UserPool
- class aws_cdk.aws_cognito.UserPool(scope, id, *, account_recovery=None, auto_verify=None, custom_attributes=None, custom_sender_kms_key=None, device_tracking=None, email=None, email_settings=None, enable_sms_role=None, lambda_triggers=None, mfa=None, mfa_message=None, mfa_second_factor=None, password_policy=None, removal_policy=None, self_sign_up_enabled=None, sign_in_aliases=None, sign_in_case_sensitive=None, sms_role=None, sms_role_external_id=None, sns_region=None, standard_attributes=None, user_invitation=None, user_pool_name=None, user_verification=None)
Bases:
Resource
Define a Cognito User Pool.
- ExampleMetadata:
infused
Example:
pool = cognito.UserPool(self, "Pool") pool.add_client("app-client", o_auth=cognito.OAuthSettings( flows=cognito.OAuthFlows( authorization_code_grant=True ), scopes=[cognito.OAuthScope.OPENID], callback_urls=["https://my-app-domain.com/welcome"], logout_urls=["https://my-app-domain.com/signin"] ) )
- Parameters:
scope (
Construct
) –id (
str
) –account_recovery (
Optional
[AccountRecovery
]) – How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAILauto_verify (
Union
[AutoVerifiedAttrs
,Dict
[str
,Any
],None
]) – Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - IfsignInAlias
includes email and/or phone, they will be included inautoVerifiedAttributes
by default. If absent, no attributes will be auto-verified.custom_attributes (
Optional
[Mapping
[str
,ICustomAttribute
]]) – Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.custom_sender_kms_key (
Optional
[IKey
]) – This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configureddevice_tracking (
Union
[DeviceTracking
,Dict
[str
,Any
],None
]) – Device tracking settings. Default: - see defaults on each property of DeviceTracking.email (
Optional
[UserPoolEmail
]) – Email settings for a user pool. Default: - cognito will use the default email configurationemail_settings (
Union
[EmailSettings
,Dict
[str
,Any
],None
]) – (deprecated) Email settings for a user pool. Default: - see defaults on each property of EmailSettings.enable_sms_role (
Optional
[bool
]) – Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.lambda_triggers (
Union
[UserPoolTriggers
,Dict
[str
,Any
],None
]) – Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.mfa (
Optional
[Mfa
]) – Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFFmfa_message (
Optional
[str
]) – The SMS message template sent during MFA verification. Use ‘{####}’ in the template where Cognito should insert the verification code. Default: ‘Your authentication code is {####}.’mfa_second_factor (
Union
[MfaSecondFactor
,Dict
[str
,Any
],None
]) – Configure the MFA types that users can use in this user pool. Ignored ifmfa
is set toOFF
. Default: - { sms: true, otp: false }, ifmfa
is set toOPTIONAL
orREQUIRED
. { sms: false, otp: false }, otherwisepassword_policy (
Union
[PasswordPolicy
,Dict
[str
,Any
],None
]) – Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.removal_policy (
Optional
[RemovalPolicy
]) – Policy to apply when the user pool is removed from the stack. Default: RemovalPolicy.RETAINself_sign_up_enabled (
Optional
[bool
]) – Whether self sign up should be enabled. This can be further configured via theselfSignUp
property. Default: falsesign_in_aliases (
Union
[SignInAliases
,Dict
[str
,Any
],None
]) – Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with ‘Option 1’ in the above link, with a verified email, this property should be set to{ username: true, email: true }
. To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to{ email: true, phone: true }
. Default: { username: true }sign_in_case_sensitive (
Optional
[bool
]) – Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using eitherMyUsername
ormyusername
. Default: truesms_role (
Optional
[IRole
]) – The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is createdsms_role_external_id (
Optional
[str
]) – The ‘ExternalId’ that Cognito service must using when assuming thesmsRole
, if the role is restricted with an ‘sts:ExternalId’ conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored ifsmsRole
is not specified. Default: - No external id will be configuredsns_region (
Optional
[str
]) – The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-timestandard_attributes (
Union
[StandardAttributes
,Dict
[str
,Any
],None
]) – The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.user_invitation (
Union
[UserInvitationConfig
,Dict
[str
,Any
],None
]) – Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfiguser_pool_name (
Optional
[str
]) – Name of the user pool. Default: - automatically generated name by CloudFormation at deploy timeuser_verification (
Union
[UserVerificationConfig
,Dict
[str
,Any
],None
]) – Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via theselfSignUpEnabled
property. Default: - see defaults in UserVerificationConfig
Methods
- add_client(id, *, access_token_validity=None, auth_flows=None, disable_o_auth=None, enable_token_revocation=None, generate_secret=None, id_token_validity=None, o_auth=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_client_name=None, write_attributes=None)
Add a new app client to this user pool.
