Syntax Properties Return values Examples

AWS::Cognito::UserPoolIdentityProvider

The AWS::Cognito::UserPoolIdentityProvider resource creates an identity provider for a user pool.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::Cognito::UserPoolIdentityProvider",
  "Properties" : {
      "AttributeMapping" : {Key: Value, ...},
      "IdpIdentifiers" : [ String, ... ],
      "ProviderDetails" : {Key: Value, ...},
      "ProviderName" : String,
      "ProviderType" : String,
      "UserPoolId" : String
    }
}

YAML


Type: AWS::Cognito::UserPoolIdentityProvider
Properties:
  AttributeMapping: 
    Key: Value
  IdpIdentifiers: 
    - String
  ProviderDetails: 
    Key: Value
  ProviderName: String
  ProviderType: String
  UserPoolId: String

Properties

AttributeMapping

A mapping of IdP attributes to standard and custom user pool attributes.

Required: No

Type: Object of String

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Update requires: No interruption

IdpIdentifiers

A list of IdP identifiers.

Required: No

Type: Array of String

Minimum: 0

Maximum: 50

Update requires: No interruption

ProviderDetails

The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP authorize_scopes values must match the values listed here.

OpenID Connect (OIDC)

Amazon Cognito accepts the following elements when it can't discover endpoint URLs from oidc_issuer: attributes_url, authorize_url, jwks_uri, token_url.

Create or update request: "ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }

Describe response: "ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }

SAML

Create or update request with Metadata URL: "ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }

Create or update request with Metadata file: "ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }

The value of MetadataFile must be the plaintext metadata document with all quote (") characters escaped by backslashes.

Describe response: "ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }

LoginWithAmazon

Create or update request: "ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"

Describe response: "ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }

Google

Create or update request: "ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }

Describe response: "ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }

SignInWithApple

Create or update request: "ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }

Describe response: "ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }

Facebook

Create or update request: "ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }

Describe response: "ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }

Required: Yes

Type: Object of String

Pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$

Update requires: No interruption

ProviderName

The IdP name.

Required: Yes

Type: String

Pattern: [^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+

Minimum: 1

Maximum: 32

Update requires: Replacement

ProviderType

The IdP type.

Required: Yes

Type: String

Update requires: Replacement

UserPoolId

The user pool ID.

Required: Yes

Type: String

Pattern: [\w-]+_[0-9a-zA-Z]+

Minimum: 1

Maximum: 55

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns physicalResourceId, which is “ProviderName". For example:

{ "Ref": "testProvider" }

For the Amazon Cognito identity provider testProvider, Ref returns the name of the identity provider.

For more information about using the Ref function, see Ref.

Examples

Creating a new Login with Amazon identity provider
Creating a new Google identity provider
Creating a new Facebook identity provider
Creating a new Sign in with Apple identity provider
Creating a new OIDC identity provider
Creating a new SAML identity provider

Creating a new Login with Amazon identity provider

The following example creates a Login with Amazon identity provider in the referenced user pool.

JSON


{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "LoginWithAmazon",
      "ProviderDetails": {
        "client_id": "YourLoginWithAmazonAppId",
        "client_secret": "YourLoginWithAmazonAppSecret",
        "authorize_scopes": "profile postal_code"
      },
      "ProviderType": "LoginWithAmazon",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML


UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "LoginWithAmazon"
    ProviderDetails:
      client_id: "YourLoginWithAmazonAppId"
      client_secret: "YourLoginWithAmazonAppSecret"
      authorize_scopes: "profile postal_code"
    ProviderType: "LoginWithAmazon"
    AttributeMapping:
      email: "email"

Creating a new Google identity provider

The following example creates a Google identity provider in the referenced user pool.

JSON


{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "Google",
      "ProviderDetails": {
        "client_id": "YourGoogleAppId",
        "client_secret": "YourGoogleAppSecret",
        "authorize_scopes": "profile email openid"
      },
      "ProviderType": "Google",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML


UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "Google"
    ProviderDetails:
      client_id: "YourGoogleAppId"
      client_secret: "YourGoogleAppSecret"
      authorize_scopes: "profile email openid"
    ProviderType: "Google"
    AttributeMapping:
      email: "email"

Creating a new Facebook identity provider

The following example creates a Facebook identity provider in the referenced user pool.

