CfnUserPool
- class aws_cdk.aws_cognito.CfnUserPool(scope, id, *, account_recovery_setting=None, admin_create_user_config=None, alias_attributes=None, auto_verified_attributes=None, deletion_protection=None, device_configuration=None, email_configuration=None, email_verification_message=None, email_verification_subject=None, enabled_mfas=None, lambda_config=None, mfa_configuration=None, policies=None, schema=None, sms_authentication_message=None, sms_configuration=None, sms_verification_message=None, user_attribute_update_settings=None, username_attributes=None, username_configuration=None, user_pool_add_ons=None, user_pool_name=None, user_pool_tags=None, verification_message_template=None)
Bases:
CfnResourceA CloudFormation
AWS::Cognito::UserPool.The
AWS::Cognito::UserPoolresource creates an Amazon Cognito user pool. For more information on working with Amazon Cognito user pools, see Amazon Cognito User Pools and CreateUserPool . .. epigraph:If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
- CloudformationResource
AWS::Cognito::UserPool
- Link
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito # user_pool_tags: Any cfn_user_pool = cognito.CfnUserPool(self, "MyCfnUserPool", account_recovery_setting=cognito.CfnUserPool.AccountRecoverySettingProperty( recovery_mechanisms=[cognito.CfnUserPool.RecoveryOptionProperty( name="name", priority=123 )] ), admin_create_user_config=cognito.CfnUserPool.AdminCreateUserConfigProperty( allow_admin_create_user_only=False, invite_message_template=cognito.CfnUserPool.InviteMessageTemplateProperty( email_message="emailMessage", email_subject="emailSubject", sms_message="smsMessage" ), unused_account_validity_days=123 ), alias_attributes=["aliasAttributes"], auto_verified_attributes=["autoVerifiedAttributes"], deletion_protection="deletionProtection", device_configuration=cognito.CfnUserPool.DeviceConfigurationProperty( challenge_required_on_new_device=False, device_only_remembered_on_user_prompt=False ), email_configuration=cognito.CfnUserPool.EmailConfigurationProperty( configuration_set="configurationSet", email_sending_account="emailSendingAccount", from="from", reply_to_email_address="replyToEmailAddress", source_arn="sourceArn" ), email_verification_message="emailVerificationMessage", email_verification_subject="emailVerificationSubject", enabled_mfas=["enabledMfas"], lambda_config=cognito.CfnUserPool.LambdaConfigProperty( create_auth_challenge="createAuthChallenge", custom_email_sender=cognito.CfnUserPool.CustomEmailSenderProperty( lambda_arn="lambdaArn", lambda_version="lambdaVersion" ), custom_message="customMessage", custom_sms_sender=cognito.CfnUserPool.CustomSMSSenderProperty( lambda_arn="lambdaArn", lambda_version="lambdaVersion" ), define_auth_challenge="defineAuthChallenge", kms_key_id="kmsKeyId", post_authentication="postAuthentication", post_confirmation="postConfirmation", pre_authentication="preAuthentication", pre_sign_up="preSignUp", pre_token_generation="preTokenGeneration", user_migration="userMigration", verify_auth_challenge_response="verifyAuthChallengeResponse" ), mfa_configuration="mfaConfiguration", policies=cognito.CfnUserPool.PoliciesProperty( password_policy=cognito.CfnUserPool.PasswordPolicyProperty( minimum_length=123, require_lowercase=False, require_numbers=False, require_symbols=False, require_uppercase=False, temporary_password_validity_days=123 ) ), schema=[cognito.CfnUserPool.SchemaAttributeProperty( attribute_data_type="attributeDataType", developer_only_attribute=False, mutable=False, name="name", number_attribute_constraints=cognito.CfnUserPool.NumberAttributeConstraintsProperty( max_value="maxValue", min_value="minValue" ), required=False, string_attribute_constraints=cognito.CfnUserPool.StringAttributeConstraintsProperty( max_length="maxLength", min_length="minLength" ) )], sms_authentication_message="smsAuthenticationMessage", sms_configuration=cognito.CfnUserPool.SmsConfigurationProperty( external_id="externalId", sns_caller_arn="snsCallerArn", sns_region="snsRegion" ), sms_verification_message="smsVerificationMessage", user_attribute_update_settings=cognito.CfnUserPool.UserAttributeUpdateSettingsProperty( attributes_require_verification_before_update=["attributesRequireVerificationBeforeUpdate"] ), username_attributes=["usernameAttributes"], username_configuration=cognito.CfnUserPool.UsernameConfigurationProperty( case_sensitive=False ), user_pool_add_ons=cognito.CfnUserPool.UserPoolAddOnsProperty( advanced_security_mode="advancedSecurityMode" ), user_pool_name="userPoolName", user_pool_tags=user_pool_tags, verification_message_template=cognito.CfnUserPool.VerificationMessageTemplateProperty( default_email_option="defaultEmailOption", email_message="emailMessage", email_message_by_link="emailMessageByLink", email_subject="emailSubject", email_subject_by_link="emailSubjectByLink", sms_message="smsMessage" ) )
Create a new
AWS::Cognito::UserPool.- Parameters
scope (
Construct) –scope in which this resource is defined.
id (
str) –scoped id of the resource.
