Class CfnIdentitySource
- All Implemented Interfaces:
IInspectable, IEnvironmentAware, IIdentitySourceRef, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
If you are creating a new identity source, then you must specify a Configuration. If you are updating an existing identity source, then you must specify an UpdateConfiguration.
After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine the attributes that are available to access in the Cedar principal from your policies.
Amazon Cognito Identity is not available in all of the same AWS Regions as Amazon Verified Permissions. Because of this, the AWS::VerifiedPermissions::IdentitySource type is not available to create from CloudFormation in Regions where Amazon Cognito Identity is not currently available. Users can still create AWS::VerifiedPermissions::IdentitySource in those Regions, but only from the AWS CLI, SDK, or the AWS console.
To reference a user from this identity source in your Cedar policies, use the following syntax:

    IdentityType::"<CognitoUserPoolId>|<CognitoClientId>"

Where IdentityType is the string that you provide to the PrincipalEntityType parameter for this operation. The CognitoUserPoolId and CognitoClientId are defined by the Amazon Cognito user pool.
Example:

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
// Note: a real identity source uses either cognitoUserPoolConfiguration or
// openIdConnectConfiguration (and, within OIDC, either accessTokenOnly or
// identityTokenOnly); both branches are shown here only so that every property appears.
import java.util.List;
import software.amazon.awscdk.services.verifiedpermissions.*;
import software.amazon.awscdk.services.verifiedpermissions.CfnIdentitySource.*;

CfnIdentitySource cfnIdentitySource = CfnIdentitySource.Builder.create(this, "MyCfnIdentitySource")
        .configuration(IdentitySourceConfigurationProperty.builder()
                .cognitoUserPoolConfiguration(CognitoUserPoolConfigurationProperty.builder()
                        .userPoolArn("userPoolArn")
                        // the properties below are optional
                        .clientIds(List.of("clientIds"))
                        .groupConfiguration(CognitoGroupConfigurationProperty.builder()
                                .groupEntityType("groupEntityType")
                                .build())
                        .build())
                .openIdConnectConfiguration(OpenIdConnectConfigurationProperty.builder()
                        .issuer("issuer")
                        .tokenSelection(OpenIdConnectTokenSelectionProperty.builder()
                                .accessTokenOnly(OpenIdConnectAccessTokenConfigurationProperty.builder()
                                        .audiences(List.of("audiences"))
                                        .principalIdClaim("principalIdClaim")
                                        .build())
                                .identityTokenOnly(OpenIdConnectIdentityTokenConfigurationProperty.builder()
                                        .clientIds(List.of("clientIds"))
                                        .principalIdClaim("principalIdClaim")
                                        .build())
                                .build())
                        // the properties below are optional
                        .entityIdPrefix("entityIdPrefix")
                        .groupConfiguration(OpenIdConnectGroupConfigurationProperty.builder()
                                .groupClaim("groupClaim")
                                .groupEntityType("groupEntityType")
                                .build())
                        .build())
                .build())
        .policyStoreId("policyStoreId")
        // the properties below are optional
        .principalEntityType("principalEntityType")
        .build();
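A complete stack using only the Cognito branch of the configuration, added here as an example and not taken from the CDK project's own samples. The policy store id, user pool ARN, app client id and the MyApp::User / MyApp::UserGroup entity type names are constructed placeholders.

```java
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.verifiedpermissions.CfnIdentitySource;
import software.constructs.Construct;

// Added example (not the CDK project's own sample): a single Cognito-backed
// identity source in a CDK Java stack. All ids, ARNs and entity type names
// below are constructed placeholders.
public class IdentitySourceStack extends Stack {
    public IdentitySourceStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // The configuration is a choice between Cognito and OIDC; only the
        // Cognito branch is populated here.
        CfnIdentitySource.CognitoUserPoolConfigurationProperty cognito =
            CfnIdentitySource.CognitoUserPoolConfigurationProperty.builder()
                .userPoolArn("arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE")
                // Restrict accepted tokens to those issued for the listed app
                // client(s) of the pool rather than any client of the pool.
                .clientIds(List.of("example-app-client-id"))
                // Map the pool's group memberships to a Cedar entity type so
                // policies can express  principal in MyApp::UserGroup::"..."  checks.
                .groupConfiguration(CfnIdentitySource.CognitoGroupConfigurationProperty.builder()
                    .groupEntityType("MyApp::UserGroup")
                    .build())
                .build();

        CfnIdentitySource.Builder.create(this, "CognitoIdentitySource")
            .policyStoreId("EXAMPLEPOLICYSTOREID")   // id of an existing policy store
            // Authenticated users become MyApp::User::"..." principals, following
            // the IdentityType::"..." syntax described above.
            .principalEntityType("MyApp::User")
            .configuration(CfnIdentitySource.IdentitySourceConfigurationProperty.builder()
                .cognitoUserPoolConfiguration(cognito)
                .build())
            .build();
    }
}
```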
Nested Class Summary
- Nested Classes (Modifier and Type; Class; Description):
  - static final class CfnIdentitySource.Builder: A fluent builder for CfnIdentitySource.
  - static interface CfnIdentitySource.CognitoGroupConfigurationProperty: The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
  - static interface CfnIdentitySource.CognitoUserPoolConfigurationProperty: A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
  - static interface CfnIdentitySource.IdentitySourceConfigurationProperty: A structure that contains configuration information used when creating or updating a new identity source.
  - static interface (class name not preserved on this page): Example:
  - static interface CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty: The configuration of an OpenID Connect (OIDC) identity source for handling access token claims.
  - static interface CfnIdentitySource.OpenIdConnectConfigurationProperty: Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities.
  - static interface CfnIdentitySource.OpenIdConnectGroupConfigurationProperty: The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to.
  - static interface CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty: The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims.
  - static interface CfnIdentitySource.OpenIdConnectTokenSelectionProperty: The token type that you want to process from your OIDC identity provider.
- Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject: software.amazon.jsii.JsiiObject.InitializationMode
- Nested classes/interfaces inherited from interface software.constructs.IConstruct: software.constructs.IConstruct.Jsii$Default
- Nested classes/interfaces inherited from interface software.amazon.awscdk.interfaces.verifiedpermissions.IIdentitySourceRef: IIdentitySourceRef.Jsii$Default, IIdentitySourceRef.Jsii$Proxy
- Nested classes/interfaces inherited from interface software.amazon.awscdk.IInspectable: IInspectable.Jsii$Default, IInspectable.Jsii$Proxy

Field Summary
- static final String CFN_RESOURCE_TYPE_NAME: The CloudFormation resource type name for this resource class.

Constructor Summary
- protected CfnIdentitySource(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- protected CfnIdentitySource(software.amazon.jsii.JsiiObjectRef objRef)
- CfnIdentitySource(software.constructs.Construct scope, String id, CfnIdentitySourceProps props): Create a new AWS::VerifiedPermissions::IdentitySource.

Method Summary
- getAttrIdentitySourceId(): The unique ID of the new or updated identity store.
- getConfiguration(): Contains configuration information used when creating a new identity source.
- getIdentitySourceRef(): A reference to an IdentitySource resource.
- getPolicyStoreId(): Specifies the ID of the policy store in which you want to store this identity source.
- getPrincipalEntityType(): Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.
- void inspect(TreeInspector inspector): Examines the CloudFormation resource and discloses attributes.
- static Boolean isCfnIdentitySource(x): Checks whether the given object is a CfnIdentitySource.
- protected Map<String, Object> renderProperties(Map<String, Object> props)
- void setConfiguration(IResolvable value): Contains configuration information used when creating a new identity source.
- void setConfiguration(CfnIdentitySource.IdentitySourceConfigurationProperty value): Contains configuration information used when creating a new identity source.
- void setPolicyStoreId(String value): Specifies the ID of the policy store in which you want to store this identity source.
- void setPrincipalEntityType(String value): Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.
- Methods inherited from class software.amazon.awscdk.CfnResource: addDeletionOverride, addDependency, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getAtt, getCfnOptions, getCfnResourceType, getEnv, getMetadata, getUpdatedProperites, getUpdatedProperties, isCfnResource, obtainDependencies, obtainResourceDependencies, removeDependency, replaceDependency, shouldSynthesize, toString, validateProperties
- Methods inherited from class software.amazon.awscdk.CfnRefElement: getRef
- Methods inherited from class software.amazon.awscdk.CfnElement: getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
- Methods inherited from class software.constructs.Construct: getNode, isConstruct
- Methods inherited from class software.amazon.jsii.JsiiObject: jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
- Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
- Methods inherited from interface software.constructs.IConstruct: getNode
- Methods inherited from interface software.amazon.awscdk.interfaces.IEnvironmentAware: getEnv
- Methods inherited from interface software.amazon.jsii.JsiiSerializable: $jsii$toJson
Field Details
- CFN_RESOURCE_TYPE_NAME
  static final String CFN_RESOURCE_TYPE_NAME
  The CloudFormation resource type name for this resource class.

Constructor Details
- CfnIdentitySource
  protected CfnIdentitySource(software.amazon.jsii.JsiiObjectRef objRef)
- CfnIdentitySource
  protected CfnIdentitySource(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- CfnIdentitySource
  @Stability(Stable) public CfnIdentitySource(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnIdentitySourceProps props)
  Create a new AWS::VerifiedPermissions::IdentitySource.
  Parameters:
  - scope - Scope in which this resource is defined. This parameter is required.
  - id - Construct identifier for this resource (unique in its scope). This parameter is required.
  - props - Resource properties. This parameter is required.

Method Details
- isCfnIdentitySource
  Checks whether the given object is a CfnIdentitySource.
  Parameters:
  - x - This parameter is required.
- inspect
  Examines the CloudFormation resource and discloses attributes.
  Specified by: inspect in interface IInspectable
  Parameters:
  - inspector - tree inspector to collect and process attributes. This parameter is required.
- renderProperties
  @Stability(Stable) @NotNull protected Map<String, Object> renderProperties(@NotNull Map<String, Object> props)
  Overrides: renderProperties in class CfnResource
  Parameters:
  - props - This parameter is required.
- getAttrDetails
- getAttrDetailsClientIds
- getAttrDetailsDiscoveryUrl
- getAttrDetailsOpenIdIssuer
- getAttrDetailsUserPoolArn
- getAttrIdentitySourceId
  The unique ID of the new or updated identity store.
- getCfnProperties
  Overrides: getCfnProperties in class CfnResource
- getIdentitySourceRef
  A reference to an IdentitySource resource.
  Specified by: getIdentitySourceRef in interface IIdentitySourceRef
- getConfiguration
  Contains configuration information used when creating a new identity source.
  Returns union: either IResolvable or CfnIdentitySource.IdentitySourceConfigurationProperty
- setConfiguration
  Contains configuration information used when creating a new identity source.
- setConfiguration
  @Stability(Stable) public void setConfiguration(@NotNull CfnIdentitySource.IdentitySourceConfigurationProperty value)
  Contains configuration information used when creating a new identity source.
- getPolicyStoreId
  Specifies the ID of the policy store in which you want to store this identity source.
- setPolicyStoreId
  Specifies the ID of the policy store in which you want to store this identity source.
- getPrincipalEntityType
  Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.
- setPrincipalEntityType
  Specifies the namespace and data type of the principals generated for identities authenticated by the new identity source.