How to set a dynamic RoleMappings key for IdentityPoolRoleAttachment in CloudFormation

I am creating a stack to initialize the Cognito installation. As part of this, I have set up user groups with associated roles. I need to set the parameter Choose role from token, allowing ids to use roles from the group(s) they are assigned to.

This is done through a RoleMappings object within an IdentityPoolRoleAttachment object. This mapping object is a map string -> object where the string represents the identity provider. In my case, this is:

cognito-idp.${some-region}.amazonaws.com/${some-userpool-id}:${some-pool-client-id}

Obviously this should be built dynamically based on the values on the stack, but I haven't found a way to make it syntactically correct. Using Ref and Fn::Sub results in syntax errors. I've tried in YAML and JSON syntax.

Am I missing something obvious?

+3

