AWS::VerifiedPermissions::IdentitySource - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Creates or updates a reference to Amazon Cognito as an external identity provider.

If you are creating a new identity source, then you must specify a Configuration. If you are updating an existing identity source, then you must specify an UpdateConfiguration.

After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine the attributes that are available to access in the Cedar principal from your policies.

Amazon Cognito Identity is not available in all of the same Amazon Web Services Regions as Amazon Verified Permissions. Because of this, the AWS::VerifiedPermissions::IdentitySource type is not available to create from Amazon CloudFormation in Regions where Amazon Cognito Identity is not currently available. Users can still create AWS::VerifiedPermissions::IdentitySource in those Regions, but only from the Amazon CLI, Amazon Verified Permissions SDK, or from the Amazon console.


To reference a user from this identity source in your Cedar policies, use the following syntax.


Where IdentityType is the string that you provide to the PrincipalEntityType parameter for this operation. The CognitoUserPoolId and CognitoClientId are defined by the Amazon Cognito user pool.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{ "Type" : "AWS::VerifiedPermissions::IdentitySource", "Properties" : { "Configuration" : IdentitySourceConfiguration, "PolicyStoreId" : String, "PrincipalEntityType" : String } }


Type: AWS::VerifiedPermissions::IdentitySource Properties: Configuration: IdentitySourceConfiguration PolicyStoreId: String PrincipalEntityType: String



Contains configuration information used when creating a new identity source.

Required: Yes

Type: IdentitySourceConfiguration

Update requires: No interruption


Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9-]*$

Minimum: 1

Maximum: 200

Update requires: Replacement


Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.

Required: No

Type: String

Pattern: ^.*$

Minimum: 1

Maximum: 200

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the unique id of the new identity source. For example:

{ "Ref": "ISEXAMPLEabcdefg111111" }

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The unique ID of the new or updated identity store.


Creating an identity source for a Amazon Cognito user pool

The following example creates an identity source in the specified policy store that points to a Amazon Cognito user pool using the specified client ID. The new identity source returns objects of the specified data type.


{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Amazon CloudFormation sample template for creating an identity source for Verified Permissions.", "Parameters": { "PolicyStoreId": { "Type": "String" }, "UserPoolArn": { "Type": "String" }, "ClientIds": { "Type": "List<String>" }, "PrincipalEntityType": { "Type": "String" } }, "Resources": { "IdentitySource": { "Type": "AWS::VerifiedPermissions::IdentitySource", "Properties": { "PolicyStoreId": { "Ref": "PolicyStoreId" }, "Configuration": { "CognitoUserPoolConfiguration": { "UserPoolArn": { "Ref": "UserPoolArn" }, "ClientIds": { "Ref": "ClientIds" } } }, "PrincipalEntityType": { "Ref": "PrincipalEntityType" } } } }, "Outputs": { "IdentitySourceId": { "Value": { "Fn::GetAtt": [ "IdentitySource", "IdentitySourceId" ] } } } }


AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "Amazon CloudFormation sample template for creating an identity source for Verified Permissions Parameters: PolicyStoreId: Type: String UserPoolArn: Type: String ClientIds: Type: List<String> PrincipalEntityType: Type: String Resources: IdentitySource: Type: AWS::VerifiedPermissions::IdentitySource Properties: PolicyStoreId: !Ref PolicyStoreId Configuration: CognitoUserPoolConfiguration: UserPoolArn: !Ref UserPoolArn ClientIds: !Ref ClientIds PrincipalEntityType: !Ref PrincipalEntityType Outputs: IdentitySourceId: Value: !GetAtt IdentitySource.IdentitySourceId