366 lines
12 KiB
TypeScript
366 lines
12 KiB
TypeScript
import type { Construct } from 'constructs';
|
|
import type { IUserPoolAuthenticationProvider } from './identitypool-user-pool-authentication-provider';
|
|
import type { IdentityPoolReference, IIdentityPoolRef, IUserPool, IUserPoolClient } from '../../aws-cognito';
|
|
import { CfnIdentityPoolRoleAttachment } from '../../aws-cognito';
|
|
import type { IRole, IOIDCProviderRef, ISAMLProviderRef } from '../../aws-iam';
|
|
import type { IResource } from '../../core';
|
|
import { Resource } from '../../core';
|
|
/**
|
|
* Represents a Cognito Identity Pool
|
|
*/
|
|
export interface IIdentityPool extends IResource, IIdentityPoolRef {
|
|
/**
|
|
* The ID of the Identity Pool in the format REGION:GUID
|
|
* @attribute
|
|
*/
|
|
readonly identityPoolId: string;
|
|
/**
|
|
* The ARN of the Identity Pool
|
|
* @attribute
|
|
*/
|
|
readonly identityPoolArn: string;
|
|
/**
|
|
* Name of the Identity Pool
|
|
* @attribute
|
|
*/
|
|
readonly identityPoolName: string;
|
|
}
|
|
/**
|
|
* Props for the Identity Pool construct
|
|
*/
|
|
export interface IdentityPoolProps {
|
|
/**
|
|
* The name of the Identity Pool
|
|
* @default - Automatically generated name by CloudFormation at deploy time
|
|
*/
|
|
readonly identityPoolName?: string;
|
|
/**
|
|
* The default Role to be assumed by authenticated users
|
|
* @default - A default authenticated Role will be added
|
|
*/
|
|
readonly authenticatedRole?: IRole;
|
|
/**
|
|
* The default Role to be assumed by unauthenticated users
|
|
* @default - A default unauthenticated Role will be added
|
|
*/
|
|
readonly unauthenticatedRole?: IRole;
|
|
/**
|
|
* Whether the Identity Pool supports unauthenticated logins
|
|
* @default - false
|
|
*/
|
|
readonly allowUnauthenticatedIdentities?: boolean;
|
|
/**
|
|
* Rules for mapping roles to users
|
|
* @default - no role mappings
|
|
*/
|
|
readonly roleMappings?: IdentityPoolRoleMapping[];
|
|
/**
|
|
* Enables the Basic (Classic) authentication flow
|
|
* @default - Classic Flow not allowed
|
|
*/
|
|
readonly allowClassicFlow?: boolean;
|
|
/**
|
|
* Authentication Providers for using in Identity Pool
|
|
* @default - No Authentication Providers passed directly to Identity Pool
|
|
*/
|
|
readonly authenticationProviders?: IdentityPoolAuthenticationProviders;
|
|
}
|
|
/**
|
|
* Types of Identity Pool Login Providers
|
|
*/
|
|
export declare enum IdentityPoolProviderType {
|
|
/** Facebook provider type */
|
|
FACEBOOK = "Facebook",
|
|
/** Google provider type */
|
|
GOOGLE = "Google",
|
|
/** Amazon provider type */
|
|
AMAZON = "Amazon",
|
|
/** Apple provider type */
|
|
APPLE = "Apple",
|
|
/** Twitter provider type */
|
|
TWITTER = "Twitter",
|
|
/** Open Id provider type */
|
|
OPEN_ID = "OpenId",
|
|
/** Saml provider type */
|
|
SAML = "Saml",
|
|
/** User Pool provider type */
|
|
USER_POOL = "UserPool",
|
|
/** Custom provider type */
|
|
CUSTOM = "Custom"
|
|
}
|
|
/**
|
|
* Keys for Login Providers - each correspond to the client IDs of their respective federation Identity Providers
|
|
*/
|
|
export declare class IdentityPoolProviderUrl {
|
|
/**
|
|
* The type of Identity Pool Provider
|
|
*/
|
|
readonly type: IdentityPoolProviderType;
|
|
/**
|
|
* The value of the Identity Pool Provider
|
|
*/
|
|
readonly value: string;
|
|
/** Facebook Provider url */
|
|
static readonly FACEBOOK: IdentityPoolProviderUrl;
|
|
/** Google Provider url */
|
|
static readonly GOOGLE: IdentityPoolProviderUrl;
|
|
/** Amazon Provider url */
|
|
static readonly AMAZON: IdentityPoolProviderUrl;
|
|
/** Apple Provider url */
|
|
static readonly APPLE: IdentityPoolProviderUrl;
|
|
/** Twitter Provider url */
|
|
static readonly TWITTER: IdentityPoolProviderUrl;
|
|
/** OpenId Provider url */
|
|
static openId(url: string): IdentityPoolProviderUrl;
|
|
/** Saml Provider url */
|
|
static saml(url: string): IdentityPoolProviderUrl;
|
|
/** User Pool Provider Url */
|
|
static userPool(userPool: IUserPool, userPoolClient: IUserPoolClient): IdentityPoolProviderUrl;
|
|
/** Custom Provider url */
|
|