account_recovery_setting (
Union[IResolvable,AccountRecoverySettingProperty,Dict[str,Any],None]) – Use this setting to define which verified available method a user can use to recover their password when they callForgotPassword. It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.admin_create_user_config (
Union[IResolvable,AdminCreateUserConfigProperty,Dict[str,Any],None]) – The configuration for creating a new user profile.alias_attributes (
Optional[Sequence[str]]) – Attributes supported as an alias for this user pool. Possible values: phone_number , email , or preferred_username . .. epigraph:: This user pool property cannot be updated.auto_verified_attributes (
Optional[Sequence[str]]) – The attributes to be auto-verified. Possible values: email , phone_number .deletion_protection (
Optional[str]) –AWS::Cognito::UserPool.DeletionProtection.device_configuration (
Union[IResolvable,DeviceConfigurationProperty,Dict[str,Any],None]) – The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for anyDeviceConfigurationfield, you activate the Amazon Cognito device-remembering feature.email_configuration (
Union[IResolvable,EmailConfigurationProperty,Dict[str,Any],None]) – The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.email_verification_message (
Optional[str]) – This parameter is no longer used. See VerificationMessageTemplateType .email_verification_subject (
Optional[str]) –This parameter is no longer used. See VerificationMessageTemplateType .
enabled_mfas (
Optional[Sequence[str]]) – Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values: -SMS_MFA- Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided. -SOFTWARE_TOKEN_MFA- Enables software token MFA for the user pool. Allowed values:SMS_MFA|SOFTWARE_TOKEN_MFAlambda_config (
Union[IResolvable,LambdaConfigProperty,Dict[str,Any],None]) – The Lambda trigger configuration information for the new user pool. .. epigraph:: In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function. For more information on using the Lambda API to add permission, see AddPermission . For adding permission using the AWS CLI , see add-permission .mfa_configuration (
Optional[str]) – The multi-factor authentication (MFA) configuration. Valid values include:. -OFFMFA won’t be used for any users. -ONMFA is required for all users to sign in. -OPTIONALMFA will be required only for individual users who have an MFA factor activated.policies (
Union[IResolvable,PoliciesProperty,Dict[str,Any],None]) – The policy associated with a user pool.schema (
Union[IResolvable,Sequence[Union[IResolvable,SchemaAttributeProperty,Dict[str,Any]]],None]) – The schema attributes for the new user pool. These attributes can be standard or custom attributes. .. epigraph:: During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.sms_authentication_message (
Optional[str]) – A string representing the SMS authentication message.sms_configuration (
Union[IResolvable,SmsConfigurationProperty,Dict[str,Any],None]) – The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .sms_verification_message (
Optional[str]) –This parameter is no longer used. See VerificationMessageTemplateType .
user_attribute_update_settings (
Union[IResolvable,UserAttributeUpdateSettingsProperty,Dict[str,Any],None]) – The settings for updates to user attributes. These settings include the propertyAttributesRequireVerificationBeforeUpdate, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users’ email address and phone number attributes. For more information, see Verifying updates to email addresses and phone numbers .username_attributes (
Optional[Sequence[str]]) – Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values:phone_numberoremail. This user pool property cannot be updated.username_configuration (
Union[IResolvable,UsernameConfigurationProperty,Dict[str,Any],None]) – You can choose to set case sensitivity on the username input for the selected sign-in option. For example, when this is set toFalse, users will be able to sign in using either “username” or “Username”. This configuration is immutable once it has been set.user_pool_add_ons (
Union[IResolvable,UserPoolAddOnsProperty,Dict[str,Any],None]) – Enables advanced security risk detection. Set the keyAdvancedSecurityModeto the value “AUDIT”.user_pool_name (
Optional[str]) – A string used to name the user pool.user_pool_tags (
Optional[Any]) – The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.verification_message_template (
Union[IResolvable,VerificationMessageTemplateProperty,Dict[str,Any],None]) – The template for the verification message that the user sees when the app requests permission to access the user’s information.
Methods
- add_deletion_override(path)
Syntactic sugar for
addOverride(path, undefined).- Parameters
path (
str) – The path of the value to delete.- Return type
None
- add_depends_on(target)
Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.
- Parameters
target (
CfnResource) –- Return type
None
- add_metadata(key, value)
Add a value to the CloudFormation Resource Metadata.
- Parameters
key (
str) –value (
Any) –
- See
- Return type
None
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.
- add_override(path, value)
Adds an override to the synthesized CloudFormation resource.
To add a property override, either use
addPropertyOverrideor prefixpathwith “Properties.” (i.e.Properties.TopicName).If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.
To include a literal
.in the property name, prefix with a\. In most programming languages you will need to write this as"\\."because the\itself will need to be escaped.For example:
cfn_resource.add_override("Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes", ["myattribute"]) cfn_resource.add_override("Properties.GlobalSecondaryIndexes.1.ProjectionType", "INCLUDE")
would add the overrides Example:
"Properties": { "GlobalSecondaryIndexes": [ { "Projection": { "NonKeyAttributes": [ "myattribute" ] ... } ... }, { "ProjectionType": "INCLUDE" ... }, ] ... }
The
valueargument toaddOverridewill not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.- Parameters
path (
str) –The path of the property, you can use dot notation to override values in complex types. Any intermdediate keys will be created as needed.
value (
Any) –The value. Could be primitive or complex.
- Return type
None
- add_property_deletion_override(property_path)
Adds an override that deletes the value of a property from the resource definition.
- Parameters
property_path (
str) – The path to the property.- Return type
None
- add_property_override(property_path, value)
Adds an override to a resource property.
Syntactic sugar for
addOverride("Properties.<...>", value).- Parameters
property_path (
str) – The path of the property.value (
Any) – The value.
- Return type
None
- apply_removal_policy(policy=None, *, apply_to_update_replace_policy=None, default=None)
Sets the deletion policy of the resource based on the removal policy specified.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (
RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).- Parameters
policy (
Optional[RemovalPolicy]) –apply_to_update_replace_policy (
Optional[bool]) – Apply the same deletion policy to the resource’s “UpdateReplacePolicy”. Default: truedefault (
Optional[RemovalPolicy]) – The default policy to apply in case the removal policy is not defined. Default: - Default value is resource specific. To determine the default value for a resoure, please consult that specific resource’s documentation.
- Return type
None
- get_att(attribute_name)
Returns a token for an runtime attribute of this resource.
