I'm new to aws cloudformation and the cdk. I'm trying to create a sample stack just to try things out and I keep getting this error: "Invalid Cognito Identity Provider (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidParameterException; Request ID: 7db28b4b-373b-4808-9c8d-1d197b0be542; Proxy: null)"
My code:
const cdk = require('aws-cdk-lib');
const ec2 = require('aws-cdk-lib/aws-ec2');
const apigateway = require('aws-cdk-lib/aws-apigateway');
const cognito = require('aws-cdk-lib/aws-cognito');
const iam = require('aws-cdk-lib/aws-iam');
const { Stack } = require('aws-cdk-lib');
class MyCdkStack extends Stack {
/**
*
* @param {Construct} scope
* @param {string} id
* @param {StackProps=} props
*/
constructor(scope, id, props) {
super(scope, id, props);
// Create a VPC for the EC2 instance
const vpc = new ec2.Vpc(this, 'MyVPC', {
maxAzs: 2 // Use 2 availability zones
});
const sg = new ec2.SecurityGroup(this, 'MySSHSecurityGroup', {
vpc,
description: 'Allow Outbound SSH access',
securityGroupName: 'My SSH Security Group',
allowAllOutbound: true // Allow all outbound traffic
});
// Allow SSH access from a specific IP range
sg.addIngressRule(ec2.Peer.ipv4('anipaddress/32'), ec2.Port.tcp(22), 'Allow inbound SSH access from here');
sg.addIngressRule(ec2.Peer.ipv4('anipaddress/32'), ec2.Port.tcp(22), 'Allow inbound SSH access from here 2');
/////////////////////
// Create a Cognito user pool
const userPool = new cognito.UserPool(this, 'MyUserPool', {
userPoolName: 'My User Pool',
selfSignUpEnabled: true,
autoVerify: { email: true },
signInAliases: { email: true },
passwordPolicy: {
minLength: 8,
requireDigits: true,
requireLowercase: true,
requireUppercase: true,
requireSymbols: true
}
});
const userPoolClient = new cognito.CfnUserPoolClient(this, "MyUserPoolClient", {
userPoolId: userPool.ref,
explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
generateSecret: false,
readAttributes: [
"preferred_username",
"website",
"email",
"name",
"zoneinfo",
"phone_number",
"phone_number_verified",
"email_verified",
],
writeAttributes: ["name", "zoneinfo", "phone_number"],
});
// Create a Cognito identity pool
const identityPool = new cognito.CfnIdentityPool(this, 'MyIdentityPool', {
identityPoolName: 'My Identity Pool',
allowUnauthenticatedIdentities: false,
cognitoIdentityProviders: [{
clientId: userPoolClient.ref,
providerName: userPool.userPoolProviderName,
}]
});
// Create an API Gateway REST API
const restApi = new apigateway.RestApi(this, 'MyRestApi', {
restApiName: 'My Rest API',
deployOptions: {
stageName: 'prod'
}
});
const sg2 = new ec2.SecurityGroup(this, 'MyAPIGatewaySecurityGroup', {
vpc,
description: 'Allow port 80 traffic from the API Gateway',
securityGroupName: 'My API Gateway Security Group',
allowAllOutbound: true // Allow all outbound traffic
});
// Allow port 80 traffic from the API Gateway
sg2.addIngressRule(
ec2.Peer.ipv4(`${restApi.restApiId}.execute-api.${cdk.Stack.of(this).region}.amazonaws.com/32`),
ec2.Port.tcp(80),
'Allow port 80 traffic from the API Gateway'
);
const keyName = 'my-key-pair';
// Create an EC2 key pair for SSH access
const key = new ec2.CfnKeyPair(this, 'MyKeyPair', {
keyName,
});
// Associate the key pair with the EC2 instance
const instance = new ec2.Instance(this, 'MyEC2Instance', {
instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
machineImage: new ec2.AmazonLinuxImage(),
vpc,
securityGroup: sg2,
key,
userData: ec2.UserData.custom(`
#!/bin/bash
echo "Hello, world!" > /var/www/html/index.html
`)
});
// Create a Cognito authorizer
const authorizer = new apigateway.CfnAuthorizer(this, 'MyCognitoAuthorizer', {
name: 'My-Cognito-Authorizer',
identitySource: 'method.request.header.Authorization',
restApiId: restApi.restApiId,
type: apigateway.AuthorizationType.COGNITO,
providerArns: [userPool.userPoolArn]
});
// Create a resource and method for the API Gateway and Add the Cognito authorizer to the method
const resource = restApi.root.addResource('my-resource');
const method = resource.addMethod('GET', new apigateway.HttpIntegration(`http://${instance.instancePublicIp}`),
{
authorizationType: apigateway.AuthorizationType.COGNITO, authorizer: authorizer
});
// Create an IAM role for authenticated users
const authenticatedRole = new iam.Role(this, 'MyAuthenticatedRole', {
assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPool.ref },
'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' }
}, 'sts:AssumeRoleWithWebIdentity')
});
// Create an IAM role for unauthenticated users
const unauthenticatedRole = new iam.Role(this, 'MyUnauthenticatedRole', {
assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPool.ref },
'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' }
}, 'sts:AssumeRoleWithWebIdentity')
});
// Grant permissions to the authenticated role
authenticatedRole.addToPolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: [
'execute-api:Invoke'
],
resources: [
method.methodArn
]
}));
// Grant permissions to the unauthenticated role
unauthenticatedRole.addToPolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: [
'cognito-identity:GetId',
'cognito-identity:GetOpenIdToken'
],
resources: [
`arn:aws:cognito-identity:${this.region}:${this.account}:identitypool/${identityPool.ref}`
]
}));
// Set the roles for authenticated and unauthenticated users
new cognito.CfnIdentityPoolRoleAttachment(this, 'MyIdentityPoolRoles', {
identityPoolId: identityPool.ref,
roles: {
authenticated: authenticatedRole.roleArn,
unauthenticated: unauthenticatedRole.roleArn
}
});
}
}
module.exports = { MyCdkStack }
// const app = new cdk.App();
// new MyStack(app, 'MyStack');
Use a more up-to-date example. Perhaps:
const userPoolWebClient = new cognito.UserPoolClient(
this,
'userPoolWebClient',
{
userPool: userPool,
generateSecret: false,
preventUserExistenceErrors: true,
authFlows: {
userPassword: true,
userSrp: true,
},
oAuth: {
flows: {
authorizationCodeGrant: false,
implicitCodeGrant: true,
},
},
},
);
new core.CfnOutput(this, 'UserPoolWebClientId', {
value: userPoolWebClient.userPoolClientId,
});
const identityPool = new cognito.CfnIdentityPool(
this,
'DashboardIdentityPool',
{
cognitoIdentityProviders: [
{
clientId: userPoolWebClient.userPoolClientId,
providerName: `cognito-idp.${this.region}.amazonaws.com/${userPool.userPoolId}`,
},
],
allowUnauthenticatedIdentities: true,
},
);