UserPool

class aws_cdk.aws_cognito.UserPool(scope, id, *, account_recovery=None, auto_verify=None, custom_attributes=None, email_settings=None, enable_sms_role=None, lambda_triggers=None, mfa=None, mfa_second_factor=None, password_policy=None, self_sign_up_enabled=None, sign_in_aliases=None, sign_in_case_sensitive=None, sms_role=None, sms_role_external_id=None, standard_attributes=None, user_invitation=None, user_pool_name=None, user_verification=None)

Bases: aws_cdk.core.Resource

(experimental) Define a Cognito User Pool.

Stability

experimental

Parameters
  • scope (Construct) –

  • id (str) –

  • account_recovery (Optional[AccountRecovery]) – (experimental) How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

  • auto_verify (Optional[AutoVerifiedAttrs]) – (experimental) Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

  • custom_attributes (Optional[Mapping[str, ICustomAttribute]]) – (experimental) Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.

  • email_settings (Optional[EmailSettings]) – (experimental) Email settings for a user pool. Default: - see defaults on each property of EmailSettings.

  • enable_sms_role (Optional[bool]) – (experimental) Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.

  • lambda_triggers (Optional[UserPoolTriggers]) – (experimental) Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.

  • mfa (Optional[Mfa]) – (experimental) Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF

  • mfa_second_factor (Optional[MfaSecondFactor]) – (experimental) Configure the MFA types that users can use in this user pool. Ignored if mfa is set to OFF. Default: - { sms: true, oneTimePassword: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, oneTimePassword: false }, otherwise

  • password_policy (Optional[PasswordPolicy]) – (experimental) Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.

  • self_sign_up_enabled (Optional[bool]) – (experimental) Whether self sign up should be enabled. This can be further configured via the selfSignUp property. Default: false

  • sign_in_aliases (Optional[SignInAliases]) – (experimental) Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with ‘Option 1’ in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }. Default: { username: true }

  • sign_in_case_sensitive (Optional[bool]) – (experimental) Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername. Default: true

  • sms_role (Optional[IRole]) – (experimental) The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is created

  • sms_role_external_id (Optional[str]) – (experimental) The ‘ExternalId’ that Cognito service must using when assuming the smsRole, if the role is restricted with an ‘sts:ExternalId’ conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if smsRole is not specified. Default: - No external id will be configured

  • standard_attributes (Optional[StandardAttributes]) – (experimental) The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.

  • user_invitation (Optional[UserInvitationConfig]) – (experimental) Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfig

  • user_pool_name (Optional[str]) – (experimental) Name of the user pool. Default: - automatically generated name by CloudFormation at deploy time

  • user_verification (Optional[UserVerificationConfig]) – (experimental) Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the selfSignUpEnabled property. Default: - see defaults in UserVerificationConfig

Stability

experimental

Methods

add_client(id, *, auth_flows=None, disable_o_auth=None, generate_secret=None, o_auth=None, prevent_user_existence_errors=None, supported_identity_providers=None, user_pool_client_name=None)

(experimental) Add a new app client to this user pool.

Parameters
  • id (str) –

  • auth_flows (Optional[AuthFlow]) – (experimental) The set of OAuth authentication flows to enable on the client. Default: - all auth flows disabled

  • disable_o_auth (Optional[bool]) – (experimental) Turns off all OAuth interactions for this client. Default: false

  • generate_secret (Optional[bool]) – (experimental) Whether to generate a client secret. Default: false

  • o_auth (Optional[OAuthSettings]) – (experimental) OAuth settings for this to client to interact with the app. An error is thrown when this is specified and disableOAuth is set. Default: - see defaults in OAuthSettings. meaningless if disableOAuth is set.

  • prevent_user_existence_errors (Optional[bool]) – (experimental) Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence. Default: true for new stacks

  • supported_identity_providers (Optional[List[UserPoolClientIdentityProvider]]) – (experimental) The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

  • user_pool_client_name (Optional[str]) – (experimental) Name of the application client. Default: - cloudformation generated name

Stability

experimental

Return type

UserPoolClient

add_domain(id, *, cognito_domain=None, custom_domain=None)

(experimental) Associate a domain to this user pool.

Parameters
  • id (str) –

  • cognito_domain (Optional[CognitoDomainOptions]) – (experimental) Associate a cognito prefix domain with your user pool Either customDomain or cognitoDomain must be specified. Default: - not set if customDomain is specified, otherwise, throws an error.

  • custom_domain (Optional[CustomDomainOptions]) – (experimental) Associate a custom domain with your user pool Either customDomain or cognitoDomain must be specified. Default: - not set if cognitoDomain is specified, otherwise, throws an error.

Stability

experimental

Return type

UserPoolDomain

add_trigger(operation, fn)

(experimental) Add a lambda trigger to a user pool operation.

Parameters
See

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Stability

experimental

Return type

None

register_identity_provider(provider)

(experimental) Register an identity provider with this user pool.

Parameters

provider (IUserPoolIdentityProvider) –

Stability

experimental

Return type

None

to_string()

Returns a string representation of this construct.

Return type

str

Attributes

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

Return type

ResourceEnvironment

identity_providers

(experimental) Get all identity providers registered with this user pool.

Stability

experimental

Return type

List[IUserPoolIdentityProvider]

node

The construct tree node associated with this construct.

Return type

ConstructNode

stack

The stack in which this resource is defined.

Return type

Stack

user_pool_arn

(experimental) The ARN of the user pool.

Stability

experimental

Return type

str

user_pool_id

(experimental) The physical ID of this user pool resource.

Stability

experimental

Return type

str

user_pool_provider_name

(experimental) User pool provider name.

Stability

experimental

Attribute

true

Return type

str

user_pool_provider_url

(experimental) User pool provider URL.

Stability

experimental

Attribute

true

Return type

str

Static Methods

classmethod from_user_pool_arn(scope, id, user_pool_arn)

(experimental) Import an existing user pool based on its ARN.

Parameters
  • scope (Construct) –

  • id (str) –

  • user_pool_arn (str) –

Stability

experimental

Return type

IUserPool

classmethod from_user_pool_id(scope, id, user_pool_id)

(experimental) Import an existing user pool based on its id.

Parameters
  • scope (Construct) –

  • id (str) –

  • user_pool_id (str) –

Stability

experimental

Return type

IUserPool

classmethod is_construct(x)

Return whether the given object is a Construct.

Parameters

x (Any) –

Return type

bool