问无服务器框架-将Cognito用户池配置为通过SES发送电子邮件
EN

Stack Overflow用户

提问于 2020-03-11 23:25:02

回答 1查看 1K关注 0票数 1

我可以使用Serverless Framework创建一个Cognito用户池。不幸的是，新用户注册后的电子邮件验证是使用Cognito的电子邮件交付系统发送的，这是相当有限的。我知道我可以进入控制台并更改选项，以使用亚马逊的SES，但我如何在无服务器框架中做到这一点？

service: cognito

provider:
name: aws
runtime: nodejs12.x
region: us-west-2
stage: prod
memorySize: 128
timeout: 5
endpointType: regional

Resources:
    # Creates a role that allows Cognito to send SNS messages
    SNSRole:
    Type: "AWS::IAM::Role"
    Properties:
        AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement:
            - Effect: "Allow"
            Principal: 
                Service: 
                - "cognito-idp.amazonaws.com"
            Action: 
                - "sts:AssumeRole"
        Policies:
        - PolicyName: "CognitoSNSPolicy"
            PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
                - Effect: "Allow"
                Action: "sns:publish"
                Resource: "*"

    # Creates a user pool in cognito for your app to auth against
    UserPool:
    Type: AWS::Cognito::UserPool
        DeletionPolicy: Retain
        Properties:
        UserPoolName: MyUserPool
        AutoVerifiedAttributes:
            - email
        Policies:
            PasswordPolicy:
            MinimumLength: 8
            RequireLowercase: true
            RequireNumbers: true
            RequireSymbols: false
            RequireUppercase: true
        UsernameAttributes:
            - email

    # Creates a User Pool Client to be used by the identity pool
    UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
        ClientName: !Sub ${AuthName}-client
        GenerateSecret: false
        UserPoolId: !Ref UserPool

    # Creates a federeated Identity pool
    IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
        IdentityPoolName: !Sub ${AuthName}Identity
        AllowUnauthenticatedIdentities: true
        CognitoIdentityProviders: 
        - ClientId: !Ref UserPoolClient
            ProviderName: !GetAtt UserPool.ProviderName

    # Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
    CognitoUnAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
        AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement:
            - Effect: "Allow"
            Principal: 
                Federated: "cognito-identity.amazonaws.com"
            Action: 
                - "sts:AssumeRoleWithWebIdentity"
            Condition:
                StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
        Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
            PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
                - Effect: "Allow"
                Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                Resource: "*"

    # Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation
    # Only allows users in the previously created Identity Pool
    CognitoAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
        AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement:
            - Effect: "Allow"
            Principal: 
                Federated: "cognito-identity.amazonaws.com"
            Action: 
                - "sts:AssumeRoleWithWebIdentity"
            Condition:
                StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
            PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
                - Effect: "Allow"
                Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                    - "cognito-identity:*"
                Resource: "*"
                - Effect: "Allow"
                Action:
                    - "lambda:InvokeFunction"
                Resource: "*"

    # Assigns the roles to the Identity Pool
    IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
        IdentityPoolId: !Ref IdentityPool
        Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

Outputs:
    UserPoolId:
    Value: !Ref UserPool
    Export:
        Name: "UserPool::Id"
    UserPoolClientId:
    Value: !Ref UserPoolClient
    Export:
        Name: "UserPoolClient::Id"
    IdentityPoolId:
    Value: !Ref IdentityPool
    Export:
        Name: "IdentityPool::Id"

amazon-cloudformation

amazon-cognito

serverless-framework

amazon-ses

回答 1

Stack Overflow用户

回答已采纳

发布于 2020-03-12 01:45:48

使用用户池中的EmailConfiguration属性。

UserPool:
    Type: AWS::Cognito::UserPool
        DeletionPolicy: Retain
        Properties:
            ...
            EmailConfiguration: 
                EmailSendingAccount: DEVELOPER
                ReplyToEmailAddress: # email address
                SourceArn: # sourceARN to verified email address in SES