Configure Cognito Identity Pool in Serverless


#1

Link to chapter - https://serverless-stack.com/chapters/configure-cognito-identity-pool-in-serverless.html


#2

Can we use Ref: ApiGatewayRestApi even if we’ve not defined ApiGatewayRestApi?


#3

I should probably add a note on this. The ApiGatewayRestApi is a name that Serverless Framework uses to name the API Gateway resource that is defined in the serverless.yml.


#4

An Identity Pool seems to require an UnAuth role as well as an Auth Role. How is the UnAuth role handled in a .yml file?


#5

Are you seeing any errors? We don’t set the Unauth role. But we have this at the top AllowUnauthenticatedIdentities: false.


#6

Thanks for the response. I have that line in my yaml file, but when I log in to the console and look at my identity pool, it still tells me that I need to attach an unauthorized role policy. I figured out how to add the unauth policy in the yaml file, but for future reference, is that warning in the AWS console something I can just ignore?


#7

Oh yeah, you don’t need to. By configuring our infrastructure as code, you don’t need to check the console.
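
The setup discussed in the replies above (the Serverless-generated `ApiGatewayRestApi` logical ID, and `AllowUnauthenticatedIdentities: false` with only an authenticated role attached), as an added example that is not part of the thread or the chapter's own code. `CognitoUserPool`, `CognitoUserPoolClient`, `CognitoAuthRole` and the policy name are assumed names, and the user pool resources are assumed to be defined elsewhere in the same template.

```yaml
# Added example; every resource name except ApiGatewayRestApi is an assumption.
Resources:
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # Guests never receive an identity, so no unauthenticated role is attached.
      AllowUnauthenticatedIdentities: false
      CognitoIdentityProviders:
        - ClientId:
            Ref: CognitoUserPoolClient                   # assumed, defined elsewhere
          ProviderName:
            Fn::GetAtt: [CognitoUserPool, ProviderName]  # assumed, defined elsewhere
  CognitoIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: CognitoIdentityPool
      Roles:
        authenticated:            # the only role mapped to this pool
          Fn::GetAtt: [CognitoAuthRole, Arn]
  CognitoAuthRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:       # only identities issued by this pool
                "cognito-identity.amazonaws.com:aud":
                  Ref: CognitoIdentityPool
              "ForAnyValue:StringLike":   # and only signed-in identities
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: InvokeApiOnly       # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: execute-api:Invoke
                Resource:
                  # ApiGatewayRestApi is the name Serverless Framework gives the
                  # API Gateway resource, so Ref resolves without declaring it here.
                  Fn::Join:
                    - ""
                    - ["arn:aws:execute-api:", {Ref: "AWS::Region"}, ":",
                       {Ref: "AWS::AccountId"}, ":", {Ref: ApiGatewayRestApi}, "/*"]
```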


#8

How would I go about allowing unauthenticated read-only access to the files in the S3 attachments bucket? I still want only authenticated users to be able to upload files (as the current code has it), but I also want unauthenticated users to be able to fetch files from the S3 bucket. Thanks in advance.


#9

So the URLs that we generate are publicly accessible AFAIK. Can you give that a try?


#10

Yes, it appears the URLs are publicly accessible. In terms of actually generating those URLs though, I wouldn’t want to use the aws-amplify “Storage.get.vault(…)” method (since it involves authentication), right? How would I go about it in an unauthenticated way?

UPDATE:

Got it to work by doing s3 = AWS.S3(…) with credentials I put in an .env file, and then s3.getSignedUrl(…) with the s3 bucket name and file key.


#11

Glad you figured it out. Thanks for the update.