Ideally, use generated attribute accessors (e.g.
resource.arn), but this can be used for future compatibility in case there is no generated attribute.- Parameters
attribute_name (
str) – The name of the attribute.- Return type
- get_metadata(key)
Retrieve a value value from the CloudFormation Resource Metadata.
- Parameters
key (
str) –- See
- Return type
Any
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.
- inspect(inspector)
Examines the CloudFormation resource and discloses attributes.
- Parameters
inspector (
TreeInspector) –tree inspector to collect and process attributes.
- Return type
None
- override_logical_id(new_logical_id)
Overrides the auto-generated logical ID with a specific ID.
- Parameters
new_logical_id (
str) – The new logical ID to use for this stack element.- Return type
None
- to_string()
Returns a string representation of this construct.
- Return type
str- Returns
a string representation of this resource
Attributes
- CFN_RESOURCE_TYPE_NAME = 'AWS::Cognito::UserPool'
- account_recovery_setting
Use this setting to define which verified available method a user can use to recover their password when they call
ForgotPassword.It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
- admin_create_user_config
The configuration for creating a new user profile.
- alias_attributes
phone_number , email , or preferred_username .
This user pool property cannot be updated.
- Link
- Type
Attributes supported as an alias for this user pool. Possible values
- attr_arn
The Amazon Resource Name (ARN) of the user pool, such as
arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341.- CloudformationAttribute
Arn
- attr_provider_name
The provider name of the Amazon Cognito user pool, specified as a
String.- CloudformationAttribute
ProviderName
- attr_provider_url
The URL of the provider of the Amazon Cognito user pool, specified as a
String.- CloudformationAttribute
ProviderURL
- auto_verified_attributes
The attributes to be auto-verified.
Possible values: email , phone_number .
- cfn_options
Options for this resource, such as condition, update policy etc.
- cfn_resource_type
AWS resource type.
- creation_stack
return:
the stack trace of the point where this Resource was created from, sourced from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most node +internal+ entries filtered.
- deletion_protection
AWS::Cognito::UserPool.DeletionProtection.
- device_configuration
The device-remembering configuration for a user pool.
A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:
When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
- email_configuration
The email configuration of your user pool.
The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
- email_verification_message
This parameter is no longer used.
- email_verification_subject
This parameter is no longer used.
- enabled_mfas
Enables MFA on a specified user pool.
To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values:
SMS_MFA- Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided.SOFTWARE_TOKEN_MFA- Enables software token MFA for the user pool.
Allowed values:
SMS_MFA|SOFTWARE_TOKEN_MFA
- lambda_config
The Lambda trigger configuration information for the new user pool.
In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function.
For more information on using the Lambda API to add permission, see AddPermission .
For adding permission using the AWS CLI , see add-permission .
- logical_id
The logical ID for this CloudFormation stack element.
The logical ID of the element is calculated from the path of the resource node in the construct tree.
To override this value, use
overrideLogicalId(newLogicalId).- Returns
the logical ID as a stringified token. This value will only get resolved during synthesis.
- mfa_configuration
.
OFFMFA won’t be used for any users.ONMFA is required for all users to sign in.OPTIONALMFA will be required only for individual users who have an MFA factor activated.
- Link
- Type
The multi-factor authentication (MFA) configuration. Valid values include
- node
The construct tree node associated with this construct.
- policies
The policy associated with a user pool.
- ref
Return a string that will be resolved to a CloudFormation
{ Ref }for this element.If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through
Lazy.any({ produce: resource.ref }).
- schema
The schema attributes for the new user pool. These attributes can be standard or custom attributes.
During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
- sms_authentication_message
A string representing the SMS authentication message.
- sms_configuration
The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service.
To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
- sms_verification_message
This parameter is no longer used.
- stack
The stack in which this element is defined.
CfnElements must be defined within a stack scope (directly or indirectly).
- tags
The tag keys and values to assign to the user pool.
A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
- user_attribute_update_settings
The settings for updates to user attributes.
These settings include the property
AttributesRequireVerificationBeforeUpdate, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users’ email address and phone number attributes. For more information, see Verifying updates to email addresses and phone numbers .
- user_pool_add_ons
Enables advanced security risk detection.
Set the key
AdvancedSecurityModeto the value “AUDIT”.
- user_pool_name
A string used to name the user pool.
- username_attributes
Determines whether email addresses or phone numbers can be specified as user names when a user signs up.
Possible values:
phone_numberoremail.This user pool property cannot be updated.
- username_configuration
You can choose to set case sensitivity on the username input for the selected sign-in option.
For example, when this is set to
False, users will be able to sign in using either “username” or “Username”. This configuration is immutable once it has been set.
- verification_message_template
The template for the verification message that the user sees when the app requests permission to access the user’s information.
Static Methods
- classmethod is_cfn_element(x)
Returns
trueif a construct is a stack element (i.e. part of the synthesized cloudformation template).Uses duck-typing instead of
instanceofto allow stack elements from different versions of this library to be included in the same stack.- Parameters
x (
Any) –- Return type
bool- Returns
The construct as a stack element or undefined if it is not a stack element.
- classmethod is_cfn_resource(construct)
Check whether the given construct is a CfnResource.
- Parameters
construct (
IConstruct) –- Return type
bool
- classmethod is_construct(x)
Return whether the given object is a Construct.
- Parameters
x (
Any) –- Return type
bool
AccountRecoverySettingProperty
- class CfnUserPool.AccountRecoverySettingProperty(*, recovery_mechanisms=None)
Bases:
objectUse this setting to define which verified available method a user can use to recover their password when they call
ForgotPassword.It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
- Parameters
recovery_mechanisms (
Union[IResolvable,Sequence[Union[IResolvable,RecoveryOptionProperty,Dict[str,Any]]],None]) – The list ofRecoveryOptionTypes.- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito account_recovery_setting_property = cognito.CfnUserPool.AccountRecoverySettingProperty( recovery_mechanisms=[cognito.CfnUserPool.RecoveryOptionProperty( name="name", priority=123 )] )
Attributes
- recovery_mechanisms
The list of
RecoveryOptionTypes.