static custom(url: string): IdentityPoolProviderUrl;
|
|
constructor(
|
|
/**
|
|
* The type of Identity Pool Provider
|
|
*/
|
|
type: IdentityPoolProviderType,
|
|
/**
|
|
* The value of the Identity Pool Provider
|
|
*/
|
|
value: string);
|
|
}
|
|
/**
|
|
* Login Provider for identity federation using Amazon credentials
|
|
*/
|
|
export interface IdentityPoolAmazonLoginProvider {
|
|
/**
|
|
* App ID for Amazon identity federation
|
|
*/
|
|
readonly appId: string;
|
|
}
|
|
/**
|
|
* Login Provider for identity federation using Facebook credentials
|
|
*/
|
|
export interface IdentityPoolFacebookLoginProvider {
|
|
/**
|
|
* App ID for Facebook identity federation
|
|
*/
|
|
readonly appId: string;
|
|
}
|
|
/**
|
|
* Login Provider for identity federation using Apple credentials
|
|
*/
|
|
export interface IdentityPoolAppleLoginProvider {
|
|
/**
|
|
* Services ID for Apple identity federation
|
|
*/
|
|
readonly servicesId: string;
|
|
}
|
|
/**
|
|
* Login Provider for identity federation using Google credentials
|
|
*/
|
|
export interface IdentityPoolGoogleLoginProvider {
|
|
/**
|
|
* Client ID for Google identity federation
|
|
*/
|
|
readonly clientId: string;
|
|
}
|
|
/**
|
|
* Login Provider for identity federation using Twitter credentials
|
|
*/
|
|
export interface IdentityPoolTwitterLoginProvider {
|
|
/**
|
|
* Consumer key for Twitter identity federation
|
|
*/
|
|
readonly consumerKey: string;
|
|
/**
|
|
* Consumer secret for identity federation
|
|
*/
|
|
readonly consumerSecret: string;
|
|
}
|
|
/**
|
|
* External Authentication Providers for usage in Identity Pool.
|
|
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html
|
|
*/
|
|
export interface IdentityPoolAuthenticationProviders {
|
|
/**
|
|
* The Facebook Authentication Provider associated with this Identity Pool
|
|
* @default - No Facebook Authentication Provider used without OpenIdConnect or a User Pool
|
|
*/
|
|
readonly facebook?: IdentityPoolFacebookLoginProvider;
|
|
/**
|
|
* The Google Authentication Provider associated with this Identity Pool
|
|
* @default - No Google Authentication Provider used without OpenIdConnect or a User Pool
|
|
*/
|
|
readonly google?: IdentityPoolGoogleLoginProvider;
|
|
/**
|
|
* The Amazon Authentication Provider associated with this Identity Pool
|
|
* @default - No Amazon Authentication Provider used without OpenIdConnect or a User Pool
|
|
*/
|
|
readonly amazon?: IdentityPoolAmazonLoginProvider;
|
|
/**
|
|
* The Apple Authentication Provider associated with this Identity Pool
|
|
* @default - No Apple Authentication Provider used without OpenIdConnect or a User Pool
|
|
*/
|
|
readonly apple?: IdentityPoolAppleLoginProvider;
|
|
/**
|
|
* The Twitter Authentication Provider associated with this Identity Pool
|
|
* @default - No Twitter Authentication Provider used without OpenIdConnect or a User Pool
|
|
*/
|
|
readonly twitter?: IdentityPoolTwitterLoginProvider;
|
|
/**
|
|
* The User Pool Authentication Providers associated with this Identity Pool
|
|
* @default - no User Pools associated
|
|
*/
|
|
readonly userPools?: IUserPoolAuthenticationProvider[];
|
|
/**
|
|
* The OpenIdConnect Provider associated with this Identity Pool
|
|
* @default - no OpenIdConnectProvider
|
|
*/
|
|
readonly openIdConnectProviders?: IOIDCProviderRef[];
|
|
/**
|
|
* The Security Assertion Markup Language provider associated with this Identity Pool
|
|
* @default - no SamlProvider
|
|
*/
|
|
readonly samlProviders?: ISAMLProviderRef[];
|
|
/**
|
|
* The developer provider name to associate with this Identity Pool
|
|
* @default - no custom provider
|
|
*/
|
|
readonly customProvider?: string;
|
|
}
|
|
/**
|
|
* Map roles to users in the Identity Pool based on claims from the Identity Provider
|
|
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
|
|
*/
|
|
export interface IdentityPoolRoleMapping {
|
|
/**
|
|
* The url of the Provider for which the role is mapped
|
|
*/
|
|
readonly providerUrl: IdentityPoolProviderUrl;
|
|
/**
|
|
* The key used for the role mapping in the role mapping hash. Required if the providerUrl is a token.
