Search code examples
amazon-web-servicesaws-cloudformationaws-cdk

How to create AWS Cognito stack using AWS CDK


I'm new to aws cloudformation and the cdk. I'm trying to create a sample stack just to try things out and I keep getting this error: "Invalid Cognito Identity Provider (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidParameterException; Request ID: 7db28b4b-373b-4808-9c8d-1d197b0be542; Proxy: null)"

My code:

const cdk = require('aws-cdk-lib');
const ec2 = require('aws-cdk-lib/aws-ec2');
const apigateway = require('aws-cdk-lib/aws-apigateway');
const cognito = require('aws-cdk-lib/aws-cognito');
const iam = require('aws-cdk-lib/aws-iam');
const { Stack } = require('aws-cdk-lib');

class MyCdkStack extends Stack {
  /**
   *
   * @param {Construct} scope
   * @param {string} id
   * @param {StackProps=} props
   */
  constructor(scope, id, props) {
    super(scope, id, props);

    // Create a VPC for the EC2 instance
    const vpc = new ec2.Vpc(this, 'MyVPC', {
      maxAzs: 2 // Use 2 availability zones
    });

    const sg = new ec2.SecurityGroup(this, 'MySSHSecurityGroup', {
      vpc,
      description: 'Allow Outbound SSH access',
      securityGroupName: 'My SSH Security Group',
      allowAllOutbound: true // Allow all outbound traffic
    });

    // Allow SSH access from a specific IP range
    sg.addIngressRule(ec2.Peer.ipv4('anipaddress/32'), ec2.Port.tcp(22), 'Allow inbound SSH access from here');
    sg.addIngressRule(ec2.Peer.ipv4('anipaddress/32'), ec2.Port.tcp(22), 'Allow inbound SSH access from here 2');

    /////////////////////

    // Create a Cognito user pool
    const userPool = new cognito.UserPool(this, 'MyUserPool', {
      userPoolName: 'My User Pool',
      selfSignUpEnabled: true,
      autoVerify: { email: true },
      signInAliases: { email: true },
      passwordPolicy: {
        minLength: 8,
        requireDigits: true,
        requireLowercase: true,
        requireUppercase: true,
        requireSymbols: true
      }
    });

    const userPoolClient = new cognito.CfnUserPoolClient(this, "MyUserPoolClient", {
      userPoolId: userPool.ref,
      explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
      generateSecret: false,
      readAttributes: [
        "preferred_username",
        "website",
        "email",
        "name",
        "zoneinfo",
        "phone_number",
        "phone_number_verified",
        "email_verified",
      ],
      writeAttributes: ["name", "zoneinfo", "phone_number"],
    });

    // Create a Cognito identity pool
    const identityPool = new cognito.CfnIdentityPool(this, 'MyIdentityPool', {
      identityPoolName: 'My Identity Pool',
      allowUnauthenticatedIdentities: false,
      cognitoIdentityProviders: [{
        clientId: userPoolClient.ref,
        providerName: userPool.userPoolProviderName,
      }]
    });

    // Create an API Gateway REST API
    const restApi = new apigateway.RestApi(this, 'MyRestApi', {
      restApiName: 'My Rest API',
      deployOptions: {
        stageName: 'prod'
      }
    });

    const sg2 = new ec2.SecurityGroup(this, 'MyAPIGatewaySecurityGroup', {
      vpc,
      description: 'Allow port 80 traffic from the API Gateway',
      securityGroupName: 'My API Gateway Security Group',
      allowAllOutbound: true // Allow all outbound traffic
    });

    // Allow port 80 traffic from the API Gateway
    sg2.addIngressRule(
      ec2.Peer.ipv4(`${restApi.restApiId}.execute-api.${cdk.Stack.of(this).region}.amazonaws.com/32`),
      ec2.Port.tcp(80),
      'Allow port 80 traffic from the API Gateway'
    );

    const keyName = 'my-key-pair';

    // Create an EC2 key pair for SSH access
    const key = new ec2.CfnKeyPair(this, 'MyKeyPair', {
      keyName,
    });

    // Associate the key pair with the EC2 instance
    const instance = new ec2.Instance(this, 'MyEC2Instance', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
      machineImage: new ec2.AmazonLinuxImage(),
      vpc,
      securityGroup: sg2,
      key,
      userData: ec2.UserData.custom(`
      #!/bin/bash
      echo "Hello, world!" > /var/www/html/index.html
      `)
    });

    // Create a Cognito authorizer
    const authorizer = new apigateway.CfnAuthorizer(this, 'MyCognitoAuthorizer', {
      name: 'My-Cognito-Authorizer',
      identitySource: 'method.request.header.Authorization',
      restApiId: restApi.restApiId,
      type: apigateway.AuthorizationType.COGNITO,
      providerArns: [userPool.userPoolArn]
    });

    // Create a resource and method for the API Gateway and Add the Cognito authorizer to the method
    const resource = restApi.root.addResource('my-resource');
    const method = resource.addMethod('GET', new apigateway.HttpIntegration(`http://${instance.instancePublicIp}`),
      {
        authorizationType: apigateway.AuthorizationType.COGNITO, authorizer: authorizer
      });

    // Create an IAM role for authenticated users
    const authenticatedRole = new iam.Role(this, 'MyAuthenticatedRole', {
      assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPool.ref },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' }
      }, 'sts:AssumeRoleWithWebIdentity')
    });

    // Create an IAM role for unauthenticated users
    const unauthenticatedRole = new iam.Role(this, 'MyUnauthenticatedRole', {
      assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPool.ref },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' }
      }, 'sts:AssumeRoleWithWebIdentity')
    });

    // Grant permissions to the authenticated role
    authenticatedRole.addToPolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: [
        'execute-api:Invoke'
      ],
      resources: [
        method.methodArn
      ]
    }));

    // Grant permissions to the unauthenticated role
    unauthenticatedRole.addToPolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: [
        'cognito-identity:GetId',
        'cognito-identity:GetOpenIdToken'
      ],
      resources: [
        `arn:aws:cognito-identity:${this.region}:${this.account}:identitypool/${identityPool.ref}`
      ]
    }));

    // Set the roles for authenticated and unauthenticated users
    new cognito.CfnIdentityPoolRoleAttachment(this, 'MyIdentityPoolRoles', {
      identityPoolId: identityPool.ref,
      roles: {
        authenticated: authenticatedRole.roleArn,
        unauthenticated: unauthenticatedRole.roleArn
      }
    });
  }
}

module.exports = { MyCdkStack }

// const app = new cdk.App();
// new MyStack(app, 'MyStack');

EDIT (Added screenshot):enter image description here


Solution

  • Use a more up-to-date example. Perhaps:

        const userPoolWebClient = new cognito.UserPoolClient(
      this,
      'userPoolWebClient',
      {
        userPool: userPool,
        generateSecret: false,
        preventUserExistenceErrors: true,
        authFlows: {
          userPassword: true,
          userSrp: true,
        },
        oAuth: {
          flows: {
            authorizationCodeGrant: false,
            implicitCodeGrant: true,
          },
        },
      },
    );
    
    new core.CfnOutput(this, 'UserPoolWebClientId', {
      value: userPoolWebClient.userPoolClientId,
    });
    
    const identityPool = new cognito.CfnIdentityPool(
      this,
      'DashboardIdentityPool',
      {
        cognitoIdentityProviders: [
          {
            clientId: userPoolWebClient.userPoolClientId,
            providerName: `cognito-idp.${this.region}.amazonaws.com/${userPool.userPoolId}`,
          },
        ],
        allowUnauthenticatedIdentities: true,
      },
    );