AdminCreateUserConfigProperty
- class CfnUserPool.AdminCreateUserConfigProperty(*, allow_admin_create_user_only=None, invite_message_template=None, unused_account_validity_days=None)
Bases:
objectThe configuration for
AdminCreateUserrequests.- Parameters
allow_admin_create_user_only (
Union[bool,IResolvable,None]) – Set toTrueif only the administrator is allowed to create user profiles. Set toFalseif users can sign themselves up via an app.invite_message_template (
Union[IResolvable,InviteMessageTemplateProperty,Dict[str,Any],None]) – The message template to be used for the welcome message to new users. See also Customizing User Invitation Messages .unused_account_validity_days (
Union[int,float,None]) – The user account expiration limit, in days, after which a new account that hasn’t signed in is no longer usable. To reset the account after that time limit, you must callAdminCreateUseragain, specifying"RESEND"for theMessageActionparameter. The default value for this parameter is 7. .. epigraph:: If you set a value forTemporaryPasswordValidityDaysinPasswordPolicy, that value will be used, andUnusedAccountValidityDayswill be no longer be an available parameter for that user pool.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito admin_create_user_config_property = cognito.CfnUserPool.AdminCreateUserConfigProperty( allow_admin_create_user_only=False, invite_message_template=cognito.CfnUserPool.InviteMessageTemplateProperty( email_message="emailMessage", email_subject="emailSubject", sms_message="smsMessage" ), unused_account_validity_days=123 )
Attributes
- allow_admin_create_user_only
Set to
Trueif only the administrator is allowed to create user profiles.Set to
Falseif users can sign themselves up via an app.
- invite_message_template
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages .
- unused_account_validity_days
The user account expiration limit, in days, after which a new account that hasn’t signed in is no longer usable.
To reset the account after that time limit, you must call
AdminCreateUseragain, specifying"RESEND"for theMessageActionparameter. The default value for this parameter is 7. .. epigraph:If you set a value for ``TemporaryPasswordValidityDays`` in ``PasswordPolicy`` , that value will be used, and ``UnusedAccountValidityDays`` will be no longer be an available parameter for that user pool.
CustomEmailSenderProperty
- class CfnUserPool.CustomEmailSenderProperty(*, lambda_arn=None, lambda_version=None)
Bases:
objectA custom email sender AWS Lambda trigger.
- Parameters
lambda_arn (
Optional[str]) – The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send email notifications to users.lambda_version (
Optional[str]) – The Lambda version represents the signature of the “request” attribute in the “event” information that Amazon Cognito passes to your custom email sender AWS Lambda function. The only supported value isV1_0.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito custom_email_sender_property = cognito.CfnUserPool.CustomEmailSenderProperty( lambda_arn="lambdaArn", lambda_version="lambdaVersion" )
Attributes
- lambda_arn
The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send email notifications to users.
- lambda_version
The Lambda version represents the signature of the “request” attribute in the “event” information that Amazon Cognito passes to your custom email sender AWS Lambda function.
The only supported value is
V1_0.
CustomSMSSenderProperty
- class CfnUserPool.CustomSMSSenderProperty(*, lambda_arn=None, lambda_version=None)
Bases:
objectA custom SMS sender AWS Lambda trigger.
- Parameters
lambda_arn (
Optional[str]) – The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send SMS notifications to users.lambda_version (
Optional[str]) – The Lambda version represents the signature of the “request” attribute in the “event” information Amazon Cognito passes to your custom SMS sender Lambda function. The only supported value isV1_0.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito custom_sMSSender_property = cognito.CfnUserPool.CustomSMSSenderProperty( lambda_arn="lambdaArn", lambda_version="lambdaVersion" )
Attributes
- lambda_arn
The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send SMS notifications to users.
- lambda_version
The Lambda version represents the signature of the “request” attribute in the “event” information Amazon Cognito passes to your custom SMS sender Lambda function.
The only supported value is
V1_0.
DeviceConfigurationProperty
- class CfnUserPool.DeviceConfigurationProperty(*, challenge_required_on_new_device=None, device_only_remembered_on_user_prompt=None)
Bases:
objectThe device-remembering configuration for a user pool.
A DescribeUserPool request returns a null value for this object when the user pool isn’t configured to remember devices. When device remembering is active, you can remember a user’s device with a ConfirmDevice API request. Additionally. when the property
DeviceOnlyRememberedOnUserPromptistrue, you must followConfirmDevicewith an UpdateDeviceStatus API request that sets the user’s device torememberedornot_remembered.To sign in with a remembered device, include
DEVICE_KEYin the authentication parameters in your user’s InitiateAuth request. If your app doesn’t include aDEVICE_KEYparameter, the response from Amazon Cognito includes newly-generatedDEVICE_KEYandDEVICE_GROUP_KEYvalues underNewDeviceMetadata. Store these values to use in future device-authentication requests. .. epigraph:When you provide a value for any property of ``DeviceConfiguration`` , you activate the device remembering for the user pool.
- Parameters
challenge_required_on_new_device (
Union[bool,IResolvable,None]) – When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA). .. epigraph:: Whether or notChallengeRequiredOnNewDeviceis true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.device_only_remembered_on_user_prompt (
Union[bool,IResolvable,None]) –When true, Amazon Cognito doesn’t automatically remember a user’s device when your app sends a ConfirmDevice API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user’s choice in an UpdateDeviceStatus API request. When
DeviceOnlyRememberedOnUserPromptisfalse, Amazon Cognito immediately remembers devices that you register in aConfirmDeviceAPI request.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito device_configuration_property = cognito.CfnUserPool.DeviceConfigurationProperty( challenge_required_on_new_device=False, device_only_remembered_on_user_prompt=False )
Attributes
- challenge_required_on_new_device
When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA).