|
|
* @default - The provided providerUrl
|
|
*/
|
|
readonly mappingKey?: string;
|
|
/**
|
|
* If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from Identity Provider.
|
|
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
|
|
*
|
|
* @default false
|
|
*/
|
|
readonly useToken?: boolean;
|
|
/**
|
|
* Allow for role assumption when results of role mapping are ambiguous
|
|
* @default false - Ambiguous role resolutions will lead to requester being denied
|
|
*/
|
|
readonly resolveAmbiguousRoles?: boolean;
|
|
/**
|
|
* The claim and value that must be matched in order to assume the role. Required if useToken is false
|
|
* @default - No role mapping rule
|
|
*/
|
|
readonly rules?: RoleMappingRule[];
|
|
}
|
|
/**
|
|
* Types of matches allowed for role mapping
|
|
*/
|
|
export declare enum RoleMappingMatchType {
|
|
/**
|
|
* The claim from the token must equal the given value in order for a match
|
|
*/
|
|
EQUALS = "Equals",
|
|
/**
|
|
* The claim from the token must contain the given value in order for a match
|
|
*/
|
|
CONTAINS = "Contains",
|
|
/**
|
|
* The claim from the token must start with the given value in order for a match
|
|
*/
|
|
STARTS_WITH = "StartsWith",
|
|
/**
|
|
* The claim from the token must not equal the given value in order for a match
|
|
*/
|
|
NOTEQUAL = "NotEqual"
|
|
}
|
|
/**
|
|
* Represents an Identity Pool Role Attachment role mapping rule
|
|
*/
|
|
export interface RoleMappingRule {
|
|
/**
|
|
* The key sent in the token by the federated Identity Provider
|
|
*/
|
|
readonly claim: string;
|
|
/**
|
|
* The role to be assumed when the claim value is matched
|
|
*/
|
|
readonly mappedRole: IRole;
|
|
/**
|
|
* The value of the claim that must be matched
|
|
*/
|
|
readonly claimValue: string;
|
|
/**
|
|
* How to match with the claim value
|
|
*
|
|
* @default RoleMappingMatchType.EQUALS
|
|
*/
|
|
readonly matchType?: RoleMappingMatchType;
|
|
}
|
|
/**
|
|
* Define a Cognito Identity Pool
|
|
*
|
|
* @resource AWS::Cognito::IdentityPool
|
|
*/
|
|
export declare class IdentityPool extends Resource implements IIdentityPool {
|
|
/** Uniquely identifies this class. */
|
|
static readonly PROPERTY_INJECTION_ID: string;
|
|
/**
|
|
* Import an existing Identity Pool from its ID
|
|
*/
|
|
static fromIdentityPoolId(scope: Construct, id: string, identityPoolId: string): IIdentityPool;
|
|
/**
|
|
* Import an existing Identity Pool from its ARN
|
|
*/
|
|
static fromIdentityPoolArn(scope: Construct, id: string, identityPoolArn: string): IIdentityPool;
|
|
/**
|
|
* The ID of the Identity Pool in the format REGION:GUID
|
|
* @attribute
|
|
*/
|
|
readonly identityPoolId: string;
|
|
/**
|
|
* The ARN of the Identity Pool
|
|
* @attribute
|
|
*/
|
|
readonly identityPoolArn: string;
|
|
/**
|
|
* The name of the Identity Pool
|
|
* @attribute
|
|
*/
|
|
readonly identityPoolName: string;
|
|
/**
|
|
* Default Role for authenticated users
|
|
*/
|
|
readonly authenticatedRole: IRole;
|
|
/**
|
|
* Default Role for unauthenticated users
|
|
*/
|
|
readonly unauthenticatedRole: IRole;
|
|
/**
|
|
* Role Provider for the default Role for authenticated users
|
|
*/
|
|
readonly roleAttachment: CfnIdentityPoolRoleAttachment;
|
|
/**
|
|
* List of Identity Providers added in constructor for use with property overrides
|
|
*/
|
|
private readonly _cognitoIdentityProviders;
|
|
constructor(scope: Construct, id: string, props?: IdentityPoolProps);
|
|
/**
|
|
* Add a User Pool to the Identity Pool and configure the User Pool client to handle identities
|
|
*/
|
|
addUserPoolAuthentication(userPool: IUserPoolAuthenticationProvider): void;
|
|
/**
|
|
* Configure default Roles for Identity Pool
|
|
*/
|
|
private configureDefaultRole;
|
|
private configureDefaultGrantPrincipal;
|
|
get identityPoolRef(): IdentityPoolReference;
|
|
}
|