bsm-identity-pool.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: An Amazon Cognito Identity Pool for BSM
Parameters:
  IdentityPoolName:
      Type: String
      Default: 'BSM Users'
  DeveloperProviderName:
      Type: String
      Default: 'login.bsm.pub'
  BucketName:
        Type: String
        Default: 'bsm-user-media'

Resources:
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false
      IdentityPoolName:
        Ref: IdentityPoolName
      DeveloperProviderName:
        Ref: DeveloperProviderName

  CognitoAuthenticatedRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  Ref: CognitoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
        Path: "/"
        Policies:
        - PolicyName: 'userBucketAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            # Allow authenticated users to read files from main media bucket
            - Effect: Allow
              Action:
              - s3:ListBucket
              - s3:GetObject
              Resource:
              - Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: BucketName
                  - '/*'
              - Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: BucketName
            # Allow authenticated users to write to dedicated subdirectories
            - Effect: Allow
              Action:
              - s3:PutObject
              - s3:DeleteObject
              Resource:
              - Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: BucketName
                  - '/${cognito-identity.amazonaws.com:sub}'
              - Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: BucketName
                  - '/${cognito-identity.amazonaws.com:sub}/*'

  IdentityPoolManagerUser:
    Type: AWS::IAM::User
    Properties:
      Policies:
      - PolicyName: 'supportDeveloperAuthenticatedIdentities'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - cognito-identity:GetOpenIdTokenForDeveloperIdentity
            - cognito-identity:LookupDeveloperIdentity
            - cognito-identity:MergeDeveloperIdentities
            - cognito-identity:UnlinkDeveloperIdentity
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:cognito-identity:*:*:identitypool/'
                - Ref: CognitoIdentityPool

  IdentityPoolManagerUserKeys:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: !Ref IdentityPoolManagerUser

  IdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
     IdentityPoolId: !Ref CognitoIdentityPool
     Roles: {"authenticated": !GetAtt CognitoAuthenticatedRole.Arn}

Outputs:
  AccessKey:
    Value: !Ref IdentityPoolManagerUserKeys
    Description: AWSAccessKeyId of new user
  SecretKey:
    Value: !GetAtt [IdentityPoolManagerUserKeys, SecretAccessKey]
    Description: AWSSecretAccessKey of new user