Whether or not
ChallengeRequiredOnNewDeviceis true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.
- device_only_remembered_on_user_prompt
//docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html>`_ API request.
When
DeviceOnlyRememberedOnUserPromptisfalse, Amazon Cognito immediately remembers devices that you register in aConfirmDeviceAPI request.- Link
- Type
When true, Amazon Cognito doesn’t automatically remember a user’s device when your app sends a `ConfirmDevice <https
- Type
//docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html>`_ API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user’s choice in an `UpdateDeviceStatus <https
EmailConfigurationProperty
- class CfnUserPool.EmailConfigurationProperty(*, configuration_set=None, email_sending_account=None, from_=None, reply_to_email_address=None, source_arn=None)
Bases:
objectThe email configuration of your user pool.
The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
- Parameters
configuration_set (
Optional[str]) – The set of configuration rules that can be applied to emails sent using Amazon SES. A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails: - Event publishing – Amazon SES can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as SNS and CloudWatch. - IP pool management – When leasing dedicated IP addresses with Amazon SES, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.email_sending_account (
Optional[str]) – Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following values: - COGNITO_DEFAULT - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration. To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer Guide . The default FROM address isno-reply@verificationemail.com. To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for theSourceArnparameter. - DEVELOPER - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account . If you use this option, provide the ARN of an Amazon SES verified email address for theSourceArnparameter. Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a service-linked role , which is a type of role in your AWS account . This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. For more information about the service-linked role that Amazon Cognito creates, see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide .from – Identifies either the sender’s email address or the sender’s name with their email address. For example,
testuser@example.comorTest User <testuser@example.com>. This address appears before the body of the email.reply_to_email_address (
Optional[str]) – The destination to which the receiver of the email should reply.source_arn (
Optional[str]) – The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for theEmailSendingAccountparameter: - If you specifyCOGNITO_DEFAULT, Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account. - If you specifyDEVELOPER, Amazon Cognito emails your users with this address by calling Amazon SES on your behalf. The Region value of theSourceArnparameter must indicate a supported AWS Region of your user pool. Typically, the Region in theSourceArnand the user pool Region are the same. For more information, see Amazon SES email configuration regions in the Amazon Cognito Developer Guide .
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito email_configuration_property = cognito.CfnUserPool.EmailConfigurationProperty( configuration_set="configurationSet", email_sending_account="emailSendingAccount", from="from", reply_to_email_address="replyToEmailAddress", source_arn="sourceArn" )
Attributes
- configuration_set
The set of configuration rules that can be applied to emails sent using Amazon SES.
A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails:
Event publishing – Amazon SES can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as SNS and CloudWatch.
IP pool management – When leasing dedicated IP addresses with Amazon SES, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
- email_sending_account
Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration.
Specify one of the following values:
COGNITO_DEFAULT - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.
To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer Guide .
The default FROM address is
no-reply@verificationemail.com. To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for theSourceArnparameter.DEVELOPER - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account .
If you use this option, provide the ARN of an Amazon SES verified email address for the
SourceArnparameter.Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a service-linked role , which is a type of role in your AWS account . This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. For more information about the service-linked role that Amazon Cognito creates, see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide .
- from_
Identifies either the sender’s email address or the sender’s name with their email address.
For example,
testuser@example.comorTest User <testuser@example.com>. This address appears before the body of the email.
- reply_to_email_address
The destination to which the receiver of the email should reply.
- source_arn
The ARN of a verified email address in Amazon SES.
Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the
EmailSendingAccountparameter:If you specify
COGNITO_DEFAULT, Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.If you specify
DEVELOPER, Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.
The Region value of the
SourceArnparameter must indicate a supported AWS Region of your user pool. Typically, the Region in theSourceArnand the user pool Region are the same. For more information, see Amazon SES email configuration regions in the Amazon Cognito Developer Guide .
InviteMessageTemplateProperty
- class CfnUserPool.InviteMessageTemplateProperty(*, email_message=None, email_subject=None, sms_message=None)
Bases:
objectThe message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages .
- Parameters
email_message (
Optional[str]) – The message template for email messages. EmailMessage is allowed only if EmailSendingAccount is DEVELOPER.email_subject (
Optional[str]) –The subject line for email messages. EmailSubject is allowed only if EmailSendingAccount is DEVELOPER.
sms_message (
Optional[str]) – The message template for SMS messages.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito invite_message_template_property = cognito.CfnUserPool.InviteMessageTemplateProperty( email_message="emailMessage", email_subject="emailSubject", sms_message="smsMessage" )
Attributes
- email_message
The message template for email messages.
EmailMessage is allowed only if EmailSendingAccount is DEVELOPER.
- email_subject
The subject line for email messages.
EmailSubject is allowed only if EmailSendingAccount is DEVELOPER.
- sms_message
The message template for SMS messages.
LambdaConfigProperty
- class CfnUserPool.LambdaConfigProperty(*, create_auth_challenge=None, custom_email_sender=None, custom_message=None, custom_sms_sender=None, define_auth_challenge=None, kms_key_id=None, post_authentication=None, post_confirmation=None, pre_authentication=None, pre_sign_up=None, pre_token_generation=None, user_migration=None, verify_auth_challenge_response=None)
Bases:
objectSpecifies the configuration for AWS Lambda triggers.
