[ aws . cognito-identity ]
Gets the roles for an identity pool.
You must use AWS Developer credentials to call this API.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
get-identity-pool-roles
  --identity-pool-id <value>
  [--cli-input-json | --cli-input-yaml]
  [--generate-cli-skeleton <value>]
--identity-pool-id (string)
An identity pool ID in the format REGION:GUID.
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
To get identity pool roles
This example gets identity pool roles.
Command:
aws cognito-identity get-identity-pool-roles --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111"
Output:
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "Roles": {
    "authenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role",
    "unauthenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolUnauth_Role"
  }
}
IdentityPoolId -> (string)
An identity pool ID in the format REGION:GUID.
Roles -> (map)
The map of roles associated with this pool. Currently only authenticated and unauthenticated roles are supported.
key -> (string)
value -> (string)
RoleMappings -> (map)
How users for a specific identity provider are to be mapped to roles. This is a String-to-RoleMapping object map. The string identifies the identity provider, for example, “graph.facebook.com” or “cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id”.
key -> (string)
value -> (structure)
A role mapping.
Type -> (string)
The role mapping type. Token will use cognito:roles and cognito:preferred_role claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.
AmbiguousRoleResolution -> (string)
If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.
Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type.
RulesConfiguration -> (structure)
The rules to be used for mapping users to roles.
If you specify Rules as the role mapping type, RulesConfiguration is required.
Rules -> (list)
An array of rules. You can specify up to 25 rules per identity provider.
Rules are evaluated in order. The first one to match specifies the role.
(structure)
A rule that maps a claim name, a claim value, and a match type to a role ARN.
Claim -> (string)
The claim name that must be present in the token, for example, “isAdmin” or “paid”.
MatchType -> (string)
The match condition that specifies how closely the claim value in the IdP token must match Value.
Value -> (string)
A brief string that the claim must match, for example, “paid” or “yes”.
RoleARN -> (string)
The role ARN.
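
The rule evaluation described above (rules checked in order, first match specifies the role, AmbiguousRoleResolution applied when nothing matches) can be replayed offline against saved command output to review which role a given set of token claims resolves to. This is an added example, not part of the AWS documentation. Assumptions: the MatchType values (Equals, NotEqual, Contains, StartsWith) and AmbiguousRoleResolution values (AuthenticatedRole, Deny) are the Cognito API's enum values, which this page does not list; a provider with no mapping falls back to the pool's authenticated role; the sample rules and Example_* role ARNs are constructed.

```python
import json

# Constructed sample in the shape of get-identity-pool-roles output; the rules and
# the Example_* role ARNs are made up for illustration.
SAMPLE_OUTPUT = json.loads("""{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "Roles": {
    "authenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role",
    "unauthenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolUnauth_Role"},
  "RoleMappings": {"graph.facebook.com": {
    "Type": "Rules", "AmbiguousRoleResolution": "Deny",
    "RulesConfiguration": {"Rules": [
      {"Claim": "isAdmin", "MatchType": "Equals", "Value": "yes",
       "RoleARN": "arn:aws:iam::111111111111:role/Example_Admin_Role"},
      {"Claim": "paid", "MatchType": "Contains", "Value": "paid",
       "RoleARN": "arn:aws:iam::111111111111:role/Example_Paid_Role"}]}}}
}""")

# MatchType values defined by the Cognito API (assumed; not listed on this page).
MATCHERS = {
    "Equals": lambda claim, value: claim == value,
    "NotEqual": lambda claim, value: claim != value,
    "Contains": lambda claim, value: value in claim,
    "StartsWith": lambda claim, value: claim.startswith(value),
}

def resolve_role(pool_roles, provider, claims):
    """Return the role ARN the claims map to, or None when the request is denied."""
    default_role = pool_roles["Roles"].get("authenticated")
    mapping = pool_roles.get("RoleMappings", {}).get(provider)
    if mapping is None:
        return default_role  # assumption: no mapping means the pool-level role
    if mapping["Type"] != "Rules":
        raise ValueError("only the Rules mapping type is modelled here")
    for rule in mapping["RulesConfiguration"]["Rules"]:
        claim = claims.get(rule["Claim"])
        # The claim must be present; rules run in order and the first match wins.
        if claim is not None and MATCHERS[rule["MatchType"]](str(claim), rule["Value"]):
            return rule["RoleARN"]
    # No rule matched: AmbiguousRoleResolution decides.
    if mapping["AmbiguousRoleResolution"] == "AuthenticatedRole":
        return default_role
    return None  # "Deny"
```

With the sample rules, a claim of paid=unpaid still resolves to the paid role because Contains is a substring match, which is the kind of over-broad rule this replay makes visible during a review.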