UserPoolProps
- class aws_cdk.aws_cognito.UserPoolProps(*, account_recovery=None, advanced_security_mode=None, auto_verify=None, custom_attributes=None, custom_sender_kms_key=None, deletion_protection=None, device_tracking=None, email=None, enable_sms_role=None, keep_original=None, lambda_triggers=None, mfa=None, mfa_message=None, mfa_second_factor=None, password_policy=None, removal_policy=None, self_sign_up_enabled=None, sign_in_aliases=None, sign_in_case_sensitive=None, sms_role=None, sms_role_external_id=None, sns_region=None, standard_attributes=None, user_invitation=None, user_pool_name=None, user_verification=None)
Bases: object
Props for the UserPool construct.
- Parameters:
  - account_recovery (Optional[AccountRecovery]) – How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
  - advanced_security_mode (Optional[AdvancedSecurityMode]) – The user pool’s Advanced Security Mode. Default: - no value
  - auto_verify (Union[AutoVerifiedAttrs, Dict[str, Any], None]) – Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.
  - custom_attributes (Optional[Mapping[str, ICustomAttribute]]) – Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
  - custom_sender_kms_key (Optional[IKey]) – This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
  - deletion_protection (Optional[bool]) – Indicates whether the user pool should have deletion protection enabled. Default: false
  - device_tracking (Union[DeviceTracking, Dict[str, Any], None]) – Device tracking settings. Default: - see defaults on each property of DeviceTracking.
  - email (Optional[UserPoolEmail]) – Email settings for a user pool. Default: - cognito will use the default email configuration
  - enable_sms_role (Optional[bool]) – Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
  - keep_original (Union[KeepOriginalAttrs, Dict[str, Any], None]) – Attributes which Cognito will look to handle changes to the value of your users’ email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.
  - lambda_triggers (Union[UserPoolTriggers, Dict[str, Any], None]) – Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.
  - mfa (Optional[Mfa]) – Configure whether users of this user pool can or are required to use MFA to sign in. Default: Mfa.OFF
  - mfa_message (Optional[str]) – The SMS message template sent during MFA verification. Use ‘{####}’ in the template where Cognito should insert the verification code. Default: ‘Your authentication code is {####}.’
  - mfa_second_factor (Union[MfaSecondFactor, Dict[str, Any], None]) – Configure the MFA types that users can use in this user pool. Ignored if mfa is set to OFF. Default: - { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise
  - password_policy (Union[PasswordPolicy, Dict[str, Any], None]) – Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.
  - removal_policy (Optional[RemovalPolicy]) – Policy to apply when the user pool is removed from the stack. Default: RemovalPolicy.RETAIN
  - self_sign_up_enabled (Optional[bool]) – Whether self sign-up should be enabled. To configure self sign-up configuration use the userVerification property. Default: - false
  - sign_in_aliases (Union[SignInAliases, Dict[str, Any], None]) – Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with ‘Option 1’ in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }. Default: { username: true }
  - sign_in_case_sensitive (Optional[bool]) – Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername. Default: true
  - sms_role (Optional[IRole]) – The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is created.
  - sms_role_external_id (Optional[str]) – The ‘ExternalId’ that Cognito service must be using when assuming the smsRole, if the role is restricted with an ‘sts:ExternalId’ conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if smsRole is not specified. Default: - No external id will be configured.
  - sns_region (Optional[str]) – The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
  - standard_attributes (Union[StandardAttributes, Dict[str, Any], None]) – The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.
  - user_invitation (Union[UserInvitationConfig, Dict[str, Any], None]) – Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfig.
  - user_pool_name (Optional[str]) – Name of the user pool. Default: - automatically generated name by CloudFormation at deploy time.
  - user_verification (Union[UserVerificationConfig, Dict[str, Any], None]) – Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the selfSignUpEnabled property. Default: - see defaults in UserVerificationConfig.
Example:

    cognito.UserPool(self, "myuserpool",
        # ...
        self_sign_up_enabled=True,
        user_verification=cognito.UserVerificationConfig(
            email_subject="Verify your email for our awesome app!",
            email_body="Thanks for signing up to our awesome app! Your verification code is {####}",
            email_style=cognito.VerificationEmailStyle.CODE,
            sms_message="Thanks for signing up to our awesome app! Your verification code is {####}"
        )
    )

Attributes
- account_recovery
How will a user be able to recover their account?
- Default:
AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
- advanced_security_mode
The user pool’s Advanced Security Mode.
- Default:
no value
- auto_verify
Attributes which Cognito will look to verify automatically upon user sign up.
EMAIL and PHONE are the only available options.
- Default:
If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default.
If absent, no attributes will be auto-verified.
- custom_attributes
Define a set of custom attributes that can be configured for each user in the user pool.
- Default:
No custom attributes.
- custom_sender_kms_key
This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
- Default:
no key ID configured
- deletion_protection
Indicates whether the user pool should have deletion protection enabled.
- Default:
false
- device_tracking
Device tracking settings.
- Default:
see defaults on each property of DeviceTracking.
- email
Email settings for a user pool.
- Default:
cognito will use the default email configuration
- enable_sms_role
Setting this would explicitly enable or disable SMS role creation.
When left unspecified, CDK will determine based on other properties if a role is needed or not.
- Default:
CDK will determine based on other properties of the user pool if an SMS role should be created or not.
- keep_original
Attributes which Cognito will look to handle changes to the value of your users’ email address and phone number attributes.
EMAIL and PHONE are the only available options.
- Default:
Nothing is kept.
- lambda_triggers
Lambda functions to use for supported Cognito triggers.
- Default:
No Lambda triggers.
- mfa
Configure whether users of this user pool can or are required to use MFA to sign in.
- Default:
Mfa.OFF
- mfa_message
The SMS message template sent during MFA verification.
Use ‘{####}’ in the template where Cognito should insert the verification code.
- Default:
‘Your authentication code is {####}.’
- mfa_second_factor
Configure the MFA types that users can use in this user pool.
Ignored if mfa is set to OFF.
- Default:
{ sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED.
{ sms: false, otp: false }, otherwise
- password_policy
Password policy for this user pool.
- Default:
see defaults on each property of PasswordPolicy.
- removal_policy
Policy to apply when the user pool is removed from the stack.
- Default:
RemovalPolicy.RETAIN
- self_sign_up_enabled
Whether self sign-up should be enabled.
To configure self sign-up configuration use the userVerification property.
- Default:
false
- sign_in_aliases
Methods in which a user registers or signs in to a user pool.
Allows either username with aliases OR sign in with email, phone, or both.
Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
To match with ‘Option 1’ in the above link, with a verified email, this property should be set to { username: true, email: true }.
To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.
- Default:
{ username: true }
- sign_in_case_sensitive
Whether sign-in aliases should be evaluated with case sensitivity.
For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.
- Default:
true
- sms_role
The IAM role that Cognito will assume while sending SMS messages.
- Default:
a new IAM role is created.
- sms_role_external_id
The ‘ExternalId’ that Cognito service must be using when assuming the smsRole, if the role is restricted with an ‘sts:ExternalId’ conditional.
Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
This property will be ignored if smsRole is not specified.
- Default:
No external id will be configured.
- sns_region
The region to integrate with SNS to send SMS messages.
This property will do nothing if SMS configuration is not configured.
- Default:
The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
- standard_attributes
The set of attributes that are required for every user in the user pool.
Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
- Default:
All standard attributes are optional and mutable.
- user_invitation
Configuration around admins signing up users into a user pool.
- Default:
see defaults in UserInvitationConfig.
- user_pool_name
Name of the user pool.
- Default:
automatically generated name by CloudFormation at deploy time.
- user_verification
Configuration around users signing themselves up to the user pool.
Enable or disable self sign-up via the selfSignUpEnabled property.
- Default:
see defaults in UserVerificationConfig.
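
Several defaults listed above leave a protection off unless it is set explicitly (mfa is Mfa.OFF, otp is false, advanced_security_mode has no value, deletion_protection is false). The following is an added example, not code from the CDK documentation: it goes one step beyond the props and audits a synthesized CloudFormation template for user pools still on those defaults. The CloudFormation property names it reads (MfaConfiguration, EnabledMfas, UserPoolAddOns.AdvancedSecurityMode, DeletionProtection) are assumptions about how these props are rendered, and the sample template is constructed.

```python
def _get(props, *path, default=None):
    """Walk nested dicts; return default when any key on the path is missing."""
    for key in path:
        if not isinstance(props, dict) or key not in props:
            return default
        props = props[key]
    return props

def _mfa_on(p):
    return _get(p, "MfaConfiguration", default="OFF") != "OFF"

# (UserPoolProps name, predicate True when acceptable, finding); CFN names are assumed.
CHECKS = [
    ("mfa", _mfa_on, "MFA is off (Mfa.OFF is the default)"),
    ("mfa_second_factor",  # ignored when MFA is off, as the props reference states
     lambda p: not _mfa_on(p) or "SOFTWARE_TOKEN_MFA" in _get(p, "EnabledMfas", default=[]),
     "MFA is on but only SMS is offered (otp defaults to false)"),
    ("advanced_security_mode",
     lambda p: _get(p, "UserPoolAddOns", "AdvancedSecurityMode") in ("AUDIT", "ENFORCED"),
     "advanced security mode is unset or OFF"),
    ("deletion_protection", lambda p: _get(p, "DeletionProtection") == "ACTIVE",
     "deletion protection is not enabled (default false)"),
]

def audit_user_pools(template):
    """Return {logical_id: [(prop, finding), ...]} for pools that fail a check."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Cognito::UserPool":
            props = res.get("Properties") or {}
            failed = [(name, msg) for name, ok, msg in CHECKS if not ok(props)]
            if failed:
                report[logical_id] = failed
    return report

# Constructed sample template (not real synthesized output).
_BASE = {"MfaConfiguration": "ON", "DeletionProtection": "ACTIVE",
         "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}}
SAMPLE_TEMPLATE = {"Resources": {
    "DefaultPool": {"Type": "AWS::Cognito::UserPool", "Properties": {}},
    "SmsOnlyPool": {"Type": "AWS::Cognito::UserPool",
                    "Properties": {**_BASE, "EnabledMfas": ["SMS_MFA"]}},
    "HardenedPool": {"Type": "AWS::Cognito::UserPool",
                     "Properties": {**_BASE, "EnabledMfas": ["SMS_MFA", "SOFTWARE_TOKEN_MFA"]}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    print(audit_user_pools(SAMPLE_TEMPLATE))
```

A check like this can run in CI against the JSON template that `cdk synth` writes, so a pool that silently falls back to a default fails the build.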