Configure Cognito Identity Pool in Serverless


Link to chapter -


Can we use Ref: ApiGatewayRestApi even if we’ve not defined ApiGatewayRestApi?


I should probably add a note on this. The ApiGatewayRestApi is a name that Serverless Framework uses to name the API Gateway resource that is defined in the serverless.yml.


An Identity Pool seems to require an UnAuth role as well as an Auth Role. How is the UnAuth role handled in a .yml file?


Are you seeing any errors? We don’t set the Unauth role. But we have this at the top AllowUnauthenticatedIdentities: false.


Thanks for the response. I have that line in my yaml file, but when I log in to the console and look at my identity pool, it still tells me that I need to attach an unauthorized role policy. I figured out how to add the unauth policy in the yaml file, but for future reference, is that warning in the AWS console something I can just ignore?


Oh yeah, you don’t need to. By configuring our infrastructure as code, you don’t need to check the console.


How would I go about allowing unauthenticated read-only access to the files in the s3 attachments bucket? I still want only authenticated users to be able to upload files (as the current code has it), but I also want unauthenticated users to be able to fetch files from the s3 bucket. Thanks in advance.


So the URLs that we generate are publicly accessible AFAIK. Can you give that a try?


Yes, it appears the URLs are publicly accessible. In terms of actually generating those URLs though, I wouldn’t want to use the aws-amplify “Storage.get.vault(…)” method (since it involves authentication), right? How would I go about it in an unauthenticated way?


Got it to work by doing s3 = AWS.S3(…) with credentials I put in an .env file, and then s3.getSignedUrl(…) with the s3 bucket name and file key.
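
The approach in the post above, as an added example that is not part of the original thread: a server-side helper around the AWS SDK v2 s3.getSignedUrl call that signs only getObject, restricts keys to one prefix and caps the link lifetime, together with the read-only IAM policy the credentials in the .env file would need. The public/ prefix, the 300-second cap and all function names are assumptions.

```javascript
// Added example (constructed): runs on a server, never in the browser bundle.
// SHARED_PREFIX, MAX_TTL_SECONDS and all function names are assumptions.
const SHARED_PREFIX = "public/"; // only keys under this prefix may be shared
const MAX_TTL_SECONDS = 300;     // upper bound on presigned link lifetime

// IAM policy for the access key kept in .env: read-only, one prefix,
// so a leaked key cannot upload, delete or list.
function signerPolicy(bucket) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: ["s3:GetObject"],
      Resource: [`arn:aws:s3:::${bucket}/${SHARED_PREFIX}*`],
    }],
  };
}

// S3 keys are opaque strings, so a strict prefix match is the whole check.
function isShareableKey(key) {
  return typeof key === "string" &&
    key.startsWith(SHARED_PREFIX) &&
    key.length > SHARED_PREFIX.length;
}

// Clamp the requested lifetime to 1..MAX_TTL_SECONDS (default 60 s).
function clampTtl(ttlSeconds) {
  const n = Number.isFinite(ttlSeconds) ? Math.floor(ttlSeconds) : 60;
  return Math.min(Math.max(n, 1), MAX_TTL_SECONDS);
}

// s3 is an AWS SDK v2 client, e.g. new AWS.S3() with the key from .env.
// Only "getObject" is ever signed; uploads stay behind Cognito auth.
function presignDownload(s3, bucket, key, ttlSeconds) {
  if (!isShareableKey(key)) {
    throw new Error("refusing to sign a key outside the shared prefix");
  }
  return s3.getSignedUrl("getObject", {
    Bucket: bucket,
    Key: key,
    Expires: clampTtl(ttlSeconds),
  });
}
```

Anyone holding a presigned link can read that object until the link expires, so the prefix check and the lifetime cap are the only access control on this path.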


Glad you figured it out. Thanks for the update.