set_identity_pool_roles

CognitoIdentity.Client.set_identity_pool_roles(**kwargs)

Sets the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action.

You must use AWS Developer credentials to call this API.

See also: AWS API Documentation

Request Syntax

response = client.set_identity_pool_roles(
    IdentityPoolId='string',
    Roles={
        'string': 'string'
    },
    RoleMappings={
        'string': {
            'Type': 'Token'|'Rules',
            'AmbiguousRoleResolution': 'AuthenticatedRole'|'Deny',
            'RulesConfiguration': {
                'Rules': [
                    {
                        'Claim': 'string',
                        'MatchType': 'Equals'|'Contains'|'StartsWith'|'NotEqual',
                        'Value': 'string',
                        'RoleARN': 'string'
                    },
                ]
            }
        }
    }
)

Parameters

• IdentityPoolId (string) --

  [REQUIRED]

  An identity pool ID in the format REGION:GUID.

• Roles (dict) --

  [REQUIRED]

  The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.

  • (string) --
    • (string) --
• RoleMappings (dict) --

  How users for a specific identity provider are to mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".

  Up to 25 rules can be specified per identity provider.

  • (string) --
    • (dict) --

      A role mapping.

      • Type (string) -- [REQUIRED]

        The role mapping type. Token will use cognito:roles and cognito:preferred_role claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.

      • AmbiguousRoleResolution (string) --

        If you specify Token or Rules as the Type , AmbiguousRoleResolution is required.

        Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type.

      • RulesConfiguration (dict) --

        The rules to be used for mapping users to roles.

        If you specify Rules as the role mapping type, RulesConfiguration is required.

        • Rules (list) -- [REQUIRED]

          An array of rules. You can specify up to 25 rules per identity provider.

          Rules are evaluated in order. The first one to match specifies the role.

          • (dict) --

            A rule that maps a claim name, a claim value, and a match type to a role ARN.

            • Claim (string) -- [REQUIRED]

              The claim name that must be present in the token, for example, "isAdmin" or "paid".

            • MatchType (string) -- [REQUIRED]

              The match condition that specifies how closely the claim value in the IdP token must match Value .

            • Value (string) -- [REQUIRED]

              A brief string that the claim must match, for example, "paid" or "yes".

            • RoleARN (string) -- [REQUIRED]

              The role ARN.

Returns

None

Exceptions

• CognitoIdentity.Client.exceptions.InvalidParameterException
• CognitoIdentity.Client.exceptions.ResourceNotFoundException
• CognitoIdentity.Client.exceptions.NotAuthorizedException
• CognitoIdentity.Client.exceptions.ResourceConflictException
• CognitoIdentity.Client.exceptions.TooManyRequestsException
• CognitoIdentity.Client.exceptions.InternalErrorException
• CognitoIdentity.Client.exceptions.ConcurrentModificationException