I used the following CloudFormation template to create the stack:
```yaml
Resources:
  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: 'true'
  CognitoRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - 'cognito-identity.amazonaws.com'
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  Ref: MyIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - 'authenticated'
  CognitoRole2:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - 'cognito-identity.amazonaws.com'
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  Ref: MyIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - 'unauthenticated'
  RoleAttachment:
    DependsOn: MyIdentityPool
    Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
    Properties:
      IdentityPoolId:
        # Posted as "Ref: MyPinpointIdentityPool"; the only pool defined in this template is MyIdentityPool
        Ref: MyIdentityPool
      Roles:
        unauthenticated:
          Fn::GetAtt: [CognitoRole2, Arn]
  AccessPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      ...
      Roles:
        - Ref: CognitoGeneralRole   # not defined in the posted snippet
```
Stack creation was successful; however, when I update the stack by changing the IdentityPoolRoleAttachment to
```yaml
  RoleAttachment:
    DependsOn: MyIdentityPool
    Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
    Properties:
      IdentityPoolId:
        # Posted as "Ref: MyPinpointIdentityPool"; the only pool defined in this template is MyIdentityPool
        Ref: MyIdentityPool
      Roles:
        unauthenticated:
          Fn::GetAtt: [CognitoRole2, Arn]
        authenticated:
          Fn::GetAtt: [CognitoRole, Arn]
```
I got `AWS::Cognito::IdentityPoolRoleAttachment Resource cannot be updated`.
What could be the cause of that?
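Added example, not part of the question: a small Python evaluator for the two role trust policies in the template above. It shows why the `amr` condition matters: an identity whose token carries only `unauthenticated` can assume CognitoRole2 but never CognitoRole, regardless of which role the attachment maps. It assumes a constructed pool ID standing in for `Ref: MyIdentityPool`, uses `fnmatch` as a stand-in for IAM's StringLike wildcard matching, and implements only the two condition operators the question uses.

```python
import fnmatch

# Constructed stand-in for the resolved value of "Ref: MyIdentityPool".
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"


def trust_policy(amr_value: str) -> dict:
    """Statement shaped like CognitoRole / CognitoRole2's AssumeRolePolicyDocument."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": ["cognito-identity.amazonaws.com"]},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": [amr_value]},
        },
    }


# Same gating as the question's template: amr decides which role a token may assume.
ROLE_TRUST = {
    "CognitoRole": trust_policy("authenticated"),
    "CognitoRole2": trust_policy("unauthenticated"),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_allows(statement: dict, claims: dict) -> bool:
    """Evaluate StringEquals (single-valued) and ForAnyValue:StringLike (multi-valued)."""
    for key, expected in statement["Condition"]["StringEquals"].items():
        if key not in claims or claims[key] != expected:
            return False
    for key, patterns in statement["Condition"]["ForAnyValue:StringLike"].items():
        # A missing multi-valued key is an empty set, so ForAnyValue evaluates to false.
        present = _as_list(claims.get(key, []))
        if not any(fnmatch.fnmatchcase(v, p) for v in present for p in _as_list(patterns)):
            return False
    return True


def assumable_roles(claims: dict) -> list:
    """Names of roles whose trust policy accepts the given Cognito identity claims."""
    return sorted(name for name, st in ROLE_TRUST.items() if condition_allows(st, claims))
```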