This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

# AWS::Cognito::IdentityPoolRoleAttachment
<a name="aws-resource-cognito-identitypoolroleattachment"></a>

The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role configuration for an Amazon Cognito identity pool.

## Syntax
<a name="aws-resource-cognito-identitypoolroleattachment-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-cognito-identitypoolroleattachment-syntax.json"></a>

```
{
  "Type" : "AWS::Cognito::IdentityPoolRoleAttachment",
  "Properties" : {
      "[IdentityPoolId](#cfn-cognito-identitypoolroleattachment-identitypoolid)" : String,
      "[RoleMappings](#cfn-cognito-identitypoolroleattachment-rolemappings)" : RoleMapping,
      "[Roles](#cfn-cognito-identitypoolroleattachment-roles)" : String
    }
}
```

### YAML
<a name="aws-resource-cognito-identitypoolroleattachment-syntax.yaml"></a>

```
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
  [IdentityPoolId](#cfn-cognito-identitypoolroleattachment-identitypoolid): String
  [RoleMappings](#cfn-cognito-identitypoolroleattachment-rolemappings): 
    RoleMapping
  [Roles](#cfn-cognito-identitypoolroleattachment-roles): String
```

## Properties
<a name="aws-resource-cognito-identitypoolroleattachment-properties"></a>

`IdentityPoolId`  <a name="cfn-cognito-identitypoolroleattachment-identitypoolid"></a>
An identity pool ID in the format `REGION:GUID`.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RoleMappings`  <a name="cfn-cognito-identitypoolroleattachment-rolemappings"></a>
How users for a specific identity provider are mapped to roles. This is a map from string to `RoleMapping` object; the string key identifies the identity provider, for example `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id`.  
If the `IdentityProvider` field isn't provided in this object, the string is used as the identity provider name.  
For more information, see the [RoleMapping property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html).  
*Required*: No  
*Type*: [RoleMapping](aws-properties-cognito-identitypoolroleattachment-rolemapping.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Roles`  <a name="cfn-cognito-identitypoolroleattachment-roles"></a>
The map of the roles associated with this pool. For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.  
*Required*: No  
*Type*: String  
*Pattern*: `^.+$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-cognito-identitypoolroleattachment-return-values"></a>

### Ref
<a name="aws-resource-cognito-identitypoolroleattachment-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `IdentityPoolId`, such as `us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-cognito-identitypoolroleattachment-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-cognito-identitypoolroleattachment-return-values-fn--getatt-fn--getatt"></a>

`Id`  <a name="Id-fn::getatt"></a>
The resource ID.

## Examples
<a name="aws-resource-cognito-identitypoolroleattachment--examples"></a>

### Setting the roles for an identity pool
<a name="aws-resource-cognito-identitypoolroleattachment--examples--Setting_the_roles_for_an_identity_pool"></a>

The following example sets roles for an identity pool. It sets the “authenticated” and “unauthenticated” roles and maps two identity providers to them. The first identity provider is “graph.facebook.com”. The second uses a reference (`Ref`) to set the identity provider name.

#### JSON
<a name="aws-resource-cognito-identitypoolroleattachment--examples--Setting_the_roles_for_an_identity_pool--json"></a>

```
{
   "IdentityPoolRoleAttachment":{
      "Type":"AWS::Cognito::IdentityPoolRoleAttachment",
      "Properties":{
         "IdentityPoolId":{
            "Ref":"IdentityPool"
         },
         "Roles":{
            "authenticated":{
               "Fn::GetAtt":[
                  "AuthenticatedRole",
                  "Arn"
               ]
            },
            "unauthenticated":{
               "Fn::GetAtt":[
                  "UnAuthenticatedRole",
                  "Arn"
               ]
            }
         },
         "RoleMappings":{
            "graph.facebook.com":{
               "IdentityProvider":"graph.facebook.com",
               "AmbiguousRoleResolution":"Deny",
               "Type":"Rules",
               "RulesConfiguration":{
                  "Rules":[
                     {
                        "Claim":"sub",
                        "MatchType":"Equals",
                        "RoleARN":{
                           "Fn::GetAtt":[
                              "AuthenticatedRole",
                              "Arn"
                           ]
                        },
                        "Value":"goodvalue"
                     }
                  ]
               }
            },
            "userpool1":{
               "IdentityProvider":{
                  "Ref":"CognitoUserPool"
               },
               "AmbiguousRoleResolution":"Deny",
               "Type":"Rules",
               "RulesConfiguration":{
                  "Rules":[
                     {
                        "Claim":"sub",
                        "MatchType":"Equals",
                        "RoleARN":{
                           "Fn::GetAtt":[
                              "AuthenticatedRole",
                              "Arn"
                           ]
                        },
                        "Value":"goodvalue"
                     }
                  ]
               }
            }
         }
      }
   }
}
```

#### YAML
<a name="aws-resource-cognito-identitypoolroleattachment--examples--Setting_the_roles_for_an_identity_pool--yaml"></a>

```
IdentityPoolRoleAttachment: 
  Type: AWS::Cognito::IdentityPoolRoleAttachment 
  Properties: 
    IdentityPoolId: !Ref IdentityPool
    Roles: 
      "authenticated": !GetAtt AuthenticatedRole.Arn 
      "unauthenticated": !GetAtt UnAuthenticatedRole.Arn 
    RoleMappings:  
      "graph.facebook.com":
        IdentityProvider: "graph.facebook.com" 
        AmbiguousRoleResolution: Deny 
        Type: Rules 
        RulesConfiguration: 
          Rules: 
            - Claim: "sub" 
              MatchType: "Equals" 
              RoleARN: !GetAtt AuthenticatedRole.Arn 
              Value: "goodvalue"
      "userpool1": 
        IdentityProvider: !Ref CognitoUserPool 
        AmbiguousRoleResolution: Deny 
        Type: Rules 
        RulesConfiguration: 
          Rules: 
            - Claim: "sub" 
              MatchType: "Equals" 
              RoleARN: !GetAtt AuthenticatedRole.Arn 
              Value: "goodvalue"
```

# AWS::Cognito::IdentityPoolRoleAttachment MappingRule
<a name="aws-properties-cognito-identitypoolroleattachment-mappingrule"></a>

Defines how to map a claim to a role ARN.

## Syntax
<a name="aws-properties-cognito-identitypoolroleattachment-mappingrule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-cognito-identitypoolroleattachment-mappingrule-syntax.json"></a>

```
{
  "[Claim](#cfn-cognito-identitypoolroleattachment-mappingrule-claim)" : String,
  "[MatchType](#cfn-cognito-identitypoolroleattachment-mappingrule-matchtype)" : String,
  "[RoleARN](#cfn-cognito-identitypoolroleattachment-mappingrule-rolearn)" : String,
  "[Value](#cfn-cognito-identitypoolroleattachment-mappingrule-value)" : String
}
```

### YAML
<a name="aws-properties-cognito-identitypoolroleattachment-mappingrule-syntax.yaml"></a>

```
  [Claim](#cfn-cognito-identitypoolroleattachment-mappingrule-claim): String
  [MatchType](#cfn-cognito-identitypoolroleattachment-mappingrule-matchtype): String
  [RoleARN](#cfn-cognito-identitypoolroleattachment-mappingrule-rolearn): String
  [Value](#cfn-cognito-identitypoolroleattachment-mappingrule-value): String
```

## Properties
<a name="aws-properties-cognito-identitypoolroleattachment-mappingrule-properties"></a>

`Claim`  <a name="cfn-cognito-identitypoolroleattachment-mappingrule-claim"></a>
The claim name that must be present in the token. For example: "isAdmin" or "paid".  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`MatchType`  <a name="cfn-cognito-identitypoolroleattachment-mappingrule-matchtype"></a>
The match condition that specifies how closely the claim value in the IdP token must match `Value`.  
Valid values are: `Equals`, `Contains`, `StartsWith`, and `NotEqual`.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RoleARN`  <a name="cfn-cognito-identitypoolroleattachment-mappingrule-rolearn"></a>
The Amazon Resource Name (ARN) of the role.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-cognito-identitypoolroleattachment-mappingrule-value"></a>
A brief string that the claim must match. For example, "paid" or "yes".  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Cognito::IdentityPoolRoleAttachment RoleMapping
<a name="aws-properties-cognito-identitypoolroleattachment-rolemapping"></a>

One of a set of `RoleMappings`, a property of the [AWS::Cognito::IdentityPoolRoleAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html) resource that defines the role-mapping attributes of an Amazon Cognito identity pool.

## Syntax
<a name="aws-properties-cognito-identitypoolroleattachment-rolemapping-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-cognito-identitypoolroleattachment-rolemapping-syntax.json"></a>

```
{
  "[AmbiguousRoleResolution](#cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution)" : String,
  "[IdentityProvider](#cfn-cognito-identitypoolroleattachment-rolemapping-identityprovider)" : String,
  "[RulesConfiguration](#cfn-cognito-identitypoolroleattachment-rolemapping-rulesconfiguration)" : RulesConfigurationType,
  "[Type](#cfn-cognito-identitypoolroleattachment-rolemapping-type)" : String
}
```

### YAML
<a name="aws-properties-cognito-identitypoolroleattachment-rolemapping-syntax.yaml"></a>

```
  [AmbiguousRoleResolution](#cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution): String
  [IdentityProvider](#cfn-cognito-identitypoolroleattachment-rolemapping-identityprovider): String
  [RulesConfiguration](#cfn-cognito-identitypoolroleattachment-rolemapping-rulesconfiguration): 
    RulesConfigurationType
  [Type](#cfn-cognito-identitypoolroleattachment-rolemapping-type): String
```

## Properties
<a name="aws-properties-cognito-identitypoolroleattachment-rolemapping-properties"></a>

`AmbiguousRoleResolution`  <a name="cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution"></a>
If you specify `Token` or `Rules` as the `Type`, `AmbiguousRoleResolution` is required.  
Specifies the action to take when the mapping is ambiguous: for the `Rules` type, when no rule matches the claim value; for the `Token` type, when there is no `cognito:preferred_role` claim and there are multiple `cognito:roles` matches. Valid values are `AuthenticatedRole` (fall back to the pool's authenticated role) and `Deny`; the examples on this page use `Deny`.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IdentityProvider`  <a name="cfn-cognito-identitypoolroleattachment-rolemapping-identityprovider"></a>
Identifier for the identity provider for which the role is mapped. For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id`. This is the identity provider that is used by the user for authentication.  
If the identity provider property isn't provided, the key of the entry in the `RoleMappings` map is used as the identity provider.  
*Required*: No  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RulesConfiguration`  <a name="cfn-cognito-identitypoolroleattachment-rolemapping-rulesconfiguration"></a>
The rules to use for mapping users to roles. If you specify `Rules` as the role-mapping `Type`, `RulesConfiguration` is required.  
*Required*: No  
*Type*: [RulesConfigurationType](aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Type`  <a name="cfn-cognito-identitypoolroleattachment-rolemapping-type"></a>
The role mapping type. `Token` uses the `cognito:roles` and `cognito:preferred_role` claims from the Cognito identity provider token to map groups to roles. `Rules` attempts to match claims from the token to a role.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
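The `MappingRule` and `RoleMapping` properties above describe how an identity pool decides which role a caller gets. The following added example (not AWS code and not part of this reference) models that decision so a template author can check, before deploying, which role a given set of token claims would receive: `Rules` mappings are evaluated with the four `MatchType` values, `Token` mappings use `cognito:roles` and `cognito:preferred_role`, and `AmbiguousRoleResolution` decides the outcome when nothing matches. The role ARNs, the sample mapping and the claims are constructed; treating an absent `AmbiguousRoleResolution` as `Deny` and treating a token with zero `cognito:roles` as ambiguous are assumptions of this model, not statements from the page.

```python
"""Simulate how an identity pool RoleMapping picks a role for a set of claims.

Added example, not AWS code: it models the RoleMapping / MappingRule semantics
described on this page (Type Rules with Claim/MatchType/Value/RoleARN rules,
Type Token with the cognito:roles and cognito:preferred_role claims, and the
AmbiguousRoleResolution fallback). ARNs, claims and mappings are constructed.
"""

# Constructed sample role ARNs (fictional account id).
AUTH_ROLE = "arn:aws:iam::123456789012:role/AuthenticatedRole"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"
PAID_ROLE = "arn:aws:iam::123456789012:role/PaidRole"

# The four MatchType values listed under MappingRule.
MATCHERS = {
    "Equals": lambda claim, value: claim == value,
    "Contains": lambda claim, value: value in claim,
    "StartsWith": lambda claim, value: claim.startswith(value),
    "NotEqual": lambda claim, value: claim != value,
}


def first_matching_rule(rules, claims):
    """Return the first MappingRule whose Claim is present and matches, or None.

    A rule whose Claim is absent from the token never matches, even for
    NotEqual, because the claim must be present in the token. Claim values
    are compared as strings, the way custom attributes are carried.
    """
    for rule in rules:
        claim_value = claims.get(rule["Claim"])
        if claim_value is None:
            continue
        if MATCHERS[rule["MatchType"]](str(claim_value), rule["Value"]):
            return rule
    return None


def resolve_role(role_mapping, claims, authenticated_role):
    """Return the role ARN the token would be mapped to, or None for deny.

    role_mapping mirrors one RoleMappings entry from the template;
    authenticated_role is the pool's "authenticated" entry from Roles, used
    when AmbiguousRoleResolution is AuthenticatedRole. Assumption of this
    model: an absent AmbiguousRoleResolution behaves like Deny.
    """
    mapping_type = role_mapping["Type"]
    fallback = role_mapping.get("AmbiguousRoleResolution", "Deny")

    if mapping_type == "Rules":
        rule = first_matching_rule(role_mapping["RulesConfiguration"]["Rules"], claims)
        if rule is not None:
            return rule["RoleARN"]
    elif mapping_type == "Token":
        roles = claims.get("cognito:roles", [])
        preferred = claims.get("cognito:preferred_role")
        if preferred:
            return preferred
        if len(roles) == 1:
            return roles[0]
        # Zero or several cognito:roles and no preferred role: ambiguous
        # (zero-role case is an assumption of this model).
    else:
        raise ValueError(f"unknown RoleMapping Type: {mapping_type!r}")

    # No rule matched, or the Token mapping was ambiguous.
    return authenticated_role if fallback == "AuthenticatedRole" else None


# Constructed RoleMappings entry in the shape of the template examples above.
SAMPLE_RULES_MAPPING = {
    "IdentityProvider": "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id",
    "Type": "Rules",
    "AmbiguousRoleResolution": "Deny",
    "RulesConfiguration": {
        "Rules": [
            {"Claim": "isAdmin", "MatchType": "Equals", "Value": "true", "RoleARN": ADMIN_ROLE},
            {"Claim": "custom:plan", "MatchType": "StartsWith", "Value": "paid", "RoleARN": PAID_ROLE},
        ]
    },
}

SAMPLE_TOKEN_MAPPING = {"Type": "Token", "AmbiguousRoleResolution": "AuthenticatedRole"}

if __name__ == "__main__":
    for claims in ({"sub": "u1", "isAdmin": "true"},
                   {"sub": "u2", "custom:plan": "paid-monthly"},
                   {"sub": "u3"}):
        print(claims, "->", resolve_role(SAMPLE_RULES_MAPPING, claims, AUTH_ROLE))
```

Two points the model makes visible: rule order matters, since the first matching rule wins, so the most privileged role should be guarded by the most specific rule; and `Deny` is the conservative fallback, because with `AuthenticatedRole` a token that matches no rule still receives the pool-wide authenticated role rather than no credentials.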

# AWS::Cognito::IdentityPoolRoleAttachment RulesConfigurationType
<a name="aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype"></a>

`RulesConfigurationType` is a subproperty of the [RoleMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) property that defines the rules to be used for mapping users to roles.

## Syntax
<a name="aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype-syntax.json"></a>

```
{
  "[Rules](#cfn-cognito-identitypoolroleattachment-rulesconfigurationtype-rules)" : [ MappingRule, ... ]
}
```

### YAML
<a name="aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype-syntax.yaml"></a>

```
  [Rules](#cfn-cognito-identitypoolroleattachment-rulesconfigurationtype-rules): 
    - MappingRule
```

## Properties
<a name="aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype-properties"></a>

`Rules`  <a name="cfn-cognito-identitypoolroleattachment-rulesconfigurationtype-rules"></a>
The rules. You can specify up to 25 rules per identity provider.  
*Required*: Yes  
*Type*: Array of [MappingRule](aws-properties-cognito-identitypoolroleattachment-mappingrule.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
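The constraints stated across the `IdentityPoolRoleAttachment`, `RoleMapping`, `MappingRule` and `RulesConfigurationType` sections (valid `Roles` keys, required `AmbiguousRoleResolution` and `RulesConfiguration`, the four `MatchType` values, the 25-rule limit) can be checked before a stack is created. The following added example is not part of the CloudFormation reference or of any AWS tool: it runs those checks over a template already parsed into a dict (for example with `json.load`) and reports each violation with its location. The embedded template is constructed for this example, with one resource shaped like the page's own example and one that breaks several rules.

```python
"""Pre-deployment checks for AWS::Cognito::IdentityPoolRoleAttachment resources.

Added example, not AWS code: reports violations of the constraints stated on
this page for a parsed CloudFormation template. The sample template below is
constructed for this example.
"""
import json

RESOURCE_TYPE = "AWS::Cognito::IdentityPoolRoleAttachment"
VALID_ROLE_KEYS = {"authenticated", "unauthenticated"}
VALID_MAPPING_TYPES = {"Token", "Rules"}
VALID_MATCH_TYPES = {"Equals", "Contains", "StartsWith", "NotEqual"}
RULE_FIELDS = {"Claim", "MatchType", "RoleARN", "Value"}
MAX_RULES_PER_PROVIDER = 25


def check_mapping_rule(where, rule):
    """Findings for one MappingRule object: all four fields, valid MatchType."""
    findings = []
    missing = sorted(RULE_FIELDS - set(rule))
    if missing:
        findings.append(f"{where}: missing required field(s) {', '.join(missing)}")
    match_type = rule.get("MatchType")
    if match_type is not None and match_type not in VALID_MATCH_TYPES:
        findings.append(f"{where}: MatchType {match_type!r} is not one of "
                        f"{', '.join(sorted(VALID_MATCH_TYPES))}")
    return findings


def check_role_mapping(where, mapping):
    """Findings for one RoleMapping entry (one identity provider)."""
    findings = []
    mapping_type = mapping.get("Type")
    if mapping_type not in VALID_MAPPING_TYPES:
        findings.append(f"{where}: Type must be Token or Rules, got {mapping_type!r}")
        return findings
    if "AmbiguousRoleResolution" not in mapping:
        findings.append(f"{where}: AmbiguousRoleResolution is required when Type is {mapping_type}")
    if mapping_type == "Rules":
        rules = mapping.get("RulesConfiguration", {}).get("Rules")
        if rules is None:
            findings.append(f"{where}: RulesConfiguration.Rules is required when Type is Rules")
            return findings
        if len(rules) > MAX_RULES_PER_PROVIDER:
            findings.append(f"{where}: {len(rules)} rules exceeds the limit of {MAX_RULES_PER_PROVIDER}")
        for index, rule in enumerate(rules):
            findings.extend(check_mapping_rule(f"{where}.Rules[{index}]", rule))
    return findings


def check_role_attachment(logical_id, resource):
    """Findings for one IdentityPoolRoleAttachment resource."""
    findings = []
    props = resource.get("Properties", {})
    if "IdentityPoolId" not in props:
        findings.append(f"{logical_id}: IdentityPoolId is required")
    for key in props.get("Roles", {}):
        if key not in VALID_ROLE_KEYS:
            findings.append(f"{logical_id}.Roles: key {key!r} must be 'authenticated' or 'unauthenticated'")
    for provider, mapping in props.get("RoleMappings", {}).items():
        findings.extend(check_role_mapping(f"{logical_id}.RoleMappings[{provider}]", mapping))
    return findings


def check_template(template):
    """Run the checks over every IdentityPoolRoleAttachment in a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == RESOURCE_TYPE:
            findings.extend(check_role_attachment(logical_id, resource))
    return findings


# Constructed template: one valid resource shaped like the page's example and
# one with an invalid Roles key, no AmbiguousRoleResolution, a rule without
# RoleARN and an unknown MatchType.
SAMPLE_TEMPLATE = json.loads(r"""
{"Resources": {
  "IdentityPoolRoleAttachment": {
    "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
    "Properties": {
      "IdentityPoolId": {"Ref": "IdentityPool"},
      "Roles": {"authenticated": {"Fn::GetAtt": ["AuthenticatedRole", "Arn"]},
                "unauthenticated": {"Fn::GetAtt": ["UnAuthenticatedRole", "Arn"]}},
      "RoleMappings": {"graph.facebook.com": {
        "Type": "Rules", "AmbiguousRoleResolution": "Deny",
        "RulesConfiguration": {"Rules": [{"Claim": "sub", "MatchType": "Equals",
          "Value": "goodvalue", "RoleARN": {"Fn::GetAtt": ["AuthenticatedRole", "Arn"]}}]}}}}},
  "BrokenAttachment": {
    "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
    "Properties": {
      "IdentityPoolId": {"Ref": "IdentityPool"},
      "Roles": {"admin": {"Fn::GetAtt": ["AdminRole", "Arn"]}},
      "RoleMappings": {"userpool1": {
        "Type": "Rules",
        "RulesConfiguration": {"Rules": [{"Claim": "isAdmin", "MatchType": "Matches", "Value": "true"}]}}}}}
}}
""")

if __name__ == "__main__":
    for line in check_template(SAMPLE_TEMPLATE):
        print(line)
```

Running the block prints four findings, all for `BrokenAttachment`, and none for the resource that follows the page's example. Intrinsic functions such as `Ref` and `Fn::GetAtt` are accepted wherever a string would be, since the checks only test for presence and for the enumerated values the page lists.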