:doc:`CognitoIdentity <../../cognito-identity>` / Client / get_identity_pool_roles

***********************
get_identity_pool_roles
***********************



.. py:method:: CognitoIdentity.Client.get_identity_pool_roles(**kwargs)

  

  Gets the roles for an identity pool.

   

  You must use Amazon Web Services developer credentials to call this operation.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cognito-identity-2014-06-30/GetIdentityPoolRoles>`_  


  **Request Syntax**
  ::

    response = client.get_identity_pool_roles(
        IdentityPoolId='string'
    )
    
  :type IdentityPoolId: string
  :param IdentityPoolId: **[REQUIRED]** 

    An identity pool ID in the format REGION:GUID.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'IdentityPoolId': 'string',
          'Roles': {
              'string': 'string'
          },
          'RoleMappings': {
              'string': {
                  'Type': 'Token'|'Rules',
                  'AmbiguousRoleResolution': 'AuthenticatedRole'|'Deny',
                  'RulesConfiguration': {
                      'Rules': [
                          {
                              'Claim': 'string',
                              'MatchType': 'Equals'|'Contains'|'StartsWith'|'NotEqual',
                              'Value': 'string',
                              'RoleARN': 'string'
                          },
                      ]
                  }
              }
          }
      }
      
    **Response Structure**

    

    - *(dict) --* 

      Returned in response to a successful ``GetIdentityPoolRoles`` operation.

      
      

      - **IdentityPoolId** *(string) --* 

        An identity pool ID in the format REGION:GUID.

        
      

      - **Roles** *(dict) --* 

        The map of roles associated with this pool. Currently only authenticated and unauthenticated roles are supported.

        
        

        - *(string) --* 
          

          - *(string) --* 
    
  
      

      - **RoleMappings** *(dict) --* 

        How users for a specific identity provider are to mapped to roles. This is a String-to-  RoleMapping object map. The string identifies the identity provider, for example, ``graph.facebook.com`` or ``cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id``.

        
        

        - *(string) --* 
          

          - *(dict) --* 

            A role mapping.

            
            

            - **Type** *(string) --* 

              The role mapping type. Token will use ``cognito:roles`` and ``cognito:preferred_role`` claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.

              
            

            - **AmbiguousRoleResolution** *(string) --* 

              If you specify Token or Rules as the ``Type``, ``AmbiguousRoleResolution`` is required.

               

              Specifies the action to be taken if either no rules match the claim value for the ``Rules`` type, or there is no ``cognito:preferred_role`` claim and there are multiple ``cognito:roles`` matches for the ``Token`` type.

              
            

            - **RulesConfiguration** *(dict) --* 

              The rules to be used for mapping users to roles.

               

              If you specify Rules as the role mapping type, ``RulesConfiguration`` is required.

              
              

              - **Rules** *(list) --* 

                An array of rules. You can specify up to 25 rules per identity provider.

                 

                Rules are evaluated in order. The first one to match specifies the role.

                
                

                - *(dict) --* 

                  A rule that maps a claim name, a claim value, and a match type to a role ARN.

                  
                  

                  - **Claim** *(string) --* 

                    The claim name that must be present in the token, for example, "isAdmin" or "paid".

                    
                  

                  - **MatchType** *(string) --* 

                    The match condition that specifies how closely the claim value in the IdP token must match ``Value``.

                    
                  

                  - **Value** *(string) --* 

                    A brief string that the claim must match, for example, "paid" or "yes".

                    
                  

                  - **RoleARN** *(string) --* 

                    The role ARN.

                    
              
            
          
        
    
  
  
  **Exceptions**
  
  *   :py:class:`CognitoIdentity.Client.exceptions.InvalidParameterException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.NotAuthorizedException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.ResourceConflictException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.TooManyRequestsException`

  
  *   :py:class:`CognitoIdentity.Client.exceptions.InternalErrorException`

  