- Parameters
create_auth_challenge (
Optional[str]) – Creates an authentication challenge.custom_email_sender (
Union[IResolvable,CustomEmailSenderProperty,Dict[str,Any],None]) – A custom email sender AWS Lambda trigger.custom_message (
Optional[str]) – A custom Message AWS Lambda trigger.custom_sms_sender (
Union[IResolvable,CustomSMSSenderProperty,Dict[str,Any],None]) – A custom SMS sender AWS Lambda trigger.define_auth_challenge (
Optional[str]) – Defines the authentication challenge.kms_key_id (
Optional[str]) – The Amazon Resource Name of a AWS Key Management Service ( AWS KMS ) key. Amazon Cognito uses the key to encrypt codes and temporary passwords sent toCustomEmailSenderandCustomSMSSender.post_authentication (
Optional[str]) – A post-authentication AWS Lambda trigger.post_confirmation (
Optional[str]) – A post-confirmation AWS Lambda trigger.pre_authentication (
Optional[str]) – A pre-authentication AWS Lambda trigger.pre_sign_up (
Optional[str]) – A pre-registration AWS Lambda trigger.pre_token_generation (
Optional[str]) – A Lambda trigger that is invoked before token generation.user_migration (
Optional[str]) – The user migration Lambda config type.verify_auth_challenge_response (
Optional[str]) – Verifies the authentication challenge response.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito lambda_config_property = cognito.CfnUserPool.LambdaConfigProperty( create_auth_challenge="createAuthChallenge", custom_email_sender=cognito.CfnUserPool.CustomEmailSenderProperty( lambda_arn="lambdaArn", lambda_version="lambdaVersion" ), custom_message="customMessage", custom_sms_sender=cognito.CfnUserPool.CustomSMSSenderProperty( lambda_arn="lambdaArn", lambda_version="lambdaVersion" ), define_auth_challenge="defineAuthChallenge", kms_key_id="kmsKeyId", post_authentication="postAuthentication", post_confirmation="postConfirmation", pre_authentication="preAuthentication", pre_sign_up="preSignUp", pre_token_generation="preTokenGeneration", user_migration="userMigration", verify_auth_challenge_response="verifyAuthChallengeResponse" )
Attributes
- create_auth_challenge
Creates an authentication challenge.
- custom_email_sender
A custom email sender AWS Lambda trigger.
- custom_message
A custom Message AWS Lambda trigger.
- custom_sms_sender
A custom SMS sender AWS Lambda trigger.
- define_auth_challenge
Defines the authentication challenge.
- kms_key_id
The Amazon Resource Name of a AWS Key Management Service ( AWS KMS ) key.
Amazon Cognito uses the key to encrypt codes and temporary passwords sent to
CustomEmailSenderandCustomSMSSender.
- post_authentication
A post-authentication AWS Lambda trigger.
- post_confirmation
A post-confirmation AWS Lambda trigger.
- pre_authentication
A pre-authentication AWS Lambda trigger.
- pre_sign_up
A pre-registration AWS Lambda trigger.
- pre_token_generation
A Lambda trigger that is invoked before token generation.
- user_migration
The user migration Lambda config type.
- verify_auth_challenge_response
Verifies the authentication challenge response.
NumberAttributeConstraintsProperty
- class CfnUserPool.NumberAttributeConstraintsProperty(*, max_value=None, min_value=None)
Bases:
objectThe minimum and maximum values of an attribute that is of the number data type.
- Parameters
max_value (
Optional[str]) – The maximum value of an attribute that is of the number data type.min_value (
Optional[str]) – The minimum value of an attribute that is of the number data type.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito number_attribute_constraints_property = cognito.CfnUserPool.NumberAttributeConstraintsProperty( max_value="maxValue", min_value="minValue" )
Attributes
- max_value
The maximum value of an attribute that is of the number data type.
- min_value
The minimum value of an attribute that is of the number data type.
PasswordPolicyProperty
- class CfnUserPool.PasswordPolicyProperty(*, minimum_length=None, require_lowercase=None, require_numbers=None, require_symbols=None, require_uppercase=None, temporary_password_validity_days=None)
Bases:
objectThe password policy type.
- Parameters
minimum_length (
Union[int,float,None]) – The minimum length of the password in the policy that you have set. This value can’t be less than 6.require_lowercase (
Union[bool,IResolvable,None]) – In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.require_numbers (
Union[bool,IResolvable,None]) – In the password policy that you have set, refers to whether you have required users to use at least one number in their password.require_symbols (
Union[bool,IResolvable,None]) – In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.require_uppercase (
Union[bool,IResolvable,None]) – In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.temporary_password_validity_days (
Union[int,float,None]) – The number of days a temporary password is valid in the password policy. If the user doesn’t sign in during this time, an administrator must reset their password. .. epigraph:: When you setTemporaryPasswordValidityDaysfor a user pool, you can no longer set a value for the legacyUnusedAccountValidityDaysparameter in that user pool.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito password_policy_property = cognito.CfnUserPool.PasswordPolicyProperty( minimum_length=123, require_lowercase=False, require_numbers=False, require_symbols=False, require_uppercase=False, temporary_password_validity_days=123 )
Attributes
- minimum_length
The minimum length of the password in the policy that you have set.
This value can’t be less than 6.
- require_lowercase
In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
- require_numbers
In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
- require_symbols
In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
- require_uppercase
In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
- temporary_password_validity_days
The number of days a temporary password is valid in the password policy.
If the user doesn’t sign in during this time, an administrator must reset their password. .. epigraph:
When you set ``TemporaryPasswordValidityDays`` for a user pool, you can no longer set a value for the legacy ``UnusedAccountValidityDays`` parameter in that user pool.
PoliciesProperty
- class CfnUserPool.PoliciesProperty(*, password_policy=None)
Bases:
objectThe policy associated with a user pool.
