Hi,

Thank you for the report.

The Problem

When setting up Amazon Cognito Identity Pool with rule-based role mapping, we encounter a "chicken and egg" situation:

flowchart TD
%% Problem Section
subgraph Problem["The Problem"]
direction TB
A[Identity Pool with Role Mapping] -->|needs| B[IAM Role ARN]
B -->|needs| C[Identity Pool ID]
C -->|circular dependency| A
end

1. Identity Pool Side:

• When you create an Identity Pool with rule-based role mappings
• Each rule needs to specify which IAM Role should be assigned
• This means the IAM Role must exist first

2. IAM Role Side:

• The IAM Role's trust policy needs to specify which Identity Pool can assume it
• It does this by including the Identity Pool ID in its conditions:

{
  "StringEquals": {
    "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-abcd-efgh..."
  }
}

• This means the Identity Pool must exist first

This creates a circular dependency:

1. Can't create Identity Pool without IAM Role
2. Can't create IAM Role without Identity Pool ID

We break this circular dependency by splitting the process into three sequential steps:

flowchart TD
%% Solution Section
subgraph Solution["Breaking the Chain"]
    direction TB
    D[Create Identity Pool] -->|get| E[Identity Pool ID]
    E -->|use in| F[Create IAM Role]
    F -->|use both in| G[Create Role Mapping]
    E -->|use both in| G
end

classDef default fill:#2d2d2d,stroke:#7f7f7f,color:white

Step 1: Create Identity Pool First

• Create the Identity Pool without any role mappings
• This gives us the Identity Pool ID we need

Step 2: Create IAM Role

• Now that we have the Identity Pool ID
• Create the IAM Role with the correct trust policy
• Use the Identity Pool ID in the trust policy conditions

Step 3: Create Role Attachment

• Use a separate CfnIdentityPoolRoleAttachment resource
• This connects the IAM Role to the Identity Pool
• Configure the rule-based mappings here
• We can do this because we now have both:
  • The Identity Pool ID
  • The IAM Role ARN

By separating the role attachment into its own resource, we avoid the circular dependency and allow CloudFormation to create the resources in the correct order.

Let me know if it works for you.

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Hi @pahud , Thank you for your response.

Your understanding of the problem and the resolution look good to me.

Using the L1 construct for creating the role attachment, I can synth this correctly, but haven't tested with a deployment as I am still developing.

Would there be support to do this with the aws-cognito-identitypool-alpha library in the future?

I will let you know if I face any other problems.

Hi,

Thanks for your response and the proposed solution. I investigated the suggested approach, but encountered an error when trying to create the AWS::Cognito::IdentityPoolRoleAttachment separately:

'AWS::Cognito::IdentityPoolRoleAttachment' with identifier 'us-east-1:' already exists.

This indicates that the Identity Pool Role Attachment cannot be created later as a separate resource, likely because the Identity Pool is already associated with a role attachment. Given this constraint, an alternative approach may be required to avoid the circular dependency while ensuring that the role mappings are correctly established.

Let me know if you have any suggestions or if there are any recommended workarounds for this scenario.

Best,
Sarthak