set_identity_pool_roles

CognitoIdentity.Client.set_identity_pool_roles(**kwargs)

Sets the roles for an identity pool. These roles are used when calling the GetCredentialsForIdentity action.

You must use AWS Developer credentials to call this API.

See also: AWS API Documentation

Request Syntax

response = client.set_identity_pool_roles(
    IdentityPoolId='string',
    Roles={
        'string': 'string'
    },
    RoleMappings={
        'string': {
            'Type': 'Token'|'Rules',
            'AmbiguousRoleResolution': 'AuthenticatedRole'|'Deny',
            'RulesConfiguration': {
                'Rules': [
                    {
                        'Claim': 'string',
                        'MatchType': 'Equals'|'Contains'|'StartsWith'|'NotEqual',
                        'Value': 'string',
                        'RoleARN': 'string'
                    },
                ]
            }
        }
    }
)

Parameters
  • IdentityPoolId (string) --

    [REQUIRED]

    An identity pool ID in the format REGION:GUID.

  • Roles (dict) --

    [REQUIRED]

    The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.

    • (string) --
      • (string) --
  • RoleMappings (dict) --

    How users for a specific identity provider are mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".

    Up to 25 rules can be specified per identity provider.

    • (string) --
      • (dict) --

        A role mapping.

        • Type (string) -- [REQUIRED]

          The role mapping type. Token will use cognito:roles and cognito:preferred_role claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.

        • AmbiguousRoleResolution (string) --

          If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.

          Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type.

        • RulesConfiguration (dict) --

          The rules to be used for mapping users to roles.

          If you specify Rules as the role mapping type, RulesConfiguration is required.

          • Rules (list) -- [REQUIRED]

            An array of rules. You can specify up to 25 rules per identity provider.

            Rules are evaluated in order. The first one to match specifies the role.

            • (dict) --

              A rule that maps a claim name, a claim value, and a match type to a role ARN.

              • Claim (string) -- [REQUIRED]

                The claim name that must be present in the token, for example, "isAdmin" or "paid".

              • MatchType (string) -- [REQUIRED]

                The match condition that specifies how closely the claim value in the IdP token must match Value.

              • Value (string) -- [REQUIRED]

                A brief string that the claim must match, for example, "paid" or "yes".

              • RoleARN (string) -- [REQUIRED]

                The role ARN.

Returns

None

Exceptions

  • CognitoIdentity.Client.exceptions.InvalidParameterException
  • CognitoIdentity.Client.exceptions.ResourceNotFoundException
  • CognitoIdentity.Client.exceptions.NotAuthorizedException
  • CognitoIdentity.Client.exceptions.ResourceConflictException
  • CognitoIdentity.Client.exceptions.TooManyRequestsException
  • CognitoIdentity.Client.exceptions.InternalErrorException
  • CognitoIdentity.Client.exceptions.ConcurrentModificationException
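
Example

The following is an added example, not code from the boto3 documentation or the botocore project. It builds the kwargs for a Rules-type RoleMappings request, checks the constraints documented above (Type, AmbiguousRoleResolution, 1 to 25 well-formed rules) before the call, and models the documented evaluation order locally so you can see which role a given set of token claims would resolve to and what the AmbiguousRoleResolution fallback does. The pool ID, provider name, claim name and role ARNs are placeholders.

```python
# Added example (not from the boto3 docs): build a Rules-type set_identity_pool_roles
# request and model its documented evaluation locally. All IDs/ARNs are placeholders.
POOL_ID = "us-east-1:PLACEHOLDER-IDENTITY-POOL-GUID"
PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_PLACEHOLDER:placeholder_client_id"
ROLE = {n: f"arn:aws:iam::123456789012:role/Example{n}" for n in ("Admin", "Paid", "Auth")}

MATCH = {"Equals": lambda c, v: c == v, "Contains": lambda c, v: v in c,
         "StartsWith": lambda c, v: c.startswith(v), "NotEqual": lambda c, v: c != v}


def build_request(ambiguous="Deny"):
    """Return kwargs for client.set_identity_pool_roles(**build_request())."""
    rules = [  # rules are evaluated in order and the first match wins, so the
               # narrow Equals rule must come before the broader StartsWith rule
        {"Claim": "custom:tier", "MatchType": "Equals", "Value": "admin", "RoleARN": ROLE["Admin"]},
        {"Claim": "custom:tier", "MatchType": "StartsWith", "Value": "paid", "RoleARN": ROLE["Paid"]},
    ]
    return {
        "IdentityPoolId": POOL_ID,
        "Roles": {"authenticated": ROLE["Auth"]},
        "RoleMappings": {PROVIDER: {"Type": "Rules",
                                    "AmbiguousRoleResolution": ambiguous,
                                    "RulesConfiguration": {"Rules": rules}}},
    }


def validate(request):
    """Return the documented constraints the request violates (empty list if none)."""
    problems = []
    for provider, m in request["RoleMappings"].items():
        if m.get("Type") not in ("Token", "Rules") or "AmbiguousRoleResolution" not in m:
            problems.append(f"{provider}: Type must be Token|Rules and AmbiguousRoleResolution is required")
        if m.get("Type") == "Rules":
            rules = m.get("RulesConfiguration", {}).get("Rules", [])
            if not 1 <= len(rules) <= 25:
                problems.append(f"{provider}: Rules type needs 1..25 rules, got {len(rules)}")
            for r in rules:
                if r.get("MatchType") not in MATCH or not all(r.get(k) for k in ("Claim", "Value", "RoleARN")):
                    problems.append(f"{provider}: malformed rule {r}")
    return problems


def resolve_role(request, provider, claims):
    """Model of the documented Rules evaluation for one token's claims."""
    m = request["RoleMappings"][provider]
    for rule in m["RulesConfiguration"]["Rules"]:
        value = claims.get(rule["Claim"])  # the claim must be present for a rule to match
        if isinstance(value, str) and MATCH[rule["MatchType"]](value, rule["Value"]):
            return rule["RoleARN"]
    # No rule matched: Deny -> no credentials; AuthenticatedRole -> the pool's authenticated role
    return request["Roles"]["authenticated"] if m["AmbiguousRoleResolution"] == "AuthenticatedRole" else None
```

Swapping the two rules in build_request would make every "admin" user fall through to the StartsWith rule only if its value also started with "paid", but it illustrates the general point: put the most specific rule first, and prefer Deny as the fallback so an unmatched token receives no credentials rather than the default authenticated role.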