I used the following CloudFormation template to create the stack.

Resources:
  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true
  # Role for identities that signed in through a provider (amr contains "authenticated").
  CognitoRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - 'cognito-identity.amazonaws.com'
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              # Only identities from this pool may assume the role.
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  Ref: MyIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - 'authenticated'
  # Role for guest identities (amr contains "unauthenticated").
  CognitoRole2:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - 'cognito-identity.amazonaws.com'
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  Ref: MyIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - 'unauthenticated'
  RoleAttachment:
    DependsOn: MyIdentityPool
    Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
    Properties:
      IdentityPoolId:
        Ref: MyPinpointIdentityPool
      Roles:
        # Long-form Fn::GetAtt takes a [logicalId, attribute] list.
        unauthenticated:
          Fn::GetAtt: [CognitoRole2, Arn]
  AccessPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      ...
      Roles:
        - Ref: CognitoGeneralRole
The stack was created successfully; however, when I updated the stack, changing the IdentityPoolRoleAttachment to

  RoleAttachment:
    DependsOn: MyIdentityPool
    Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
    Properties:
      IdentityPoolId:
        Ref: MyPinpointIdentityPool
      Roles:
        unauthenticated:
          Fn::GetAtt: [CognitoRole2, Arn]
        authenticated:
          Fn::GetAtt: [CognitoRole, Arn]

I got: AWS::Cognito::IdentityPoolRoleAttachment Resource cannot be updated.

What could be the cause of this?
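An added check, not part of the question and not an answer to it: a small Python script that walks a template's Resources and reports every Ref, Fn::GetAtt and DependsOn target that names nothing declared as a Resource, a Parameter or a pseudo parameter. Run over the Resources section as it appears in the question (constructed here as a Python dict, with the elided AccessPolicy properties left out), it flags MyPinpointIdentityPool and CognitoGeneralRole, neither of which is declared under Resources; that is worth reconciling with the copy of the template that was actually deployed before looking further at the update failure. The function names, the pseudo-parameter list and the dict layout are mine.

```python
"""Added example (not from the question): report Ref / Fn::GetAtt / DependsOn
targets in a CloudFormation template that name no declared resource or parameter."""
from __future__ import annotations

from typing import Any, Iterable

# Pseudo parameters CloudFormation resolves without any declaration.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}


def _referenced_names(node: Any) -> Iterable[str]:
    """Yield every logical name a node refers to, walking nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            elif key == "Fn::GetAtt":
                # Long form is [logicalName, attribute]; a dotted string is the
                # short-form spelling (!GetAtt A.Arn) some authors carry over.
                if isinstance(value, list) and value:
                    yield str(value[0])
                elif isinstance(value, str):
                    yield value.split(".", 1)[0]
            else:
                yield from _referenced_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from _referenced_names(item)


def find_dangling_refs(template: dict) -> set[tuple[str, str]]:
    """Return {(resource_logical_id, missing_name)} for references that resolve
    to neither a Resource, a Parameter, nor a pseudo parameter."""
    resources = template.get("Resources", {})
    declared = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    dangling: set[tuple[str, str]] = set()
    for logical_id, body in resources.items():
        depends = body.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else list(depends)
        names = set(depends) | set(_referenced_names(body.get("Properties", {})))
        for name in names:
            if name not in declared:
                dangling.add((logical_id, name))
    return dangling


def cognito_trust_policy(amr: str) -> dict:
    """The trust policy from the question, parameterised on the amr value."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": ["cognito-identity.amazonaws.com"]},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": {"Ref": "MyIdentityPool"}},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": [amr]},
            },
        }],
    }


# The Resources section as posted in the question, constructed here as a dict
# (the elided AccessPolicy properties are omitted).
QUESTION_TEMPLATE = {
    "Resources": {
        "MyIdentityPool": {
            "Type": "AWS::Cognito::IdentityPool",
            "Properties": {"AllowUnauthenticatedIdentities": True},
        },
        "CognitoRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": cognito_trust_policy("authenticated")},
        },
        "CognitoRole2": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": cognito_trust_policy("unauthenticated")},
        },
        "RoleAttachment": {
            "DependsOn": "MyIdentityPool",
            "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
            "Properties": {
                "IdentityPoolId": {"Ref": "MyPinpointIdentityPool"},
                "Roles": {"unauthenticated": {"Fn::GetAtt": ["CognitoRole2", "Arn"]}},
            },
        },
        "AccessPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"Roles": [{"Ref": "CognitoGeneralRole"}]},
        },
    }
}

if __name__ == "__main__":
    for logical_id, name in sorted(find_dangling_refs(QUESTION_TEMPLATE)):
        print(f"{logical_id}: references undeclared name {name!r}")
```

The walk deliberately ignores intrinsic functions other than Ref and Fn::GetAtt (Fn::Sub's ${Name} strings, Fn::ImportValue) so it stays a pure logical-name check; run it on the JSON form of a template (or on a PyYAML load of the YAML form) before handing it to CloudFormation.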