How to tighten up CDK identity pool trust policies

[wz2b]

This says you can assign the authenticated and unauthenticated roles this way:

const stack = new Stack();
const authenticatedRole = new iam.Role(this, 'authRole', {
  assumedBy: new iam.ServicePrincipal('service.amazonaws.com'),
});
const unauthenticatedRole = new iam.Role(this, 'unauthRole', {
  assumedBy: new iam.ServicePrincipal('service.amazonaws.com'),
});
const identityPool = new IdentityPool(this, 'TestIdentityPoolActions', {
  authenticatedRole,
  unauthenticatedRole,
});

but I'm having a little trouble with this. I don't understand why it would be service.amazonaws.com with no restrictions. What I really want to do is this:

        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:myidentitypoolid"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
                }
            }
        }

where I only allow cognito-identity to assume the role, and only for my identity pool, not any random identity pool on AWS. The problem seems to be that to do that I need the roles to have a reference to the federated identity pool, and the federated identity pool to have a reference to the roles. It's a circular dependency that i don't know how to break.

What do I do?

[wz2b]

i'm still really stuck on this but I'm working on it. I discovered that there's a way to attach roles later:

const idPool = new IdentityPool(stack, "xxx-cognito-id-pool", {
    /* DOES NOT WORK - you have to specify the roles! */
    identityPoolName: "rocnrebel-id-pool",
    allowUnauthenticatedIdentities: false,
    authenticationProviders: {
        userPools: [new UserPoolAuthenticationProvider({userPool: userPool})]
    }
})

/* create authenticated and unauthenticated roles */

const roleAttachment = new IdentityPoolRoleAttachment(stack,
    "xxx-id-pool-attachment",
    {
        identityPool: idPool,
        authenticatedRole: authenticatedRole,
        unauthenticatedRole: unauthenticatedRole
    })

but this doesn't actually work, because authenticatedRole and unauthenticatedRole are required by IdentityPoolProps. That's a problem, because I want to do this:

StringEquals: {
    /*
     * aud is the audience - it needs to be the identity pool
     */
    'cognito-identity.amazonaws.com:aud': `${stack.region}:${idPool.identityPoolId}`,
},

That's the circular reference ... I can't create the role with that condition until I have the idPool, but I can't create the idPool until I have the role. I can't find a solution to this.

UPDATE: looks like these fields became optional some time recently, updating dependencies.

[e-g-hategan]

I've run into the same problem but eventually worked around it as below:

At least in java / kotlin, as of version software.amazon.awscdk:cognito-identitypool-alpha:2.66.1-alpha.0 when an identity pool is created, roles get created automatically and they include the relevant trust relationship.

What I'm doing next is altering these roles with my relevant inline policies:
identityPool.authenticatedRole.attachInlinePolicy(...)
and respectively
identityPool.unauthenticatedRole.attachInlinePolicy(...)

[myahal]

I also encountered the same problem, but it is now working fine with the following code.
I use typescript and "@aws-cdk/aws-cognito-identitypool-alpha": "^2.86.0-alpha.0".

const idPool = new IdentityPool(this, 'identityPool', {...})
const s3Statement = new iam.PolicyStatement({
      actions: [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      resources: [
        bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*"
      ],
      effect: iam.Effect.ALLOW
 })
  const cognitoStatement = new iam.PolicyStatement({
    actions: [
      "cognito-identity:GetCredentialsForIdentity"
    ],
    resources: [
      "*"
    ],
    effect: iam.Effect.ALLOW
  })
  const authenticatedPolicy = new iam.Policy(this, 'authenticatedPolicy', {
    policyName: 'authenticatedPolicy',
    statements: [cognitoStatement,s3Statement]
  })
  idPool.authenticatedRole.attachInlinePolicy(authenticatedPolicy)