- Parameters
password_policy (
Union[IResolvable,PasswordPolicyProperty,Dict[str,Any],None]) – The password policy.- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito policies_property = cognito.CfnUserPool.PoliciesProperty( password_policy=cognito.CfnUserPool.PasswordPolicyProperty( minimum_length=123, require_lowercase=False, require_numbers=False, require_symbols=False, require_uppercase=False, temporary_password_validity_days=123 ) )
Attributes
- password_policy
The password policy.
RecoveryOptionProperty
- class CfnUserPool.RecoveryOptionProperty(*, name=None, priority=None)
Bases:
objectA map containing a priority as a key, and recovery method name as a value.
- Parameters
name (
Optional[str]) – Specifies the recovery method for a user.priority (
Union[int,float,None]) – A positive integer specifying priority of a method with 1 being the highest priority.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito recovery_option_property = cognito.CfnUserPool.RecoveryOptionProperty( name="name", priority=123 )
Attributes
- name
Specifies the recovery method for a user.
- priority
A positive integer specifying priority of a method with 1 being the highest priority.
SchemaAttributeProperty
- class CfnUserPool.SchemaAttributeProperty(*, attribute_data_type=None, developer_only_attribute=None, mutable=None, name=None, number_attribute_constraints=None, required=None, string_attribute_constraints=None)
Bases:
objectContains information about the schema attribute.
- Parameters
attribute_data_type (
Optional[str]) – The attribute data type.developer_only_attribute (
Union[bool,IResolvable,None]) –We recommend that you use WriteAttributes in the user pool client to control how attributes can be mutated for new use cases instead of using
DeveloperOnlyAttribute. Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.mutable (
Union[bool,IResolvable,None]) – Specifies whether the value of the attribute can be changed. For any user pool attribute that is mapped to an IdP attribute, you must set this parameter totrue. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool .name (
Optional[str]) – A schema attribute of the name type.number_attribute_constraints (
Union[IResolvable,NumberAttributeConstraintsProperty,Dict[str,Any],None]) – Specifies the constraints for an attribute of the number type.required (
Union[bool,IResolvable,None]) – Specifies whether a user pool attribute is required. If the attribute is required and the user doesn’t provide a value, registration or sign-in will fail.string_attribute_constraints (
Union[IResolvable,StringAttributeConstraintsProperty,Dict[str,Any],None]) – Specifies the constraints for an attribute of the string type.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito schema_attribute_property = cognito.CfnUserPool.SchemaAttributeProperty( attribute_data_type="attributeDataType", developer_only_attribute=False, mutable=False, name="name", number_attribute_constraints=cognito.CfnUserPool.NumberAttributeConstraintsProperty( max_value="maxValue", min_value="minValue" ), required=False, string_attribute_constraints=cognito.CfnUserPool.StringAttributeConstraintsProperty( max_length="maxLength", min_length="minLength" ) )
Attributes
- attribute_data_type
The attribute data type.
- developer_only_attribute
We recommend that you use WriteAttributes in the user pool client to control how attributes can be mutated for new use cases instead of using
DeveloperOnlyAttribute.Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.
- mutable
Specifies whether the value of the attribute can be changed.
For any user pool attribute that is mapped to an IdP attribute, you must set this parameter to
true. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool .
- name
A schema attribute of the name type.
- number_attribute_constraints
Specifies the constraints for an attribute of the number type.
- required
Specifies whether a user pool attribute is required.
If the attribute is required and the user doesn’t provide a value, registration or sign-in will fail.
- string_attribute_constraints
Specifies the constraints for an attribute of the string type.
SmsConfigurationProperty
- class CfnUserPool.SmsConfigurationProperty(*, external_id=None, sns_caller_arn=None, sns_region=None)
Bases:
objectThe SMS configuration type that includes the settings the Cognito User Pool needs to call for the Amazon SNS service to send an SMS message from your AWS account .
The Cognito User Pool makes the request to the Amazon SNS Service by using an IAM role that you provide for your AWS account .
- Parameters
external_id (
Optional[str]) – The external ID is a value. We recommend you useExternalIdto add security to your IAM role, which is used to call Amazon SNS to send SMS messages for your user pool. If you provide anExternalId, the Cognito User Pool uses it when attempting to assume your IAM role. You can also set your roles trust policy to require theExternalID. If you use the Cognito Management Console to create a role for SMS MFA, Cognito creates a role with the required permissions and a trust policy that usesExternalId.sns_caller_arn (
Optional[str]) – The Amazon Resource Name (ARN) of the Amazon SNS caller. This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a spending limit .sns_region (
Optional[str]) – The AWS Region to use with Amazon SNS integration. You can choose the same Region as your user pool, or a supported Legacy Amazon SNS alternate Region . Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see SMS message settings for Amazon Cognito user pools .
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito sms_configuration_property = cognito.CfnUserPool.SmsConfigurationProperty( external_id="externalId", sns_caller_arn="snsCallerArn", sns_region="snsRegion" )
Attributes
- external_id
The external ID is a value.
We recommend you use
ExternalIdto add security to your IAM role, which is used to call Amazon SNS to send SMS messages for your user pool. If you provide anExternalId, the Cognito User Pool uses it when attempting to assume your IAM role. You can also set your roles trust policy to require theExternalID. If you use the Cognito Management Console to create a role for SMS MFA, Cognito creates a role with the required permissions and a trust policy that usesExternalId.
- sns_caller_arn
The Amazon Resource Name (ARN) of the Amazon SNS caller.
This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a spending limit .
- sns_region
The AWS Region to use with Amazon SNS integration.
You can choose the same Region as your user pool, or a supported Legacy Amazon SNS alternate Region .
Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see SMS message settings for Amazon Cognito user pools .
