Serverless Lambda Cognito environment variables imported as object



My Serverless YML creates a Cognito Pool & Client:

resources:
  Resources:
    CognitoUserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:
        UserPoolName: ${self:provider.stage}_pool
        AccountRecoverySetting:
          RecoveryMechanisms:
            - Name: verified_email
              Priority: 1
            - Name: verified_phone_number
              Priority: 2
        AdminCreateUserConfig:
          UnusedAccountValidityDays: 30
        AutoVerifiedAttributes:
          - email
        UsernameAttributes:
          - email
          - phone_number
        MfaConfiguration: OFF
        Policies:
          PasswordPolicy:
            MinimumLength: 8
            RequireLowercase: True
            RequireNumbers: True
            RequireSymbols: True
            RequireUppercase: True
        Schema:
          - Name: email
            AttributeDataType: String
            Mutable: false
            Required: true
        UserPoolTags:
          env: ${self:provider.stage}
    CognitoUserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      DependsOn:
        - CognitoUserPoolIdentityProvider
      Properties:
        AllowedOAuthFlows:
          - code
          - implicit
        AllowedOAuthFlowsUserPoolClient: true
        AllowedOAuthScopes:
          - email
          - profile
          - phone
          - openid
          - aws.cognito.signin.user.admin
        CallbackURLs:
          - http://localhost:3000/oauth/login
        ClientName: ${self:provider.stage}_retailer_client
        EnableTokenRevocation: true
        ExplicitAuthFlows:
          - ALLOW_ADMIN_USER_PASSWORD_AUTH
          - ALLOW_CUSTOM_AUTH
          - ALLOW_REFRESH_TOKEN_AUTH
          - ALLOW_USER_PASSWORD_AUTH
          - ALLOW_USER_SRP_AUTH
        GenerateSecret: False
        LogoutURLs:
          - http://localhost:3000/oauth/logout
        PreventUserExistenceErrors: LEGACY
        SupportedIdentityProviders: [ "COGNITO", "Google" ]
        UserPoolId:
          Ref: CognitoUserPool
    CognitoUserPoolDomain:
      Type: "AWS::Cognito::UserPoolDomain"
      Properties:
        CustomDomainConfig:
          CertificateArn: arn:aws:acm:us-east-1:256645674595:certificate/b6bd7asd1-a8ca-6d19-92a2-cf1s4fsa9a3ha
        Domain: "auth.whatnerds.com"
        UserPoolId:
          Ref: CognitoUserPool
    CognitoUserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        ProviderName: Google
        AttributeMapping:
          email: email
          email_verified: email_verified
          family_name: family_name
          given_name: given_name
          name: name
          username: sub
        ProviderDetails:
          client_id: CLIENT_ID
          client_secret: SECRET_ID
          authorize_scopes: profile email openid
        ProviderType: Google
        UserPoolId:
          Ref: CognitoUserPool

I am trying to export my user pool ID and user pool client ID to my lambda via environment parameters:

provider:
  name: aws
  runtime: nodejs12.x
  environment:
    USER_POOL_ID: !Ref CognitoUserPool
    CLIENT_ID: !Ref CognitoUserPoolClient
    REGION: ca-central-1a

My Lambda environment configuration looks like this:

[image: Lambda configuration]

The response of my lambda invocation throws an error in which the UserPool ID and Client ID are read as [object Object].

[image: Debug Serverless Offline CLI]

Chrome error:

{"message":"2 validation errors detected: Value '[object Object]' at 'clientId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w+]+; Value '[object Object]' at 'userPoolId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w-]+_[0-9a-zA-Z]+","code":"InvalidParameterException","time":"2022-06-25T15:39:58.851Z","requestId":"5b1ad21d-218a-4cd0-9475-f89b8ec1fc28","statusCode":400,"retryable":false,"retryDelay":49.39420786096056}

Any suggestions as to what I might be doing wrong?

This is because USER_POOL_ID and CLIENT_ID are referenced before they are created.

It is not possible to reference CloudFormation outputs in Serverless, because it creates a circular dependency, as someone pointed out on this Serverless forum thread:

https://forum.serverless.com/t/can-i-access-outputs-from-custom-resources-as-variables-in-serverless-yml/508/10

This can be overcome by using cross-stack references.

First, create the CognitoUserPool and CognitoUserPoolClient in another stack and export their IDs as outputs. Then, in your stack, reference the outputs together with the authorizer, as you normally would.

This article explains cross-stack references well and how to use them.
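The two-stack layout the answer describes, as an added example that is not the answerer's code: two separate serverless.yml files are shown back to back, separated by `---`. The auth stack exports the pool ID, client ID and pool ARN (the ARN is what an API Gateway Cognito authorizer needs), and the API stack imports them with Fn::ImportValue, which resolves to the exported string rather than to a Ref object. Service names, export names and the stage prefix are assumptions.

```yaml
# --- auth stack: serverless.yml (service and export names assumed) ---
service: cognito-auth
provider:
  name: aws
  region: ca-central-1
resources:
  Resources:
    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:provider.stage}_pool
    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:provider.stage}_retailer_client
        GenerateSecret: false
        UserPoolId:
          Ref: CognitoUserPool
  Outputs:
    # Export names must be unique per account and region, hence the stage prefix
    UserPoolId:
      Value:
        Ref: CognitoUserPool
      Export:
        Name: ${self:provider.stage}-UserPoolId
    UserPoolClientId:
      Value:
        Ref: CognitoUserPoolClient
      Export:
        Name: ${self:provider.stage}-UserPoolClientId
    UserPoolArn:
      Value:
        Fn::GetAtt: [CognitoUserPool, Arn]
      Export:
        Name: ${self:provider.stage}-UserPoolArn
---
# --- API stack: serverless.yml, deployed after the auth stack ---
service: retailer-api
provider:
  name: aws
  runtime: nodejs12.x
  region: ca-central-1
  environment:
    # Fn::ImportValue is resolved by CloudFormation at deploy time, so the
    # Lambda receives the real pool and client IDs instead of "[object Object]"
    USER_POOL_ID:
      Fn::ImportValue: ${self:provider.stage}-UserPoolId
    CLIENT_ID:
      Fn::ImportValue: ${self:provider.stage}-UserPoolClientId
    REGION: ${self:provider.region}
```

serverless-offline does not run CloudFormation, so Fn::ImportValue is only resolved on a real deploy; for local runs the IDs have to come from a plain variable such as ${env:USER_POOL_ID}.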
