UserPool

class aws_cdk.aws_cognito.UserPool(scope, id, *, account_recovery=None, advanced_security_mode=None, auto_verify=None, custom_attributes=None, custom_sender_kms_key=None, custom_threat_protection_mode=None, deletion_protection=None, device_tracking=None, email=None, enable_sms_role=None, feature_plan=None, keep_original=None, lambda_triggers=None, mfa=None, mfa_message=None, mfa_second_factor=None, passkey_relying_party_id=None, passkey_user_verification=None, password_policy=None, removal_policy=None, self_sign_up_enabled=None, sign_in_aliases=None, sign_in_case_sensitive=None, sign_in_policy=None, sms_role=None, sms_role_external_id=None, sns_region=None, standard_attributes=None, standard_threat_protection_mode=None, user_invitation=None, user_pool_name=None, user_verification=None)

Bases: Resource

Define a Cognito User Pool.

ExampleMetadata:

infused

Example:

pool = cognito.UserPool(self, "Pool")
pool.add_client("app-client",
    o_auth=cognito.OAuthSettings(
        flows=cognito.OAuthFlows(
            authorization_code_grant=True
        ),
        scopes=[cognito.OAuthScope.OPENID],
        callback_urls=["https://my-app-domain.com/welcome"],
        logout_urls=["https://my-app-domain.com/signin"]
    )
)
Parameters:

  • scope (Construct) –

  • id (str) –

  • account_recovery (Optional[AccountRecovery]) – How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

  • advanced_security_mode (Optional[AdvancedSecurityMode]) – (deprecated) The user pool’s Advanced Security Mode. Default: - no value

  • auto_verify (Union[AutoVerifiedAttrs, Dict[str, Any], None]) – Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

  • custom_attributes (Optional[Mapping[str, ICustomAttribute]]) – Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.

  • custom_sender_kms_key (Optional[IKey]) – This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured

  • custom_threat_protection_mode (Optional[CustomThreatProtectionMode]) – The Type of Threat Protection Enabled for Custom Authentication. This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS Default: - no value

  • deletion_protection (Optional[bool]) – Indicates whether the user pool should have deletion protection enabled. Default: false

  • device_tracking (Union[DeviceTracking, Dict[str, Any], None]) – Device tracking settings. Default: - see defaults on each property of DeviceTracking.

  • email (Optional[UserPoolEmail]) – Email settings for a user pool. Default: - cognito will use the default email configuration

  • enable_sms_role (Optional[bool]) – Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.

  • feature_plan (Optional[FeaturePlan]) – The user pool feature plan, or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise

  • keep_original (Union[KeepOriginalAttrs, Dict[str, Any], None]) – Attributes which Cognito will look to handle changes to the value of your users’ email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.

  • lambda_triggers (Union[UserPoolTriggers, Dict[str, Any], None]) – Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.

  • mfa (Optional[Mfa]) – Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF

  • mfa_message (Optional[str]) – The SMS message template sent during MFA verification. Use ‘{####}’ in the template where Cognito should insert the verification code. Default: ‘Your authentication code is {####}.’

  • mfa_second_factor (Union[MfaSecondFactor, Dict[str, Any], None]) – Configure the MFA types that users can use in this user pool. Ignored if mfa is set to OFF. Default: - { sms: true, otp: false, email: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false, email:false }, otherwise

  • passkey_relying_party_id (Optional[str]) – The authentication domain that passkey providers must use as a relying party (RP) in their configuration. Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain: - The user pool is configured for passkey authentication. - The user pool has a custom domain, whether or not it also has a prefix domain. - Your application performs authentication with managed login or the classic hosted UI. Default: - No authentication domain

  • passkey_user_verification (Optional[PasskeyUserVerification]) – Your user-pool treatment for MFA with a passkey. You can override other MFA options and require passkey MFA, or you can set it as preferred. When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in. Default: - Cognito default setting is PasskeyUserVerification.PREFERRED

  • password_policy (Union[PasswordPolicy, Dict[str, Any], None]) – Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.

  • removal_policy (Optional[RemovalPolicy]) – Policy to apply when the user pool is removed from the stack. Default: RemovalPolicy.RETAIN

  • self_sign_up_enabled (Optional[bool]) – Whether self sign-up should be enabled. To configure self sign-up configuration use the userVerification property. Default: - false

  • sign_in_aliases (Union[SignInAliases, Dict[str, Any], None]) – Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with ‘Option 1’ in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }. Default: { username: true }

  • sign_in_case_sensitive (Optional[bool]) – Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername. Default: true

  • sign_in_policy (Union[SignInPolicy, Dict[str, Any], None]) – Sign-in policy for this user pool. Default: - see defaults on each property of SignInPolicy.

  • sms_role (Optional[IRole]) – The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is created.

  • sms_role_external_id (Optional[str]) – The ‘ExternalId’ that Cognito service must be using when assuming the smsRole, if the role is restricted with an ‘sts:ExternalId’ conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if smsRole is not specified. Default: - No external id will be configured.

  • sns_region (Optional[str]) – The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time

  • standard_attributes (Union[StandardAttributes, Dict[str, Any], None]) – The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.

  • standard_threat_protection_mode (Optional[StandardThreatProtectionMode]) – The Type of Threat Protection Enabled for Standard Authentication. This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS Default: - StandardThreatProtectionMode.NO_ENFORCEMENT

  • user_invitation (Union[UserInvitationConfig, Dict[str, Any], None]) – Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfig.

