This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::VerifiedPermissions::IdentitySource Creates or updates a reference to Amazon Cognito as an external identity provider. If you are creating a new identity source, then you must specify a `Configuration`. If you are updating an existing identity source, then you must specify an `UpdateConfiguration`. After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the [IsAuthorizedWithToken](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorizedWithToken.html) operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine the attributes that are available to access in the Cedar principal from your policies. Amazon Cognito Identity is not available in all of the same AWS Regions as Amazon Verified Permissions. Because of this, the `AWS::VerifiedPermissions::IdentitySource` type is not available to create from CloudFormation in Regions where Amazon Cognito Identity is not currently available. Users can still create `AWS::VerifiedPermissions::IdentitySource` in those Regions, but only from the AWS CLI, Amazon Verified Permissions SDK, or from the AWS console. **Note** To reference a user from this identity source in your Cedar policies, use the following syntax. *IdentityType::"\$1* Where `IdentityType` is the string that you provide to the `PrincipalEntityType` parameter for this operation. The `CognitoUserPoolId` and `CognitoClientId` are defined by the Amazon Cognito user pool. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::VerifiedPermissions::IdentitySource", "Properties" : { "[Configuration](#cfn-verifiedpermissions-identitysource-configuration)" : IdentitySourceConfiguration, "[PolicyStoreId](#cfn-verifiedpermissions-identitysource-policystoreid)" : String, "[PrincipalEntityType](#cfn-verifiedpermissions-identitysource-principalentitytype)" : String } } ``` ### YAML ``` Type: AWS::VerifiedPermissions::IdentitySource Properties: [Configuration](#cfn-verifiedpermissions-identitysource-configuration): IdentitySourceConfiguration [PolicyStoreId](#cfn-verifiedpermissions-identitysource-policystoreid): String [PrincipalEntityType](#cfn-verifiedpermissions-identitysource-principalentitytype): String ``` ## Properties `Configuration` Contains configuration information used when creating a new identity source. *Required*: Yes *Type*: [IdentitySourceConfiguration](aws-properties-verifiedpermissions-identitysource-identitysourceconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyStoreId` Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source. To specify a policy store, use its ID or alias name. When using an alias name, prefix it with `policy-store-alias/`. For example: + ID: `PSEXAMPLEabcdefg111111` + Alias name: `policy-store-alias/example-policy-store` To view aliases, use [ListPolicyStoreAliases](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListPolicyStoreAliases.html). *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9-]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PrincipalEntityType` Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source. *Required*: No *Type*: String *Pattern*: `^.*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique id of the new identity source. For example: `{ "Ref": "ISEXAMPLEabcdefg111111" }` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `IdentitySourceId` The unique ID of the new or updated identity store. ## Examples ### Creating an identity source for a Amazon Cognito user pool The following example creates an identity source in the specified policy store that points to a Amazon Cognito user pool using the specified client ID. The new identity source returns objects of the specified data type. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation sample template for creating an identity source for Verified Permissions.", "Parameters": { "PolicyStoreId": { "Type": "String" }, "UserPoolArn": { "Type": "String" }, "ClientIds": { "Type": "List" }, "PrincipalEntityType": { "Type": "String" } }, "Resources": { "IdentitySource": { "Type": "AWS::VerifiedPermissions::IdentitySource", "Properties": { "PolicyStoreId": { "Ref": "PolicyStoreId" }, "Configuration": { "CognitoUserPoolConfiguration": { "UserPoolArn": { "Ref": "UserPoolArn" }, "ClientIds": { "Ref": "ClientIds" } } }, "PrincipalEntityType": { "Ref": "PrincipalEntityType" } } } }, "Outputs": { "IdentitySourceId": { "Value": { "Fn::GetAtt": [ "IdentitySource", "IdentitySourceId" ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Description": "AWS CloudFormation sample template for creating an identity source for Verified Permissions Parameters: PolicyStoreId: Type: String UserPoolArn: Type: String ClientIds: Type: List PrincipalEntityType: Type: String Resources: IdentitySource: Type: AWS::VerifiedPermissions::IdentitySource Properties: PolicyStoreId: !Ref PolicyStoreId Configuration: CognitoUserPoolConfiguration: UserPoolArn: !Ref UserPoolArn ClientIds: !Ref ClientIds PrincipalEntityType: !Ref PrincipalEntityType Outputs: IdentitySourceId: Value: !GetAtt IdentitySource.IdentitySourceId ``` # AWS::VerifiedPermissions::IdentitySource CognitoGroupConfiguration The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[GroupEntityType](#cfn-verifiedpermissions-identitysource-cognitogroupconfiguration-groupentitytype)" : String } ``` ### YAML ``` [GroupEntityType](#cfn-verifiedpermissions-identitysource-cognitogroupconfiguration-groupentitytype): String ``` ## Properties `GroupEntityType` The name of the schema entity type that's mapped to the user pool group. Defaults to `AWS::CognitoGroup`. *Required*: Yes *Type*: String *Pattern*: `^([_a-zA-Z][_a-zA-Z0-9]*::)*[_a-zA-Z][_a-zA-Z0-9]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource CognitoUserPoolConfiguration A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClientIds](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-clientids)" : [ String, ... ], "[GroupConfiguration](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-groupconfiguration)" : CognitoGroupConfiguration, "[UserPoolArn](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-userpoolarn)" : String } ``` ### YAML ``` [ClientIds](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-clientids): - String [GroupConfiguration](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-groupconfiguration): CognitoGroupConfiguration [UserPoolArn](#cfn-verifiedpermissions-identitysource-cognitouserpoolconfiguration-userpoolarn): String ``` ## Properties `ClientIds` The unique application client IDs that are associated with the specified Amazon Cognito user pool. Example: `"ClientIds": ["&ExampleCogClientId;"]` *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `255 | 1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupConfiguration` The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source. *Required*: No *Type*: [CognitoGroupConfiguration](aws-properties-verifiedpermissions-identitysource-cognitogroupconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserPoolArn` The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the Amazon Cognito user pool that contains the identities to be authorized. *Required*: Yes *Type*: String *Pattern*: `^arn:[a-zA-Z0-9-]+:cognito-idp:(([a-zA-Z0-9-]+:\d{12}:userpool/[\w-]+_[0-9a-zA-Z]+))$` *Minimum*: `1` *Maximum*: `255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource IdentitySourceConfiguration A structure that contains configuration information used when creating or updating a new identity source. **Note** At this time, the only valid member of this structure is a Amazon Cognito user pool configuration. You must specify a `userPoolArn`, and optionally, a `ClientId`. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CognitoUserPoolConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-cognitouserpoolconfiguration)" : CognitoUserPoolConfiguration, "[OpenIdConnectConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-openidconnectconfiguration)" : OpenIdConnectConfiguration } ``` ### YAML ``` [CognitoUserPoolConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-cognitouserpoolconfiguration): CognitoUserPoolConfiguration [OpenIdConnectConfiguration](#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-openidconnectconfiguration): OpenIdConnectConfiguration ``` ## Properties `CognitoUserPoolConfiguration` A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions. *Required*: No *Type*: [CognitoUserPoolConfiguration](aws-properties-verifiedpermissions-identitysource-cognitouserpoolconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OpenIdConnectConfiguration` Property description not available. *Required*: No *Type*: [OpenIdConnectConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectAccessTokenConfiguration The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept. This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Audiences](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-audiences)" : [ String, ... ], "[PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-principalidclaim)" : String } ``` ### YAML ``` [Audiences](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-audiences): - String [PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-principalidclaim): String ``` ## Properties `Audiences` The access token `aud` claim values that you want to accept in your policy store. For example, `https://myapp.example.com, https://myapp2.example.com`. *Required*: No *Type*: Array of String *Minimum*: `1 | 1` *Maximum*: `255 | 255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PrincipalIdClaim` The claim that determines the principal in OIDC access tokens. For example, `sub`. *Required*: No *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectConfiguration Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. This data type is part of a [Configuration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html) structure, which is a parameter to [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[EntityIdPrefix](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-entityidprefix)" : String, "[GroupConfiguration](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-groupconfiguration)" : OpenIdConnectGroupConfiguration, "[Issuer](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-issuer)" : String, "[TokenSelection](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-tokenselection)" : OpenIdConnectTokenSelection } ``` ### YAML ``` [EntityIdPrefix](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-entityidprefix): String [GroupConfiguration](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-groupconfiguration): OpenIdConnectGroupConfiguration [Issuer](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-issuer): String [TokenSelection](#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-tokenselection): OpenIdConnectTokenSelection ``` ## Properties `EntityIdPrefix` A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if you set an `entityIdPrefix` of `MyOIDCProvider`, you can reference principals in your policies in the format `MyCorp::User::MyOIDCProvider|Carlos`. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `100` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupConfiguration` The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup`. *Required*: No *Type*: [OpenIdConnectGroupConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectgroupconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Issuer` The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path `.well-known/openid-configuration`. *Required*: Yes *Type*: String *Pattern*: `^https://.*$` *Minimum*: `1` *Maximum*: `2048` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TokenSelection` The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. *Required*: Yes *Type*: [OpenIdConnectTokenSelection](aws-properties-verifiedpermissions-identitysource-openidconnecttokenselection.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectGroupConfiguration The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup`. This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[GroupClaim](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupclaim)" : String, "[GroupEntityType](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupentitytype)" : String } ``` ### YAML ``` [GroupClaim](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupclaim): String [GroupEntityType](#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupentitytype): String ``` ## Properties `GroupClaim` The token claim that you want Verified Permissions to interpret as group membership. For example, `groups`. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupEntityType` The policy store entity type that you want to map your users' group claim to. For example, `MyCorp::UserGroup`. A group entity type is an entity that can have a user entity type as a member. *Required*: Yes *Type*: String *Pattern*: `^([_a-zA-Z][_a-zA-Z0-9]*::)*[_a-zA-Z][_a-zA-Z0-9]*$` *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectIdentityTokenConfiguration The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept. This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClientIds](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-clientids)" : [ String, ... ], "[PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-principalidclaim)" : String } ``` ### YAML ``` [ClientIds](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-clientids): - String [PrincipalIdClaim](#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-principalidclaim): String ``` ## Properties `ClientIds` The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider. For example, `1example23456789, 2example10111213`. *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `255 | 1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PrincipalIdClaim` The claim that determines the principal in OIDC access tokens. For example, `sub`. *Required*: No *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::VerifiedPermissions::IdentitySource OpenIdConnectTokenSelection The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccessTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-accesstokenonly)" : OpenIdConnectAccessTokenConfiguration, "[IdentityTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-identitytokenonly)" : OpenIdConnectIdentityTokenConfiguration } ``` ### YAML ``` [AccessTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-accesstokenonly): OpenIdConnectAccessTokenConfiguration [IdentityTokenOnly](#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-identitytokenonly): OpenIdConnectIdentityTokenConfiguration ``` ## Properties `AccessTokenOnly` The OIDC configuration for processing access tokens. Contains allowed audience claims, for example `https://auth.example.com`, and the claim that you want to map to the principal, for example `sub`. *Required*: No *Type*: [OpenIdConnectAccessTokenConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IdentityTokenOnly` The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example `1example23456789`, and the claim that you want to map to the principal, for example `sub`. *Required*: No *Type*: [OpenIdConnectIdentityTokenConfiguration](aws-properties-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)