- Parameters:
id (
str
) –access_token_validity (
Optional
[Duration
]) – Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)auth_flows (
Union
[AuthFlow
,Dict
[str
,Any
],None
]) – The set of OAuth authentication flows to enable on the client. Default: - all auth flows disableddisable_o_auth (
Optional
[bool
]) – Turns off all OAuth interactions for this client. Default: falseenable_token_revocation (
Optional
[bool
]) – Enable token revocation for this client. Default: true for new user pool clientsgenerate_secret (
Optional
[bool
]) – Whether to generate a client secret. Default: falseid_token_validity (
Optional
[Duration
]) – Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)o_auth (
Union
[OAuthSettings
,Dict
[str
,Any
],None
]) – OAuth settings for this client to interact with the app. An error is thrown when this is specified anddisableOAuth
is set. Default: - see defaults inOAuthSettings
. meaningless ifdisableOAuth
is set.prevent_user_existence_errors (
Optional
[bool
]) – Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence. Default: falseread_attributes (
Optional
[ClientAttributes
]) – The set of attributes this client will be able to read. Default: - all standard and custom attributesrefresh_token_validity (
Optional
[Duration
]) – Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)supported_identity_providers (
Optional
[Sequence
[UserPoolClientIdentityProvider
]]) – The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using theUserPool.registerIdentityProvider()
API.user_pool_client_name (
Optional
[str
]) – Name of the application client. Default: - cloudformation generated namewrite_attributes (
Optional
[ClientAttributes
]) – The set of attributes this client will be able to write. Default: - all standard and custom attributes
- Return type:
- add_domain(id, *, cognito_domain=None, custom_domain=None)
Associate a domain to this user pool.
- Parameters:
id (
str
) –cognito_domain (
Union
[CognitoDomainOptions
,Dict
[str
,Any
],None
]) – Associate a cognito prefix domain with your user pool EithercustomDomain
orcognitoDomain
must be specified. Default: - not set ifcustomDomain
is specified, otherwise, throws an error.custom_domain (
Union
[CustomDomainOptions
,Dict
[str
,Any
],None
]) – Associate a custom domain with your user pool EithercustomDomain
orcognitoDomain
must be specified. Default: - not set ifcognitoDomain
is specified, otherwise, throws an error.
- Return type:
- add_resource_server(id, *, identifier, scopes=None, user_pool_resource_server_name=None)
Add a new resource server to this user pool.
- Parameters:
id (
str
) –identifier (
str
) – A unique resource server identifier for the resource server.scopes (
Optional
[Sequence
[ResourceServerScope
]]) – Oauth scopes. Default: - No scopes will be addeduser_pool_resource_server_name (
Optional
[str
]) – A friendly name for the resource server. Default: - same asidentifier
- Return type:
- add_trigger(operation, fn)
Add a lambda trigger to a user pool operation.
- Parameters:
operation (
UserPoolOperation
) –fn (
IFunction
) –
- See:
- Return type:
None
- apply_removal_policy(policy)
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (
RemovalPolicy.DESTROY
), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN
).- Parameters:
policy (
RemovalPolicy
) –- Return type:
None
- grant(grantee, *actions)
Adds an IAM policy statement associated with this user pool to an IAM principal’s policy.
- Parameters:
grantee (
IGrantable
) –actions (
str
) –
- Return type:
- register_identity_provider(provider)
Register an identity provider with this user pool.
- Parameters:
provider (
IUserPoolIdentityProvider
) –- Return type:
None
- to_string()
Returns a string representation of this construct.
- Return type:
str
Attributes
- env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- identity_providers
Get all identity providers registered with this user pool.
- node
The construct tree node associated with this construct.
- stack
The stack in which this resource is defined.
- user_pool_arn
The ARN of the user pool.
- user_pool_id
The physical ID of this user pool resource.
- user_pool_provider_name
User pool provider name.
- Attribute:
true
- user_pool_provider_url
User pool provider URL.
- Attribute:
true
Static Methods
- classmethod from_user_pool_arn(scope, id, user_pool_arn)
Import an existing user pool based on its ARN.
- classmethod from_user_pool_id(scope, id, user_pool_id)
Import an existing user pool based on its id.
- classmethod is_construct(x)
Return whether the given object is a Construct.
- Parameters:
x (
Any
) –- Return type:
bool
- classmethod is_resource(construct)
Check whether the given construct is a Resource.
- Parameters:
construct (
IConstruct
) –- Return type:
bool