JSON


{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "Facebook",
      "ProviderDetails": {
        "client_id": "YourFacebookAppId",
        "client_secret": "YourFacebookAppSecret",
        "authorize_scopes": "public_profile,email"
      },
      "ProviderType": "Facebook",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML


UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "Facebook"
    ProviderDetails:
      client_id: "YourFacebookAppId"
      client_secret: "YourFacebookAppSecret"
      authorize_scopes: "public_profile,email"
    ProviderType: "Facebook"
    AttributeMapping:
      email: "email"

Creating a new Sign in with Apple identity provider

The following example creates a Sign in with Apple identity provider in the referenced user pool.

JSON


{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "SignInWithApple",
      "ProviderDetails": {
        "client_id": "YourAppleServicesId",
        "team_id": "YourAppleTeamId",
        "key_id": "YourApplePrivateKeyID",
        "private_key": "YourApplePrivateKey",
        "authorize_scopes": "public_profile,email"
      },
      "ProviderType": "SignInWithApple",
      "AttributeMapping": {
        "email": "email"
      }
    }
  }
}

YAML


UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "SignInWithApple"
    ProviderDetails:
      client_id: "YourSign"
      team_id: "YourAppleTeamId"
      key_id: "YourApplePrivateKeyID"
      private_key: "YourApplePrivateKey"
      authorize_scopes: "public_profile,email"
    ProviderType: "SignInWithApple"
    AttributeMapping:
      email: "email"

Creating a new OIDC identity provider

The following example creates the OIDC identity provider "YourOIDCProviderName" in the referenced user pool.

JSON


{
  "UserPoolIdentityProvider": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
      "UserPoolId": {
        "Ref": "UserPool"
      },
      "ProviderName": "YourOIDCProviderName",
      "ProviderDetails": {
        "client_id": "YourOIDCClientId",
        "client_secret": "YourOIDCClientSecret",
        "attributes_request_method": "GET",
        "oidc_issuer": "YourOIDCIssuerURL",
        "authorize_scopes": "email profile openid"
      },
      "ProviderType": "OIDC",
      "AttributeMapping": {
        "email": "email"
      },
      "IdpIdentifiers": [
        "IdpIdentifier"
      ]
    }
  }
}

YAML


UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "YourOIDCProviderName"
    ProviderDetails:
      client_id: "YourOIDCClientId"
      client_secret: "YourOIDCClientSecret"
      attributes_request_method: "GET"
      oidc_issuer: "YourOIDCIssuerURL"
      authorize_scopes: "email profile openid"
    ProviderType: "OIDC"
    AttributeMapping:
      email: "email"
    IdpIdentifiers:
      - "IdpIdentifier"

Creating a new SAML identity provider

The following example creates a SAML identity provider "YourProviderName" in the referenced user pool.

JSON


{
   "UserPoolIdentityProvider": {
      "Type": "AWS::Cognito::UserPoolIdentityProvider",
      "Properties": {
         "UserPoolId": {"Ref": "UserPool"},
         "ProviderName": "YourProviderName",
         "ProviderDetails": {
            "MetadataURL": "YourMetadataURL"
         },
         "ProviderType": "SAML",
         "AttributeMapping": {
            "email": "Attribute"
         },
         "IdpIdentifiers": [
            "IdpIdentifier"
         ]
      }
   }
}

YAML


UserPoolIdentityProvider:
  Type: AWS::Cognito::UserPoolIdentityProvider
  Properties:
    UserPoolId: !Ref UserPool
    ProviderName: "YourProviderName"
    ProviderDetails:
      MetadataURL: "YourMetadataURL"
    ProviderType: "SAML"
    AttributeMapping:
      email: "Attribute"
    IdpIdentifiers:
      - "IdpIdentifier"

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS::Cognito::UserPoolGroup

AWS::Cognito::UserPoolResourceServer