#!/bin/bash
##
# Fixes the permissions configuration for users authenticated by Cognito
##
# Set to "on" to have DEBUG print the ids and ARNs it looks up.
_DEBUG=on
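#######################################
# Runs the given command only when debugging is switched on.
# Globals:   _DEBUG (read) - "on" enables debug output
# Arguments: the command and its arguments, passed through unchanged
# Returns:   the command's exit status when it is run; 0 when debugging is
#            off, so a disabled DEBUG never trips `set -e` or `|| return`
#######################################
function DEBUG() {
  if [[ "${_DEBUG:-}" == "on" ]]; then
    # Quoted so arguments containing spaces or globs reach the command intact.
    "$@"
  fi
}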
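#######################################
# Strips one leading and one trailing double quote from a value, as the aws
# CLI prints JSON strings quoted.
# Arguments: $1 - the value, possibly wrapped in double quotes
# Outputs:   the unquoted value on stdout
# Returns:   0
#######################################
function removeQuotes() {
  # local: the original leaked a global "retval" into the caller's scope.
  local value=$1
  value=${value#\"}
  value=${value%\"}
  printf '%s\n' "$value"
}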
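#######################################
# Runs one aws CLI call whose --query selects a single JSON string, strips
# the surrounding quotes and fails when the query matched nothing.
# Arguments: the aws subcommand and its options
# Outputs:   the unquoted value on stdout; an error on stderr when empty
# Returns:   the aws exit status, or 1 when the result is empty or "null"
#######################################
function _awsScalar() {
  local raw value
  raw=$(aws "$@") || return
  value=$(removeQuotes "$raw")
  # A query that matches nothing prints "null"; the original passed that on
  # to set-identity-pool-roles instead of stopping.
  if [[ -z "$value" || "$value" == "null" ]]; then
    printf 'ERROR: no result for: aws %s\n' "$*" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

#######################################
# Finds the IAM roles, Cognito identity pool and user pool that belong to an
# application and installs the role-mapping rules on the identity pool.
# Globals:   _DEBUG (read, via DEBUG)
# Arguments: $1 - application name; it prefixes the IAM role names
#                 (<name>PlayersRole, <name>ManagersRole, <name>UnauthRole)
#                 and the identity pool name, and is the user pool name
# Outputs:   progress on stdout; each looked-up id/ARN on stdout when _DEBUG
#            is "on"; errors on stderr
# Returns:   0 on success, 1 when the name is empty or a lookup finds
#            nothing, otherwise the exit status of the failing aws call
#######################################
function setRoleMappings() {
  local appName=$1
  local playersRoleArn managersRoleArn unauthRoleArn
  local identityPoolId cognitoProviderName userPoolId clientId
  local playersRoleValue managersRoleValue roleMappings

  if [[ -z "$appName" ]]; then
    printf 'ERROR: setRoleMappings needs an application name\n' >&2
    return 1
  fi

  echo
  echo "Setting Role Mappings for envName: $appName"

  # The name is embedded only in the JMESPath query (backticks delimit a
  # JMESPath literal); no command string is built or eval'd, so shell
  # metacharacters in the name cannot run anything.
  playersRoleArn=$(_awsScalar iam list-roles \
    --query "Roles[?contains(RoleName,\`${appName}PlayersRole\`)].Arn|[0]") || return
  DEBUG echo "$playersRoleArn"
  managersRoleArn=$(_awsScalar iam list-roles \
    --query "Roles[?contains(RoleName,\`${appName}ManagersRole\`)].Arn|[0]") || return
  DEBUG echo "$managersRoleArn"
  unauthRoleArn=$(_awsScalar iam list-roles \
    --query "Roles[?contains(RoleName,\`${appName}UnauthRole\`)].Arn|[0]") || return
  DEBUG echo "$unauthRoleArn"

  identityPoolId=$(_awsScalar cognito-identity list-identity-pools --max-results 60 \
    --query "IdentityPools[?starts_with(IdentityPoolName,\`${appName}\`)]|[0].IdentityPoolId") || return
  DEBUG echo "$identityPoolId"
  cognitoProviderName=$(_awsScalar cognito-identity describe-identity-pool \
    --identity-pool-id "$identityPoolId" \
    --query 'CognitoIdentityProviders[0].ProviderName') || return
  DEBUG echo "$cognitoProviderName"

  userPoolId=$(_awsScalar cognito-idp list-user-pools --max-results 20 \
    --query "UserPools[?Name == \`${appName}\`]|[0].Id") || return
  DEBUG echo "$userPoolId"
  clientId=$(_awsScalar cognito-idp list-user-pool-clients \
    --user-pool-id "$userPoolId" \
    --query 'UserPoolClients[0].ClientId') || return
  DEBUG echo "$clientId"

  playersRoleValue="${appName}PlayersRole"
  managersRoleValue="${appName}ManagersRole"

  # Mapping keyed by "<provider name>:<client id>": a cognito:preferred_role
  # claim containing one of the two role names selects that role; an
  # ambiguous match is denied.
  roleMappings=$(cat <<END
{
  "$cognitoProviderName:$clientId": {
    "AmbiguousRoleResolution": "Deny",
    "Type": "Rules",
    "RulesConfiguration": {
      "Rules": [
        {
          "Claim": "cognito:preferred_role",
          "MatchType": "Contains",
          "RoleARN": "$playersRoleArn",
          "Value": "$playersRoleValue"
        },
        {
          "Claim": "cognito:preferred_role",
          "MatchType": "Contains",
          "RoleARN": "$managersRoleArn",
          "Value": "$managersRoleValue"
        }
      ]
    }
  }
}
END
)

  # Invoked directly from an array rather than through eval: the original
  # lost the line continuation after --identity-pool-id, which split the
  # command in two, and a quote inside the JSON would have broken it.
  local -a setRolesCmd=(
    aws cognito-identity set-identity-pool-roles
    --identity-pool-id "$identityPoolId"
    --roles "authenticated=${playersRoleArn},unauthenticated=${unauthRoleArn}"
    --role-mappings "$roleMappings"
  )
  DEBUG printf '%q ' "${setRolesCmd[@]}"
  DEBUG echo
  "${setRolesCmd[@]}"
}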
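# Entry point: the application name comes from the envname variable and is
# handed to setRoleMappings. Exits non-zero when envname is missing so a
# caller can tell that nothing was changed.
if [[ -z "${envname:-}" ]]; then
  echo
  echo "** ERROR**" >&2
  echo "Please ensure that the variable envname is defined" >&2
  exit 1
else
  ## Just making sure that the environment name is going to be in uppercase
  envName=$(printf '%s' "$envname" | tr '[:lower:]' '[:upper:]')
  setRoleMappings "$envName"
fi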