IdentityPoolRoleAttachment resource cannot be updated

Question

I create a stack with the following CloudFormation template

Resources:
    MyIdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        AllowUnauthenticatedIdentities: 'true'

    # Role for authenticated identities: trust is limited to this pool (aud)
    # and to identities that carry the 'authenticated' amr value.
    CognitoRole:
      Type: 'AWS::IAM::Role'
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Federated:
                  - 'cognito-identity.amazonaws.com'
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: MyIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr:
                    - 'authenticated'

    # Role for unauthenticated (guest) identities, scoped the same way.
    CognitoRole2:
      Type: 'AWS::IAM::Role'
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Federated:
                  - 'cognito-identity.amazonaws.com'
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: MyIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr:
                    - 'unauthenticated'

    RoleAttachment:
      DependsOn: MyIdentityPool
      Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
      Properties:
        IdentityPoolId:
          Ref: MyIdentityPool   # must be the pool defined above, not an undefined logical ID
        Roles:
          unauthenticated:
            Fn::GetAtt: [CognitoRole2, Arn]   # long-form Fn::GetAtt takes [LogicalId, Attribute]

    AccessPolicy:
      Type: 'AWS::IAM::Policy'
      Properties:
        ...
        Roles:
          - Ref: CognitoRole   # a role defined in this template

The stack is created successfully, but when I update the stack by changing the IdentityPoolRoleAttachment to

    RoleAttachment:
      DependsOn: MyIdentityPool
      Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
      Properties:
        IdentityPoolId:
          Ref: MyIdentityPool
        Roles:
          unauthenticated:
            Fn::GetAtt: [CognitoRole2, Arn]
          authenticated:                      # newly added role slot
            Fn::GetAtt: [CognitoRole, Arn]

I get the error:

AWS::Cognito::IdentityPoolRoleAttachment Resource cannot be updated

What could be the cause?

amazon-web-services amazon-cloudformation amazon-cognito

1 answer (1 vote)

Answering my own question.

According to their support, the root cause is that modifying the role attachment is not supported by CloudFormation.
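The template in the question contains two things a reviewer would want to catch before deploying: a role attachment that refers to a pool logical ID that is never defined, and IAM trust policies whose `aud`/`amr` conditions must match the slot the role fills (a role with no `aud` condition could be assumed by identities from any Cognito identity pool). The following is an added example, not code from the question, the answer or AWS; `trust_role`, `RESOURCES` and `check_role_attachments` are names chosen here, and the template is modelled as the Python dict that parsing the long-form YAML would yield.

```python
# Static check for a CloudFormation Cognito identity pool: each role slot in an
# IdentityPoolRoleAttachment must point at a defined role, and that role's trust
# policy must be scoped to this pool (aud) and to the slot's amr value.

def trust_role(pool_ref, amr):
    """Role for sts:AssumeRoleWithWebIdentity; pool_ref=None means no Condition at all."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"}}
    if pool_ref:
        stmt["Condition"] = {"StringEquals": {"cognito-identity.amazonaws.com:aud": {"Ref": pool_ref}},
                             "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": [amr]}}
    return {"Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [stmt]}}}

# Constructed sample mirroring the question: the attachment names a pool logical ID that
# is never defined, and the unauthenticated role's trust policy carries no Condition.
RESOURCES = {
    "MyIdentityPool": {"Type": "AWS::Cognito::IdentityPool", "Properties": {}},
    "CognitoRole": trust_role("MyIdentityPool", "authenticated"),
    "CognitoRole2": trust_role(None, None),
    "RoleAttachment": {"Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": {
        "IdentityPoolId": {"Ref": "MyPinpointIdentityPool"},
        "Roles": {"unauthenticated": {"Fn::GetAtt": ["CognitoRole2", "Arn"]},
                  "authenticated": {"Fn::GetAtt": ["CognitoRole", "Arn"]}}}},
}

def check_role_attachments(resources):
    """Return (logical_id, issue) pairs; an empty list means the attachment is consistent."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        props = res["Properties"]
        pool = props["IdentityPoolId"].get("Ref")  # the question's template uses long-form Ref
        if resources.get(pool, {}).get("Type") != "AWS::Cognito::IdentityPool":
            findings.append((name, "undefined-pool"))
        for slot, att in props.get("Roles", {}).items():
            role_id = att.get("Fn::GetAtt", [None])[0]  # long-form [LogicalId, Arn]
            role = resources.get(role_id, {})
            if role.get("Type") != "AWS::IAM::Role":
                findings.append((name, f"undefined-role:{slot}"))
                continue
            for stmt in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
                cond = stmt.get("Condition", {})
                aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud", {})
                amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr", [])
                if aud.get("Ref") != pool:  # unscoped: any identity pool could assume this role
                    findings.append((role_id, "aud-mismatch"))
                if slot not in amr:  # e.g. an authenticated-only role filling the unauthenticated slot
                    findings.append((role_id, f"amr-mismatch:{slot}"))
    return findings
```

Run against the sample it reports the dangling pool reference and the unscoped role; once the `Ref` points at `MyIdentityPool` and `CognitoRole2` carries the `unauthenticated` condition, it returns an empty list.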
