使用 Pulumi 创建 Cognito 身份池 - 未附加角色

如何解决使用 Pulumi 创建 Cognito 身份池 - 未附加角色

我遵循了 Pulumi Cognito.IdentityPool docs，但无法使用 an attachment 将身份池与角色相关联。这应该很简单：创建身份池，创建角色，将角色附加到身份池。简单的。不幸的是，Pulumi 文档中的代码没有达到这个目的，缺少一些东西。这是我的代码：

import * as aws from '@pulumi/aws'

import { Stack,cognito,region } from '../../config'

const userPool = cognito.userPools[REDACTED]
const providerName: string = `cognito-idp.${region}.amazonaws.com/${userPool.poolId}`

export const swimmingPool = new aws.cognito.IdentityPool(REDACTED,{
  identityPoolName: 'stuff!',allowUnauthenticatedIdentities: false,allowClassicFlow: false,cognitoIdentityProviders: [{
    providerName,clientId: userPool.clientId,serverSidetokenCheck: false,}],})

export const role = new aws.iam.Role(REDACTED,{
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal(
    { Federated: 'cognito-identity.amazonaws.com' },),})

export const policy = new aws.iam.RolePolicy(REDACTED,{
  role: role.id,policy: {
    Version: '2012-10-17',Statement: [
      {
        Action: [
          'cognito-sync:*','cognito-identity:*','s3:PutObject','s3:Getobject',],Effect: 'Allow',Resource: '*',},})

export const roleAttachment = new aws.cognito.IdentityPoolRoleAttachment(REDACTED,{
  identityPoolId: swimmingPool.id,roles: { authenticated: role.arn },roleMappings: [{
    identityProvider: `cognito-idp.${region}.amazonaws.com/${userPool.poolId}:${userPool.clientId}`,ambiguousRoleResolution: 'AuthenticatedRole',type: 'Rules',mappingRules: [{
      claim: 'isAdmin',matchType: 'Equals',roleArn: role.arn,value: 'paid',})

当我查看身份池时，我希望在 AWS 控制台中看到附加的角色，但 You have not specified roles for this identity pool. Click here to fix it. 反而出现了。附加我附加的附件必须做什么？