get_identity_pool_roles

CognitoIdentity.Client.get_identity_pool_roles(**kwargs)

Gets the roles for an identity pool.

You must use AWS Developer credentials to call this API.

See also: AWS API Documentation

Request Syntax

response = client.get_identity_pool_roles(
    IdentityPoolId='string'
)
Parameters
IdentityPoolId (string) --

[REQUIRED]

An identity pool ID in the format REGION:GUID.

Return type
dict
Returns
Response Syntax
{
    'IdentityPoolId': 'string',
    'Roles': {
        'string': 'string'
    },
    'RoleMappings': {
        'string': {
            'Type': 'Token'|'Rules',
            'AmbiguousRoleResolution': 'AuthenticatedRole'|'Deny',
            'RulesConfiguration': {
                'Rules': [
                    {
                        'Claim': 'string',
                        'MatchType': 'Equals'|'Contains'|'StartsWith'|'NotEqual',
                        'Value': 'string',
                        'RoleARN': 'string'
                    },
                ]
            }
        }
    }
}

Response Structure

  • (dict) --

    Returned in response to a successful GetIdentityPoolRoles operation.

    • IdentityPoolId (string) --

      An identity pool ID in the format REGION:GUID.

    • Roles (dict) --

      The map of roles associated with this pool. Currently only authenticated and unauthenticated roles are supported.

      • (string) --
        • (string) --
    • RoleMappings (dict) --

      How users for a specific identity provider are to mapped to roles. This is a String-to- RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".

      • (string) --
        • (dict) --

          A role mapping.

          • Type (string) --

            The role mapping type. Token will use cognito:roles and cognito:preferred_role claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.

          • AmbiguousRoleResolution (string) --

            If you specify Token or Rules as the Type , AmbiguousRoleResolution is required.

            Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type.

          • RulesConfiguration (dict) --

            The rules to be used for mapping users to roles.

            If you specify Rules as the role mapping type, RulesConfiguration is required.

            • Rules (list) --

              An array of rules. You can specify up to 25 rules per identity provider.

              Rules are evaluated in order. The first one to match specifies the role.

              • (dict) --

                A rule that maps a claim name, a claim value, and a match type to a role ARN.

                • Claim (string) --

                  The claim name that must be present in the token, for example, "isAdmin" or "paid".

                • MatchType (string) --

                  The match condition that specifies how closely the claim value in the IdP token must match Value .

                • Value (string) --

                  A brief string that the claim must match, for example, "paid" or "yes".

                • RoleARN (string) --

                  The role ARN.

Exceptions

  • CognitoIdentity.Client.exceptions.InvalidParameterException
  • CognitoIdentity.Client.exceptions.ResourceNotFoundException
  • CognitoIdentity.Client.exceptions.NotAuthorizedException
  • CognitoIdentity.Client.exceptions.ResourceConflictException
  • CognitoIdentity.Client.exceptions.TooManyRequestsException
  • CognitoIdentity.Client.exceptions.InternalErrorException