import { CfnOutput } from "@aws-cdk/core";
import * as iam from "@aws-cdk/aws-iam";
import * as cognito from "@aws-cdk/aws-cognito";
import * as sst from "@serverless-stack/resources";
import CognitoAuthRole from "./CognitoAuthRole";
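/**
 * Cognito stack: a user pool (email sign-in, self sign-up), a web client
 * issued without a client secret, an identity pool that only admits
 * authenticated identities, and an IAM role whose S3 access is scoped to each
 * user's own prefix inside the bucket passed in via `props.bucketArn`.
 *
 * Outputs: UserPoolId, UserPoolClientId, IdentityPoolId and
 * AuthenticatedRoleName (the last one is exported under the app's prefixed
 * name so other stacks can import it).
 */
export default class CognitoStack extends sst.Stack {
  /**
   * @param {sst.App} scope - the SST app this stack belongs to
   * @param {string} id - stack id
   * @param {{ bucketArn: string }} props - ARN of the bucket users get a
   *   private folder in; the policy below is meaningless without it
   * @throws {Error} when `props.bucketArn` is missing or empty
   */
  constructor(scope, id, props) {
    super(scope, id, props);

    const { bucketArn } = props ?? {};
    // Without this guard a missing ARN silently yields a policy over
    // "undefined/private/..." instead of the intended bucket; fail at synth
    // time rather than deploy a broken grant.
    if (typeof bucketArn !== "string" || bucketArn.length === 0) {
      throw new Error("CognitoStack requires props.bucketArn (non-empty string)");
    }

    const app = this.node.root;

    const userPool = new cognito.UserPool(this, "UserPool", {
      selfSignUpEnabled: true, // Allow users to sign up
      autoVerify: { email: true }, // Verify email addresses by sending a verification code
      signInAliases: { email: true }, // Set email as an alias
    });

    const userPoolClient = new cognito.UserPoolClient(this, "UserPoolClient", {
      userPool,
      generateSecret: false, // A browser client cannot keep a secret, so none is issued
    });

    const identityPool = new cognito.CfnIdentityPool(this, "IdentityPool", {
      allowUnauthenticatedIdentities: false, // Only authenticated users receive credentials
      cognitoIdentityProviders: [
        {
          clientId: userPoolClient.userPoolClientId,
          providerName: userPool.userPoolProviderName,
        },
      ],
    });

    const authenticatedRole = new CognitoAuthRole(this, "CognitoAuthRole", {
      identityPool,
    });

    // Per-user S3 folder. "${cognito-identity.amazonaws.com:sub}" is an IAM
    // policy variable that AWS substitutes with the caller's identity id at
    // evaluation time -- it is deliberately NOT a JS template interpolation,
    // which is why the resource is built with "+" and a plain double-quoted
    // literal. The object-level ARN keeps the grant inside the user's own
    // prefix; even so, "s3:*" is broader than a web client needs and is worth
    // narrowing to the specific object actions once they are known.
    authenticatedRole.role.addToPolicy(
      new iam.PolicyStatement({
        actions: ["s3:*"],
        effect: iam.Effect.ALLOW,
        resources: [
          bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
        ],
      })
    );

    // Export values
    new CfnOutput(this, "UserPoolId", { value: userPool.userPoolId });
    new CfnOutput(this, "UserPoolClientId", {
      value: userPoolClient.userPoolClientId,
    });
    new CfnOutput(this, "IdentityPoolId", { value: identityPool.ref });
    new CfnOutput(this, "AuthenticatedRoleName", {
      value: authenticatedRole.role.roleName,
      exportName: app.logicalPrefixedName("CognitoAuthRole"),
    });
  }
}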