# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# SAM template for a Cognito user pool whose sign-in is a custom challenge
# flow driven by five Lambda triggers (define / create / verify challenge,
# pre-sign-up, post-authentication). The only inputs are the pool name and
# the SES sender address used for the e-mailed login code; the challenge
# logic itself lives in the handler code under lambda-triggers/, not here.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Amazon Cognito User Pool with Passwordless E-Mail Auth configured
Metadata:
  # Publishing metadata for the Serverless Application Repository listing.
  AWS::ServerlessRepo::Application:
    Name: amazon-cognito-passwordless-email-auth
    Description: >
      An Amazon Cognito user pool, pre-configured with AWS Lambda triggers to implement passwordless e-mail auth
    Author: AWS Samples
    SpdxLicenseId: MIT-0
    LicenseUrl: LICENSE
    ReadmeUrl: README.md
    Labels: ["cognito", "passwordless", "authentication", "auth", "sample"]
    HomepageUrl: https://github.com/aws-samples/amazon-cognito-passwordless-email-auth/tree/master/cognito
    # Left unquoted: SAR reads this as a string, but a generic YAML loader
    # would not turn a three-part version into a number either.
    SemanticVersion: 1.0.3
    SourceCodeUrl: https://github.com/aws-samples/amazon-cognito-passwordless-email-auth/tree/master/cognito
Globals:
  Function:
    # Applies to every AWS::Serverless::Function below, including
    # CreateAuthChallenge, the one function granted ses:SendEmail — so 3 s
    # also bounds the time available for that SES call.
    Timeout: 3
Parameters:
  UserPoolName:
    Type: String
    Description: The name you want the User Pool to be created with
  SESFromAddress:
    Type: String
    Description: The e-mail address to send the secret login code from
    # NOTE(review): no AllowedPattern is set, so an arbitrary string is
    # accepted here; presumably it must be an SES-verified identity in the
    # deployment region — confirm against the handler and SES setup.
Resources:
  # Decides which challenge Cognito presents next. No Policies are given,
  # so SAM attaches only its default execution role.
  DefineAuthChallenge:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambda-triggers/define-auth-challenge/
      Handler: define-auth-challenge.handler
      # NOTE(review): nodejs12.x (used by all five functions) has reached end
      # of support in Lambda; new deployments need a supported Node.js
      # runtime — whether the handlers build against it is not visible here.
      Runtime: nodejs12.x
  # Generates and e-mails the login code; the only trigger that needs SES.
  CreateAuthChallenge:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambda-triggers/create-auth-challenge/
      Handler: create-auth-challenge.handler
      Runtime: nodejs12.x
      Environment:
        Variables:
          # Sender address handed to the handler; it is the same value as
          # the parameter, so the two cannot drift.
          SES_FROM_ADDRESS: !Ref SESFromAddress
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - ses:SendEmail
              # NOTE(review): "*" lets this function send from any SES
              # identity in the account. Least privilege would scope this to
              # the sender identity ARN, or keep "*" but add a Condition on
              # the ses:FromAddress key matching SESFromAddress.
              Resource: "*"
  # Checks the submitted code against the challenge; the comparison is done
  # in the handler, so nothing in this template constrains attempt counts.
  VerifyAuthChallengeResponse:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambda-triggers/verify-auth-challenge-response/
      Handler: verify-auth-challenge-response.handler
      Runtime: nodejs12.x
  # Runs on sign-up; what it does with the new user (e.g. confirmation) is
  # decided in the handler, not here.
  PreSignUp:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambda-triggers/pre-sign-up/
      Handler: pre-sign-up.handler
      Runtime: nodejs12.x
  # Uses an explicit role rather than the SAM-generated one because it needs
  # the extra Cognito permission attached via SetUserAttributesPolicy below.
  PostAuthentication:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambda-triggers/post-authentication/
      Handler: post-authentication.handler
      Runtime: nodejs12.x
      Role: !GetAtt PostAuthenticationRole.Arn
  PostAuthenticationRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # Basic execution role = CloudWatch Logs write access only; the
      # Cognito permission is added separately below.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  # Inline policy attached to PostAuthenticationRole. Scoped to this pool's
  # ARN, so the function cannot touch users in other pools.
  SetUserAttributesPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-set-user-attributes
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:AdminUpdateUserAttributes
            Resource:
              - !GetAtt UserPool.Arn
      Roles:
        - !Ref PostAuthenticationRole
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Ref UserPoolName
      # Both standard attributes are required at sign-up and stay editable
      # (PostAuthentication is granted AdminUpdateUserAttributes above).
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: email
          AttributeDataType: String
          Mutable: true
          Required: true
      Policies:
        # NOTE(review): every character-class requirement is off. The client
        # below enables only the custom flow, so passwords are not used for
        # sign-in there — but this policy applies to any other client later
        # created against this pool.
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
      # Users sign in with their e-mail address as the username.
      UsernameAttributes:
        - email
      # Quoted on purpose: a bare OFF is a YAML 1.1 boolean (false), and
      # Cognito expects the string. The e-mailed code is the only factor.
      MfaConfiguration: "OFF"
      # Wires the five triggers; the matching AWS::Lambda::Permission
      # resources below are what actually let Cognito invoke them.
      LambdaConfig:
        CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn
        DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn
        PreSignUp: !GetAtt PreSignUp.Arn
        VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallengeResponse.Arn
        PostAuthentication: !GetAtt PostAuthentication.Arn
  # One invoke permission per trigger. Each is limited by SourceArn to this
  # pool, so a different pool (or another caller using the Cognito service
  # principal) cannot invoke the functions.
  DefineAuthChallengeInvocationPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt DefineAuthChallenge.Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn: !GetAtt UserPool.Arn
  CreateAuthChallengeInvocationPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt CreateAuthChallenge.Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn: !GetAtt UserPool.Arn
  VerifyAuthChallengeResponseInvocationPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt VerifyAuthChallengeResponse.Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn: !GetAtt UserPool.Arn
  PreSignUpInvocationPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt PreSignUp.Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn: !GetAtt UserPool.Arn
  PostAuthenticationInvocationPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt PostAuthentication.Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn: !GetAtt UserPool.Arn
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: email-auth-client
      # Public client (browser/mobile): no secret to protect on the device.
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      # Only the custom-challenge flow is enabled; password-based flows are
      # not exposed through this client. NOTE(review): this is the legacy
      # value; current templates use the ALLOW_* form (ALLOW_CUSTOM_AUTH,
      # ALLOW_REFRESH_TOKEN_AUTH).
      ExplicitAuthFlows:
        - CUSTOM_AUTH_FLOW_ONLY
Outputs:
  UserPoolId:
    Description: ID of the User Pool
    Value: !Ref UserPool
  UserPoolClientId:
    Description: ID of the User Pool Client
    Value: !Ref UserPoolClient