[ aws . cognito-identity ]

get-identity-pool-roles

Description

Gets the roles for an identity pool.

You must use AWS Developer credentials to call this API.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  get-identity-pool-roles
--identity-pool-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--identity-pool-id (string)

An identity pool ID in the format REGION:GUID.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

To get identity pool roles

This example gets identity pool roles.

Command:

aws cognito-identity get-identity-pool-roles --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111"

Output:

{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "Roles": {
      "authenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role",
      "unauthenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolUnauth_Role"
  }
}

Output

IdentityPoolId -> (string)

An identity pool ID in the format REGION:GUID.

Roles -> (map)

The map of roles associated with this pool. Currently only authenticated and unauthenticated roles are supported.

key -> (string)

value -> (string)

RoleMappings -> (map)

How users for a specific identity provider are to mapped to roles. This is a String-to- RoleMapping object map. The string identifies the identity provider, for example, “graph.facebook.com” or “cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id”.

key -> (string)

value -> (structure)

A role mapping.

Type -> (string)

The role mapping type. Token will use cognito:roles and cognito:preferred_role claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.

AmbiguousRoleResolution -> (string)

If you specify Token or Rules as the Type , AmbiguousRoleResolution is required.

Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type.

RulesConfiguration -> (structure)

The rules to be used for mapping users to roles.

If you specify Rules as the role mapping type, RulesConfiguration is required.

Rules -> (list)

An array of rules. You can specify up to 25 rules per identity provider.

Rules are evaluated in order. The first one to match specifies the role.

(structure)

A rule that maps a claim name, a claim value, and a match type to a role ARN.

Claim -> (string)

The claim name that must be present in the token, for example, “isAdmin” or “paid”.

MatchType -> (string)

The match condition that specifies how closely the claim value in the IdP token must match Value .

Value -> (string)

A brief string that the claim must match, for example, “paid” or “yes”.

RoleARN -> (string)

The role ARN.