Creating and Managing Cognito UserPool from within CodePipeline with Cloudformation Template


Hi all, I am currently facing a weird issue with my cloudformation template execution in my codepipeline.

Goal: I want to create and "manage" a Cognito UserPool

Precondition: For executing my cloudformation template with the Cognito UserPool Stuff inside I have added the respective permission to the corresponding role which executes the pipeline/template step (This role is of course NOT inside of the template I want to execute).

  CFNRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: CloudFormationRole-${AWS::StackName}
      AssumeRolePolicyDocument:
        Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com]
        Version: '2012-10-17'
      Path: /
      Policies:
        - PolicyName: CloudFormationRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            [...]
              -
                Effect: "Allow"
                Action:
                  - "cognito-idp:CreateUserPool"
                  - "cognito-idp:*"
                Resource:
                  - "arn:aws:cognito-idp:*:*:userpool/*"

When I run my template I now receive the following error:

User: arn:aws:sts::*******:assumed-role/CloudFormationRole-*****/AWSCloudFormation is not authorized to perform: cognito-idp:CreateUserPool on resource: * because no identity-based policy allows the cognito-idp:CreateUserPool action

What can I do to grant the corresponding permission to my Pipeline/Cloudformation Role?

Thanks in advance, best

1 Answer

Your PolicyDocument looks correct to me, but IAM permissions are sometimes a real PITA to get right. Looking more closely at the error, it seems to indicate that it's complaining about the resource not being "*". Maybe Cognito doesn't support resource-level permissions and you have to use the wildcard; I looked in the Cognito docs but I can't find a clear answer.

Suggestion: change

Resource:
   - "arn:aws:cognito-idp:*:*:userpool/*"

to

Resource:
   - "*"
RNHurt
answered a year ago
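As an added example (not part of the question or of RNHurt's answer): the CreateUserPool call cannot be scoped to a userpool ARN because the pool has no ARN until the call succeeds, so that one action gets Resource "*" while the remaining lifecycle actions stay scoped to pool ARNs instead of the blanket "cognito-idp:*". The exact set of follow-up actions CloudFormation needs is an assumption and may need extending for your template's other Cognito resources.

```yaml
# Added example policy block, drop-in replacement for the cognito-idp statement
# in the CFNRole Policies list above (same PolicyDocument indentation as the question).
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Creation has no pool ARN yet, so the action is only grantable on "*".
              - Effect: "Allow"
                Action:
                  - "cognito-idp:CreateUserPool"
                Resource: "*"
              # Everything after creation can be limited to pools in this account/region.
              # Assumed action list; extend it for UserPoolClient, Domain, Group, etc.
              - Effect: "Allow"
                Action:
                  - "cognito-idp:DescribeUserPool"
                  - "cognito-idp:UpdateUserPool"
                  - "cognito-idp:DeleteUserPool"
                  - "cognito-idp:TagResource"
                  - "cognito-idp:UntagResource"
                Resource:
                  - !Sub "arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*"
```

Removing "cognito-idp:*" keeps the CloudFormation role from being able to touch pools it did not create in other regions, which matters because this role is assumed by every stack the pipeline deploys.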
