This template sets up an AWS Cognito Identity Pool with a dedicated IAM role for authenticated users, including a rules-based role mapping for Facebook login.
# Trust policy for the authenticated role: only the Cognito Identity
# federation principal may assume it, and only for identities that belong
# to this pool (aud) and have logged in (amr contains "authenticated").
data "aws_iam_policy_document" "authenticated" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }

    # Restrict to tokens issued for this identity pool.
    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.main.id]
    }

    # Restrict to authenticated (not guest/unauthenticated) identities.
    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}
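# Permissions granted to every authenticated identity in the pool.
#
# Fix: `resources = [*]` is not valid HCL (the wildcard must be a string);
# it is now `["*"]`.
#
# NOTE(review): "cognito-sync:*" and "cognito-identity:*" on all resources
# is the broad default from the Cognito console. "cognito-identity:*" in
# particular includes pool-management actions, not just the
# GetId/GetCredentialsForIdentity calls an end user needs; consider
# narrowing the actions and scoping resources to this pool's ARN.
data "aws_iam_policy_document" "authenticated_role_policy" {
  statement {
    effect = "Allow"
    actions = [
      "mobileanalytics:PutEvents",
      "cognito-sync:*",
      "cognito-identity:*",
    ]
    resources = ["*"]
  }
}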
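# The identity pool. Guest (unauthenticated) identities are disabled, so
# credentials are only issued after a successful Facebook login.
#
# Fixes: map keys containing dots must be quoted in HCL
# (`graph.facebook.com`), and the stray `graph = "[object Object]"` entry
# was a serialization artifact, not a valid login provider, so it is removed.
resource "aws_cognito_identity_pool" "main" {
  identity_pool_name               = "identity pool"
  allow_unauthenticated_identities = false

  # Map of login provider domain -> app/client id. The value below is the
  # Facebook app id as given in the original template.
  supported_login_providers = {
    "graph.facebook.com" = "7346241598935555"
  }
}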
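# Binds the authenticated role to the pool and defines how Facebook
# identities are mapped to roles.
#
# Fix: `role_mapping` was written as a flat list of values; in the AWS
# provider it is a block with `identity_provider`, `type`,
# `ambiguous_role_resolution` and nested `mapping_rule` blocks. The original
# values are placed in their corresponding attributes.
resource "aws_cognito_identity_pool_roles_attachment" "main" {
  identity_pool_id = aws_cognito_identity_pool.main.id

  roles = {
    authenticated = aws_iam_role.authenticated.arn
  }

  role_mapping {
    identity_provider = "graph.facebook.com"
    type              = "Rules"
    # When no rule matches, fall back to the default authenticated role
    # rather than denying credentials.
    ambiguous_role_resolution = "AuthenticatedRole"

    # Identities whose token claim "isAdmin" equals "paid" get the
    # authenticated role (same role as the fallback, as in the original).
    mapping_rule {
      claim      = "isAdmin"
      match_type = "Equals"
      value      = "paid"
      role_arn   = aws_iam_role.authenticated.arn
    }
  }
}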
# IAM role assumed by authenticated pool identities; the trust policy is
# rendered from the "authenticated" policy document above.
resource "aws_iam_role" "authenticated" {
  name               = "cognito_authenticated"
  assume_role_policy = data.aws_iam_policy_document.authenticated.json
}
# Inline permissions policy attached to the authenticated role.
resource "aws_iam_role_policy" "authenticated" {
  role   = aws_iam_role.authenticated.id
  name   = "authenticated_policy"
  policy = data.aws_iam_policy_document.authenticated_role_policy.json
}