StringAttributeConstraintsProperty
- class CfnUserPool.StringAttributeConstraintsProperty(*, max_length=None, min_length=None)
Bases:
objectThe
StringAttributeConstraintsproperty type defines the string attribute constraints of an Amazon Cognito user pool.StringAttributeConstraintsis a subproperty of the SchemaAttribute property type.- Parameters
max_length (
Optional[str]) – The maximum length.min_length (
Optional[str]) – The minimum length.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito string_attribute_constraints_property = cognito.CfnUserPool.StringAttributeConstraintsProperty( max_length="maxLength", min_length="minLength" )
Attributes
- max_length
The maximum length.
UserAttributeUpdateSettingsProperty
- class CfnUserPool.UserAttributeUpdateSettingsProperty(*, attributes_require_verification_before_update)
Bases:
objectThe settings for updates to user attributes.
These settings include the property
AttributesRequireVerificationBeforeUpdate, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users’ email address and phone number attributes. For more information, see Verifying updates to email addresses and phone numbers .- Parameters
attributes_require_verification_before_update (
Sequence[str]) – Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. You can verify an updated email address or phone number with a VerifyUserAttribute API request. You can also call the AdminUpdateUserAttributes API and setemail_verifiedorphone_number_verifiedto true. WhenAttributesRequireVerificationBeforeUpdateis false, your user pool doesn’t require that your users verify attribute changes before Amazon Cognito updates them. In a user pool whereAttributesRequireVerificationBeforeUpdateis false, API operations that change attribute values can immediately update a user’semailorphone_numberattribute.- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito user_attribute_update_settings_property = cognito.CfnUserPool.UserAttributeUpdateSettingsProperty( attributes_require_verification_before_update=["attributesRequireVerificationBeforeUpdate"] )
Attributes
- attributes_require_verification_before_update
Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute.
When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value.
You can verify an updated email address or phone number with a VerifyUserAttribute API request. You can also call the AdminUpdateUserAttributes API and set
email_verifiedorphone_number_verifiedto true.When
AttributesRequireVerificationBeforeUpdateis false, your user pool doesn’t require that your users verify attribute changes before Amazon Cognito updates them. In a user pool whereAttributesRequireVerificationBeforeUpdateis false, API operations that change attribute values can immediately update a user’semailorphone_numberattribute.
UserPoolAddOnsProperty
- class CfnUserPool.UserPoolAddOnsProperty(*, advanced_security_mode=None)
Bases:
objectThe user pool add-ons type.
- Parameters
advanced_security_mode (
Optional[str]) – The advanced security mode.- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito user_pool_add_ons_property = cognito.CfnUserPool.UserPoolAddOnsProperty( advanced_security_mode="advancedSecurityMode" )
Attributes
- advanced_security_mode
The advanced security mode.
UsernameConfigurationProperty
- class CfnUserPool.UsernameConfigurationProperty(*, case_sensitive=None)
Bases:
objectThe
UsernameConfigurationproperty type specifies case sensitivity on the username input for the selected sign-in option.- Parameters
case_sensitive (
Union[bool,IResolvable,None]) – Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity toFalse(case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - True - Enables case sensitivity for all username input. When this option is set toTrue, users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - False - Enables case insensitivity for all username input. For example, when this option is set toFalse, users can sign in usingusername,USERNAME, orUserName. This option also enables bothpreferred_usernameandemailalias to be case insensitive, in addition to theusernameattribute.- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito username_configuration_property = cognito.CfnUserPool.UsernameConfigurationProperty( case_sensitive=False )
Attributes
- case_sensitive
Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs.
For most use cases, set case sensitivity to
False(case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name.Valid values include:
True - Enables case sensitivity for all username input. When this option is set to
True, users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value.False - Enables case insensitivity for all username input. For example, when this option is set to
False, users can sign in usingusername,USERNAME, orUserName. This option also enables bothpreferred_usernameandemailalias to be case insensitive, in addition to theusernameattribute.
VerificationMessageTemplateProperty
- class CfnUserPool.VerificationMessageTemplateProperty(*, default_email_option=None, email_message=None, email_message_by_link=None, email_subject=None, email_subject_by_link=None, sms_message=None)
Bases:
objectThe template for verification messages.
- Parameters
default_email_option (
Optional[str]) – The default email option.email_message (
Optional[str]) –The template for email messages that Amazon Cognito sends to your users. You can set an
EmailMessagetemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.email_message_by_link (
Optional[str]) –The email message template for sending a confirmation link to the user. You can set an
EmailMessageByLinktemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.email_subject (
Optional[str]) –The subject line for the email message template. You can set an
EmailSubjecttemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.email_subject_by_link (
Optional[str]) –The subject line for the email message template for sending a confirmation link to the user. You can set an
EmailSubjectByLinktemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.sms_message (
Optional[str]) – The template for SMS messages that Amazon Cognito sends to your users.
- Link
- ExampleMetadata
fixture=_generated
Example:
# The code below shows an example of how to instantiate this type. # The values are placeholders you should change. import aws_cdk.aws_cognito as cognito verification_message_template_property = cognito.CfnUserPool.VerificationMessageTemplateProperty( default_email_option="defaultEmailOption", email_message="emailMessage", email_message_by_link="emailMessageByLink", email_subject="emailSubject", email_subject_by_link="emailSubjectByLink", sms_message="smsMessage" )
Attributes
- default_email_option
The default email option.
- email_message
The template for email messages that Amazon Cognito sends to your users.
You can set an
EmailMessagetemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.
- email_message_by_link
The email message template for sending a confirmation link to the user.
You can set an
EmailMessageByLinktemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.
- email_subject
The subject line for the email message template.
You can set an
EmailSubjecttemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.
- email_subject_by_link
The subject line for the email message template for sending a confirmation link to the user.
You can set an
EmailSubjectByLinktemplate only if the value of EmailSendingAccount isDEVELOPER. When your EmailSendingAccount isDEVELOPER, your user pool sends email messages with your own Amazon SES configuration.
- sms_message
The template for SMS messages that Amazon Cognito sends to your users.