Reuse Cognito UserPool
Sample Amplify backend file that reuses an existing Cognito user pool but creates a new user pool client, a new identity pool, and a new authenticated/unauthenticated IAM role pair for this app.
System: OS: macOS 14.7 CPU: (10) arm64 Apple M1 Pro Memory: 148.55 MB / 32.00 GB Shell: /opt/homebrew/bin/fishBinaries: Node: 22.8.0 - ~/.local/state/fnm_multishells/43849_1730131892294/bin/node Yarn: undefined - undefined npm: 10.8.2 - ~/.local/state/fnm_multishells/43849_1730131892294/bin/npm pnpm: 9.12.0 - ~/.local/state/fnm_multishells/43849_1730131892294/bin/pnpmNPM Packages: @aws-amplify/auth-construct: Not Found @aws-amplify/backend: 1.5.1 @aws-amplify/backend-auth: Not Found @aws-amplify/backend-cli: 1.3.0 @aws-amplify/backend-data: Not Found @aws-amplify/backend-deployer: Not Found @aws-amplify/backend-function: Not Found @aws-amplify/backend-output-schemas: Not Found @aws-amplify/backend-output-storage: Not Found @aws-amplify/backend-secret: Not Found @aws-amplify/backend-storage: Not Found @aws-amplify/cli-core: Not Found @aws-amplify/client-config: Not Found @aws-amplify/deployed-backend-client: Not Found @aws-amplify/form-generator: Not Found @aws-amplify/model-generator: Not Found @aws-amplify/platform-core: Not Found @aws-amplify/plugin-types: Not Found @aws-amplify/sandbox: Not Found @aws-amplify/schema-generator: Not Found aws-amplify: 6.6.7 aws-cdk: 2.164.1 aws-cdk-lib: 2.164.1 typescript: 5.6.3AWS environment variables: AWS_PROFILE = josef AWS_REGION = us-east-1 AWS_STS_REGIONAL_ENDPOINTS = regional AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1 AWS_SDK_LOAD_CONFIG = 1No CDK environment variables
import { defineBackend } from "@aws-amplify/backend"import { UserPool, UserPoolClient, CfnIdentityPool, CfnIdentityPoolRoleAttachment,} from "aws-cdk-lib/aws-cognito"import { FederatedPrincipal, Role } from "aws-cdk-lib/aws-iam"import outputs from "backend-one/outputs"
// Root of the Amplify backend. Nothing is declared inline because the user
// pool already exists; all auth wiring is done by hand in the stack below.
const backend = defineBackend({});

// Dedicated CDK stack that holds the hand-built Cognito/IAM resources.
const AUTH_STACK_NAME = "Auth";
const stack = backend.createStack(AUTH_STACK_NAME);
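// Reference the user pool that already exists; its id comes from the other
// backend's outputs. Fail at synth time with a clear message if that id is
// missing — otherwise an undefined id would be interpolated into the identity
// provider name further down and the problem would only surface at deploy
// time, as an opaque CloudFormation error.
const existingUserPoolId = outputs.auth?.user_pool_id;
if (!existingUserPoolId) {
  throw new Error(
    "backend-one/outputs: auth.user_pool_id is missing; cannot reuse the user pool"
  );
}
const userPool = UserPool.fromUserPoolId(stack, "UserPool", existingUserPoolId);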
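// New app client on the shared user pool. All other client settings are left
// at their defaults (public client, no client secret); the one explicit
// setting hardens the sign-in API against username enumeration: with
// preventUserExistenceErrors, Cognito returns a generic error instead of
// UserNotFoundException for unknown usernames.
const userPoolClient = new UserPoolClient(stack, "UserPoolClient", {
  userPool,
  preventUserExistenceErrors: true,
});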
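// Fresh identity pool that federates only with the new app client on the
// shared user pool.
//
// Security notes:
//  * allowUnauthenticatedIdentities: true means any caller that can reach the
//    identity pool receives AWS credentials for the unauthenticated role —
//    keep that role's policies minimal, or set this to false if the app has
//    no guest mode.
//  * allowClassicFlow is pinned to false so credentials can only be obtained
//    through the enhanced flow, where the role is selected by the role
//    mapping attached to the pool rather than by a role ARN the caller picks.
const identityPool = new CfnIdentityPool(stack, "IdentityPool", {
  allowUnauthenticatedIdentities: true,
  allowClassicFlow: false,
  cognitoIdentityProviders: [
    {
      clientId: userPoolClient.userPoolClientId,
      providerName: `cognito-idp.${stack.region}.amazonaws.com/${userPool.userPoolId}`,
    },
  ],
});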
// Trust policy shared by both roles: only Cognito Identity may assume the
// role, only for identities minted by this identity pool (aud), and only with
// the matching authentication method (amr). Neither role carries any
// permissions yet — attach least-privilege policies for this app before use.
const trustCognitoIdentity = (amr: "authenticated" | "unauthenticated") =>
  new FederatedPrincipal(
    "cognito-identity.amazonaws.com",
    {
      StringEquals: {
        "cognito-identity.amazonaws.com:aud": identityPool.attrId,
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": amr,
      },
    },
    "sts:AssumeRoleWithWebIdentity"
  );

// Role handed to signed-in users of the user pool.
const authenticatedRole = new Role(stack, "AuthenticatedRole", {
  assumedBy: trustCognitoIdentity("authenticated"),
});

// Role handed to guest (unauthenticated) identities.
const unauthenticatedRole = new Role(stack, "UnauthenticatedRole", {
  assumedBy: trustCognitoIdentity("unauthenticated"),
});
// Bind the two roles to the new identity pool. The single "Token" rule lets
// the role be chosen from the ID token's role claims for this user pool
// client; when a token carries several candidate roles the authenticated
// role is used instead of denying (ambiguousRoleResolution) — tighten to
// "Deny" if that fallback is not wanted.
const userPoolProvider =
  `cognito-idp.${stack.region}.amazonaws.com/${userPool.userPoolId}`;

new CfnIdentityPoolRoleAttachment(stack, "IdentityPoolRoleAttachment", {
  identityPoolId: identityPool.attrId,
  roles: {
    authenticated: authenticatedRole.roleArn,
    unauthenticated: unauthenticatedRole.roleArn,
  },
  roleMappings: {
    UserPoolWebClientRoleMapping: {
      type: "Token",
      ambiguousRoleResolution: "AuthenticatedRole",
      identityProvider: `${userPoolProvider}:${userPoolClient.userPoolClientId}`,
    },
  },
});
// Publish the merged auth config for the client. Start from the other
// backend's outputs (whatever other auth fields it contains carry over) and
// override the three ids this stack now owns. identity_pool_id is a
// CloudFormation token that is resolved at deploy time.
backend.addOutput({
  // @ts-expect-error no narrow types from json
  auth: {
    ...outputs.auth,
    user_pool_id: userPool.userPoolId,
    user_pool_client_id: userPoolClient.userPoolClientId,
    identity_pool_id: identityPool.attrId,
  },
})