "UserPoolId" : String
    }
}

YAML

Type: AWS::Cognito::UserPoolIdentityProvider
Properties:
  AttributeMapping: Json
  IdpIdentifiers: List
  ProviderDetails: Json
  ProviderName: String
  ProviderType: String
  UserPoolId: String

Properties

AttributeMapping

A mapping of IdP attributes to standard and custom user pool attributes.

Required: No

Type: Json

Update requires: No interruption

IdpIdentifiers

A list of IdP identifiers.

Required: No

Type: List of String

Maximum: 50

Update requires: No interruption

ProviderDetails

The IdP details. The following list describes the provider detail keys for each IdP type.

  • For Google and Login with Amazon:

    • client_id

    • client_secret

    • authorize_scopes

  • For Facebook:

    • client_id

    • client_secret

    • authorize_scopes

    • api_version

  • For Sign in with Apple:

    • client_id

    • team_id

    • key_id

    • private_key

    • authorize_scopes

  • For OpenID Connect (OIDC) providers:

    • client_id

    • client_secret

    • attributes_request_method

    • oidc_issuer

    • authorize_scopes

    • The following keys are only present if Amazon Cognito didn't discover them at the oidc_issuer URL.

      • authorize_url

      • token_url

      • attributes_url

      • jwks_uri

    • Amazon Cognito sets the value of the following keys automatically. They are read-only.

      • attributes_url_add_attributes

  • For SAML providers:

    • MetadataFile or MetadataURL

    • IDPSignout optional

Required: No

Type: Json

Update requires: No interruption

ProviderName

The IdP name.

Required: Yes

Type: String

Minimum: 1

Maximum: 32

Pattern: [^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+

Update requires: Replacement

ProviderType

The IdP type.

Required: Yes

Type: String

Allowed values: Facebook | Google | LoginWithAmazon | OIDC | SAML | SignInWithApple

Update requires: Replacement

UserPoolId

The user pool ID.

Required: Yes

Type: String

Minimum: 1

Maximum: 55

Pattern: [\w-]+_[0-9a-zA-Z]+

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns physicalResourceId, which is “ProviderName". For example:

{ "Ref": "testProvider" }

For the Amazon Cognito identity provider testProvider, Ref returns the name of the identity provider.

For more information about using the Ref function, see Ref.

Examples

Creating a new Login with Amazon identity provider

The following example creates a Login with Amazon identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "LoginWithAmazon",
      "ProviderDetails": {
        "client_id": "YourLoginWithAmazonAppId",
        "client_secret": "YourLoginWithAmazonAppSecret",
        "authorize_scopes": "profile postal_code"
      },
      "ProviderType": "LoginWithAmazon",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "LoginWithAmazon"
    ProviderDetails:
      client_id: "YourLoginWithAmazonAppId"
      client_secret: "YourLoginWithAmazonAppSecret"
      authorize_scopes: "profile postal_code"
    ProviderType: "LoginWithAmazon"
    AttributeMapping:
      email: "email"

Creating a new Google identity provider

The following example creates a Google identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "Google",
      "ProviderDetails": {
        "client_id": "YourGoogleAppId",
        "client_secret": "YourGoogleAppSecret",
        "authorize_scopes": "profile email openid"
      },
      "ProviderType": "Google",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "Google"
    ProviderDetails:
      client_id: "YourGoogleAppId"
      client_secret: "YourGoogleAppSecret"
      authorize_scopes: "profile email openid"
    ProviderType: "Google"
    AttributeMapping:
      email: "email"

Creating a new Facebook identity provider

The following example creates a Facebook identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "Facebook",
      "ProviderDetails": {
        "client_id": "YourFacebookAppId",
        "client_secret": "YourFacebookAppSecret",
        "authorize_scopes": "public_profile,email"
      },
      "ProviderType": "Facebook",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "Facebook"
    ProviderDetails:
      client_id: "YourFacebookAppId"
      client_secret: "YourFacebookAppSecret"
      authorize_scopes: "public_profile,email"
    ProviderType: "Facebook"
    AttributeMapping:
      email: "email"

Creating a new Sign in with Apple identity provider

The following example creates a Sign in with Apple identity provider in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "SignInWithApple",
      "ProviderDetails": {
        "client_id": "YourAppleServicesId",
        "team_id": "YourAppleTeamId",
        "key_id": "YourApplePrivateKeyID",
        "private_key": "YourApplePrivateKey",
        "authorize_scopes": "public_profile,email"
      },
      "ProviderType": "SignInWithApple",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "SignInWithApple"
    ProviderDetails:
      client_id: "YourSign"
      team_id: "YourAppleTeamId"
      key_id: "YourApplePrivateKeyID"
      private_key: "YourApplePrivateKey"
      authorize_scopes: "public_profile,email"
    ProviderType: "SignInWithApple"
    AttributeMapping:
      email: "email"

Creating a new OIDC identity provider

The following example creates the OIDC identity provider "YourOIDCProviderName" in the referenced user pool.

JSON

{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "YourOIDCProviderName",
      "ProviderDetails": {
        "client_id": "YourOIDCClientId",
        "client_secret": "YourOIDCClientSecret",
        "attributes_request_method": "GET",
        "oidc_issuer": "YourOIDCIssuerURL",
        "authorize_scopes": "email profile openid"
      },
      "ProviderType": "OIDC",
      "AttributeMapping": {
        "email": "email"
      },
      "IdpIdentifiers": [
        "IdpIdentifier"
      ]
    }
  }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "YourOIDCProviderName"
    ProviderDetails:
      client_id: "YourOIDCClientId"
      client_secret: "YourOIDCClientSecret"
      attributes_request_method: "GET"
      oidc_issuer: "YourOIDCIssuerURL"
      authorize_scopes: "email profile openid"
    ProviderType: "OIDC"
    AttributeMapping:
      email: "email"
    IdpIdentifiers:
      - "IdpIdentifier"

Creating a new SAML identity provider

The following example creates a SAML identity provider "YourProviderName" in the referenced user pool.

JSON

{
   "UserPoolIdentityProvider": {
      "Type": "AWS::Cognito::UserPoolIdentityProvider",
      "Properties": {
         "UserPoolId": {"Ref": "UserPool"},
         "ProviderName": "YourProviderName",
         "ProviderDetails": {
            "MetadataURL": "YourMetadataURL"
         },
         "ProviderType": "SAML",
         "AttributeMapping": {
            "email": "Attribute"
         },
         "IdpIdentifiers": [
            "IdpIdentifier"
         ]
      }
   }
}

YAML

UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "YourProviderName"
    ProviderDetails:
      MetadataURL: "YourMetadataURL"
    ProviderType: "SAML"
    AttributeMapping:
      email: "Attribute"
    IdpIdentifiers:
      - "IdpIdentifier"