  • user_pool_name (Optional[str]) – Name of the user pool. Default: - automatically generated name by CloudFormation at deploy time.

  • user_verification (Union[UserVerificationConfig, Dict[str, Any], None]) – Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the selfSignUpEnabled property. Default: - see defaults in UserVerificationConfig.

Methods

add_client(id, *, access_token_validity=None, analytics=None, auth_flows=None, auth_session_validity=None, disable_o_auth=None, enable_propagate_additional_user_context_data=None, enable_token_revocation=None, generate_secret=None, id_token_validity=None, o_auth=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_client_name=None, write_attributes=None)

Add a new app client to this user pool.

Parameters:

  • id (str) –

  • access_token_validity (Optional[Duration]) – Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • analytics (Union[AnalyticsConfiguration, Dict[str, Any], None]) – The analytics configuration for this client. Default: - no analytics configuration

  • auth_flows (Union[AuthFlow, Dict[str, Any], None]) – The set of OAuth authentication flows to enable on the client. Default: - If you don’t specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

  • auth_session_validity (Optional[Duration]) – Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in AuthSessionValidity. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)

  • disable_o_auth (Optional[bool]) – Turns off all OAuth interactions for this client. Default: false

  • enable_propagate_additional_user_context_data (Optional[bool]) – Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients

  • enable_token_revocation (Optional[bool]) – Enable token revocation for this client. Default: true for new user pool clients

  • generate_secret (Optional[bool]) – Whether to generate a client secret. Default: false

  • id_token_validity (Optional[Duration]) – Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • o_auth (Union[OAuthSettings, Dict[str, Any], None]) – OAuth settings for this client to interact with the app. An error is thrown when this is specified and disableOAuth is set. Default: - see defaults in OAuthSettings. meaningless if disableOAuth is set.

  • prevent_user_existence_errors (Optional[bool]) – Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence. Default: false

  • read_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to read. Default: - all standard and custom attributes

  • refresh_token_validity (Optional[Duration]) – Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)

  • supported_identity_providers (Optional[Sequence[UserPoolClientIdentityProvider]]) – The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

  • user_pool_client_name (Optional[str]) – Name of the application client. Default: - cloudformation generated name

  • write_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to write. Default: - all standard and custom attributes

Return type:

UserPoolClient

add_domain(id, *, cognito_domain=None, custom_domain=None, managed_login_version=None)

Associate a domain to this user pool.

Parameters:

  • id (str) –

  • cognito_domain (Union[CognitoDomainOptions, Dict[str, Any], None]) – Associate a cognito prefix domain with your user pool Either customDomain or cognitoDomain must be specified. Default: - not set if customDomain is specified, otherwise, throws an error.

  • custom_domain (Union[CustomDomainOptions, Dict[str, Any], None]) – Associate a custom domain with your user pool Either customDomain or cognitoDomain must be specified. Default: - not set if cognitoDomain is specified, otherwise, throws an error.

  • managed_login_version (Optional[ManagedLoginVersion]) – A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI

Return type:

UserPoolDomain

add_group(id, *, description=None, group_name=None, precedence=None, role=None)

Add a new group to this user pool.

Parameters:

  • id (str) –

  • description (Optional[str]) – A string containing the description of the group. Default: - no description

  • group_name (Optional[str]) – The name of the group. Must be unique. Default: - auto generate a name

  • precedence (Union[int, float, None]) – A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user’s tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn’t set in users’ tokens. Default: - null

  • role (Optional[IRole]) – The role for the group. Default: - no description

Return type:

UserPoolGroup

add_resource_server(id, *, identifier, scopes=None, user_pool_resource_server_name=None)

Add a new resource server to this user pool.

Parameters:

  • id (str) –

  • identifier (str) – A unique resource server identifier for the resource server.

  • scopes (Optional[Sequence[ResourceServerScope]]) – Oauth scopes. Default: - No scopes will be added

  • user_pool_resource_server_name (Optional[str]) – A friendly name for the resource server. Default: - same as identifier

Return type:

UserPoolResourceServer

add_trigger(operation, fn, lambda_version=None)

Add a lambda trigger to a user pool operation.

Parameters:
See:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Return type:

None

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy) –

Return type:

None

grant(grantee, *actions)

Adds an IAM policy statement associated with this user pool to an IAM principal’s policy.

Parameters:
Return type:

Grant

register_identity_provider(provider)

Register an identity provider with this user pool.

Parameters:

provider (IUserPoolIdentityProvider) –

Return type:

None

to_string()

Returns a string representation of this construct.

Return type:

str

Attributes

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

identity_providers

Get all identity providers registered with this user pool.

node

The tree node.

stack

The stack in which this resource is defined.

user_pool_arn

The ARN of the user pool.

user_pool_id

The physical ID of this user pool resource.

user_pool_provider_name

User pool provider name.

Attribute:

true

user_pool_provider_url

User pool provider URL.

Attribute:

true

Static Methods

classmethod from_user_pool_arn(scope, id, user_pool_arn)

Import an existing user pool based on its ARN.

Parameters:

  • scope (Construct) –

  • id (str) –

  • user_pool_arn (str) –

Return type:

IUserPool

classmethod from_user_pool_id(scope, id, user_pool_id)

Import an existing user pool based on its id.

Parameters:

  • scope (Construct) –

  • id (str) –

  • user_pool_id (str) –

Return type:

IUserPool

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct) –

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct) –

Return type:

bool