khi*_*ter 5 amazon-web-services aws-elasticsearch aws-cdk
I have deployed https://github.com/aws-samples/amazon-elasticsearch-service-with-cognito into my stack and am trying to add a master group following https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-iam
diff --git a/lib/search-stack.ts b/lib/search-stack.ts
index 85de0c0..2493c92 100644
--- a/lib/search-stack.ts
+++ b/lib/search-stack.ts
@@ -3,7 +3,7 @@
import { Fn, Stack, Construct, StackProps, CfnParameter, CfnOutput } from '@aws-cdk/core';
import { CfnDomain } from '@aws-cdk/aws-elasticsearch';
-import { UserPoolAttribute, CfnUserPoolDomain, CfnIdentityPool, CfnIdentityPoolRoleAttachment, CfnUserPool } from '@aws-cdk/aws-cognito';
+import { UserPoolAttribute, CfnUserPoolDomain, CfnIdentityPool, CfnIdentityPoolRoleAttachment, CfnUserPool, CfnUserPoolGroup } from '@aws-cdk/aws-cognito';
import { Role, ManagedPolicy, ServicePrincipal, FederatedPrincipal } from '@aws-cdk/aws-iam';
import { CustomResource } from '@aws-cdk/aws-cloudformation';
@@ -55,6 +55,19 @@ export class SearchStack extends Stack {
}, "sts:AssumeRoleWithWebIdentity")
});
+ // create two groups, one for admins one for users
+
+ new CfnUserPoolGroup(this, "AdminsGroup", {
+ groupName: "master-user-group",
+ userPoolId: idPool.ref,
+
+ });
+
+ new CfnUserPoolGroup(this, "UsersGroup", {
+ groupName: "limited-user-group",
+ userPoolId: idPool.ref,
+ });
+
const esRole = new Role(this, "esRole", {
assumedBy: new ServicePrincipal('es.amazonaws.com'),
managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName("AmazonESCognitoAccess")]
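Review bot: both new CfnUserPoolGroup resources pass `userPoolId: idPool.ref`, but the variable name and the `CfnIdentityPool` import indicate `idPool` is the Cognito identity pool, while `CfnUserPoolGroup.userPoolId` must be the ID of the user pool (the `CfnUserPool`); wired this way the groups are attached to the wrong resource and will not show up in the user pool. Pass the user pool's reference instead, e.g. `userPoolId: userPool.ref` (or `userPool.userPoolId` on an L2 `UserPool` construct). Minor: the stray blank line and dangling comma inside the AdminsGroup props object should go, and the comment could say these two groups are the master and limited roles for fine-grained access control.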
But after redeploying, the role is not created!
Any advice is greatly appreciated.
As of AWS CDK v1.91.0, use userPoolId instead of ref:
import * as cognito from '@aws-cdk/aws-cognito';
//...
const userPool = new cognito.UserPool(this, 'UserPool', {
//...
});
new cognito.CfnUserPoolGroup(this, "ManagerGroup", {
groupName: "manager",
userPoolId: userPool.userPoolId
});
OK, I needed to use:
new CfnUserPoolGroup(this, "AdminsGroup", {
groupName: "master-user-group",
userPoolId: userPool.ref
});
new CfnUserPoolGroup(this, "UsersGroup", {
groupName: "limited-user-group",
userPoolId: userPool.ref
});
instead of idPool.ref
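Added example (not code from the question, the answers or the aws-samples project): a TypeScript check over a synthesized CloudFormation template (the JSON that `cdk synth` writes) that flags any AWS::Cognito::UserPoolGroup whose UserPoolId is a Ref to something other than an AWS::Cognito::UserPool, which is exactly what the `idPool.ref` in the question's diff produces and what the fix above (`userPool.ref`) corrects. The sample template and its logical ids are constructed for the example.

```typescript
// Shape of the parts of a CloudFormation template the check needs.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

interface Finding {
  group: string;            // logical id of the AWS::Cognito::UserPoolGroup
  target: string | null;    // logical id its UserPoolId Ref points at, if any
  targetType: string | null;
  ok: boolean;              // true only when the target is a user pool
}

// Resolve a `{ Ref: "LogicalId" }` intrinsic to its logical id; anything else
// (a literal string, Fn::GetAtt, an unresolved token) yields null.
function refTarget(value: unknown): string | null {
  if (value && typeof value === 'object' && 'Ref' in (value as object)) {
    const id = (value as { Ref: unknown }).Ref;
    return typeof id === 'string' ? id : null;
  }
  return null;
}

// Walk every user-pool group and report what its UserPoolId actually references.
function checkUserPoolGroups(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::Cognito::UserPoolGroup') continue;
    const target = refTarget(res.Properties?.UserPoolId);
    const targetType = target ? template.Resources[target]?.Type ?? null : null;
    findings.push({ group: logicalId, target, targetType,
                    ok: targetType === 'AWS::Cognito::UserPool' });
  }
  return findings;
}

// Logical ids of groups wired to the wrong pool (the question's mistake).
function badGroups(template: Template): string[] {
  return checkUserPoolGroups(template).filter(f => !f.ok).map(f => f.group);
}

// Constructed sample mirroring the question: AdminsGroup uses the identity pool
// (the bug), UsersGroup uses the user pool (the fix). Ids are assumptions.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    UserPool: { Type: 'AWS::Cognito::UserPool' },
    IdPool: { Type: 'AWS::Cognito::IdentityPool' },
    AdminsGroup: { Type: 'AWS::Cognito::UserPoolGroup',
      Properties: { GroupName: 'master-user-group', UserPoolId: { Ref: 'IdPool' } } },
    UsersGroup: { Type: 'AWS::Cognito::UserPoolGroup',
      Properties: { GroupName: 'limited-user-group', UserPoolId: { Ref: 'UserPool' } } },
  },
};
```

Run it against the real `cdk synth` output before deploying; a non-empty result from `badGroups` means a group will silently land outside the user pool the fine-grained access control roles are mapped to.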
小智 1
Since version 1.1.1, the amazon-elasticsearch-service-with-cognito code includes the configuration for fine-grained access control, including an Amazon Cognito group named "es-admins" and the required role resolution.