I created a CloudFormation script which creates AWS Cognito and deploys a set of AWS Lambdas. The CloudFormation YAML looks like below:
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Sub ${EnvPrefix}-smartshoesuserpool
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireUppercase: true
        RequireLowercase: true
        RequireNumbers: true
        RequireSymbols: true
        TemporaryPasswordValidityDays: 7
    AutoVerifiedAttributes:
      - email
    AliasAttributes:
      - email
    EmailVerificationMessage: 'Your verification code is {####}. '
    EmailVerificationSubject: Your verification code
    VerificationMessageTemplate:
      EmailMessage: 'Your verification code is {####}. '
      EmailSubject: Your verification code
      DefaultEmailOption: CONFIRM_WITH_CODE
    MfaConfiguration: 'OFF'
    EmailConfiguration:
      EmailSendingAccount: COGNITO_DEFAULT
    AdminCreateUserConfig:
      AllowAdminCreateUserOnly: false
      InviteMessageTemplate:
        SMSMessage: 'Your username is {username} and temporary password is {####}. '
        EmailMessage: 'Your username is {username} and temporary password is {####}. '
        EmailSubject: Your temporary password
    UsernameConfiguration:
      CaseSensitive: false
    AccountRecoverySetting:
      RecoveryMechanisms:
        - Priority: 1
          Name: verified_email
        - Priority: 2
          Name: verified_phone_number
    UserPoolTags:
      Creator: !Ref CreatorUsername
      Environment: !Ref EnvPrefix
# User Pool client
# exported using: aws cognito-idp describe-user-pool-client --user-pool-id eu-central-1_E5ZQHWb1N --client-id 7oasfnq1cld9sh4jajjap2g80p
UserPoolClient:
  Type: "AWS::Cognito::UserPoolClient"
  Properties:
    UserPoolId: !Ref UserPool
    ClientName: !Sub ${EnvPrefix}-smartshoesuserpoolclient
    RefreshTokenValidity: 30
    ReadAttributes:
      - email
      - email_verified
    WriteAttributes:
      - email
    ExplicitAuthFlows:
      - ALLOW_ADMIN_USER_PASSWORD_AUTH
      - ALLOW_CUSTOM_AUTH
      - ALLOW_REFRESH_TOKEN_AUTH
      - ALLOW_USER_PASSWORD_AUTH
      - ALLOW_USER_SRP_AUTH
    AllowedOAuthFlowsUserPoolClient: false
    PreventUserExistenceErrors: ENABLED
Simply put, it creates a UserPool and a UserPoolClient. But I have a problem because in the Lambda function I have to know the UserPoolId, UserClientId and ClientSecret, and I have not found a method to get these values inside the CloudFormation YAML. I can write a short Python program using Boto3 that searches for the UserPool and the other values, but I cannot execute it inside the YAML. How do you get these parameters and 'inject' them into the Lambda function during the deployment phase?
.....
def initiate_auth(client, username, password):
    # SECRET_HASH = Base64(HMAC-SHA256(client secret, username + client id));
    # get_secret_hash() needs the client secret, hence the question above.
    secret_hash = get_secret_hash(username)
    try:
        resp = client.admin_initiate_auth(
            UserPoolId=USER_POOL_ID,
            ClientId=CLIENT_ID,
            AuthFlow='ADMIN_NO_SRP_AUTH',
            AuthParameters={
                'USERNAME': username,
                'SECRET_HASH': secret_hash,
                'PASSWORD': password,
            },
            # ClientMetadata is forwarded to the pool's Lambda triggers,
            # so the password passed here can end up in their logs.
            ClientMetadata={
                'username': username,
                'password': password,
            })
....
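An added example (not part of the question's template) showing how the Lambda can receive the values from the same stack: `!Ref` on the user pool returns the pool ID, `!Ref` on the user pool client returns the client ID, and `!GetAtt UserPoolClient.ClientSecret` returns the secret once `GenerateSecret: true` is set on the client (the client above does not set it). The role, function name, handler and the `DeploymentBucket` parameter are assumptions.

```yaml
# Added example: wire the Cognito IDs into the Lambda environment.
# Assumes the UserPool and UserPoolClient resources from the question
# (with GenerateSecret: true added to the client) and a DeploymentBucket parameter.
Resources:
  AuthFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: cognito-admin-initiate-auth
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only the one admin call the handler makes,
              # and only on this stack's pool, not every pool in the account.
              - Effect: Allow
                Action: cognito-idp:AdminInitiateAuth
                Resource: !GetAtt UserPool.Arn

  AuthFunction:
    Type: "AWS::Lambda::Function"
    Properties:
      FunctionName: !Sub ${EnvPrefix}-smartshoes-auth   # hypothetical name
      Runtime: python3.12
      Handler: app.handler                               # hypothetical handler
      Role: !GetAtt AuthFunctionRole.Arn
      Code:
        S3Bucket: !Ref DeploymentBucket                  # hypothetical parameter
        S3Key: auth.zip
      Environment:
        Variables:
          # Resolved by CloudFormation at deploy time; no Boto3 lookup needed.
          USER_POOL_ID: !Ref UserPool
          CLIENT_ID: !Ref UserPoolClient
          CLIENT_SECRET: !GetAtt UserPoolClient.ClientSecret
```

In the handler these become `os.environ['USER_POOL_ID']`, `os.environ['CLIENT_ID']` and `os.environ['CLIENT_SECRET']`, replacing the module-level constants. Lambda environment variables are readable by any principal with `lambda:GetFunctionConfiguration`, so for the secret a `AWS::SecretsManager::Secret` resolved with a dynamic reference and read at runtime is the tighter option.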