Hi all,
I am currently facing a weird issue with my CloudFormation template execution in my CodePipeline.
Goal:
I want to create and "manage" a Cognito UserPool
Precondition:
For executing my CloudFormation template with the Cognito UserPool stuff inside, I have added the respective permission to the corresponding role which executes the pipeline/template step (this role is of course NOT inside the template I want to execute).
CFNRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName:
      Fn::Sub: CloudFormationRole-${AWS::StackName}
    AssumeRolePolicyDocument:
      Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com]
      Version: '2012-10-17'
    Path: /
    Policies:
      - PolicyName: CloudFormationRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            [...]
            -
              Effect: "Allow"
              Action:
                - "cognito-idp:CreateUserPool"
                - "cognito-idp:*"
              Resource:
                - "arn:aws:cognito-idp:*:*:userpool/*"
When I run my template I now receive the following error:
User: arn:aws:sts::*******:assumed-role/CloudFormationRole-*****/AWSCloudFormation is not authorized to perform: cognito-idp:CreateUserPool on resource: * because no identity-based policy allows the cognito-idp:CreateUserPool action
What can I do to grant the corresponding permission to my Pipeline/Cloudformation Role?
Thanks in advance,
best
"Actions defined by Amazon Cognito User Pools" is documented at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html, where the row for "CreateUserPool" has no value in the Resource types column, meaning you must specify all resources ("*") in the Resource element of your policy statement.
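One way to apply that answer while keeping the rest of the permissions scoped, added here as an example and not code from the thread: split the Cognito part of the policy into one statement for the action that has no resource type (Resource "*") and one for the actions that target a user pool. The explicit action list in the second statement and the Sid names are assumptions; the original snippet used cognito-idp:* there.

```yaml
# Added example (not from the original post): the Cognito part of the
# CloudFormationRole policy, split by whether the action has a resource type.
Policies:
  - PolicyName: CloudFormationRole
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # CreateUserPool has an empty Resource types column in the service
        # authorization reference, so "*" is the only Resource that matches it.
        # Any other action with an empty Resource types column belongs here too.
        - Sid: CognitoActionsWithoutResourceType
          Effect: Allow
          Action:
            - cognito-idp:CreateUserPool
          Resource: "*"
        # Actions that operate on an existing pool stay scoped to the userpool
        # ARN, narrowed to this account and region. The action list is an
        # assumption: extend it to what the template actually manages.
        - Sid: CognitoUserPoolScoped
          Effect: Allow
          Action:
            - cognito-idp:DescribeUserPool
            - cognito-idp:UpdateUserPool
            - cognito-idp:DeleteUserPool
            - cognito-idp:CreateUserPoolClient
            - cognito-idp:DescribeUserPoolClient
            - cognito-idp:UpdateUserPoolClient
            - cognito-idp:DeleteUserPoolClient
          Resource:
            - !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*
```

The pool id is only known after the stack creates it, so the second statement keeps a wildcard pool id; pinning the account and region is as tight as the ARN pattern allows before creation.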