UserPoolProps

class aws_cdk.aws_cognito.UserPoolProps(*, account_recovery=None, advanced_security_mode=None, auto_verify=None, custom_attributes=None, custom_sender_kms_key=None, deletion_protection=None, device_tracking=None, email=None, enable_sms_role=None, keep_original=None, lambda_triggers=None, mfa=None, mfa_message=None, mfa_second_factor=None, password_policy=None, removal_policy=None, self_sign_up_enabled=None, sign_in_aliases=None, sign_in_case_sensitive=None, sms_role=None, sms_role_external_id=None, sns_region=None, standard_attributes=None, user_invitation=None, user_pool_name=None, user_verification=None)

Bases: object

Props for the UserPool construct.

Parameters:
  • account_recovery (Optional[AccountRecovery]) – How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

  • advanced_security_mode (Optional[AdvancedSecurityMode]) – The user pool’s Advanced Security Mode. Default: - no value

  • auto_verify (Union[AutoVerifiedAttrs, Dict[str, Any], None]) – Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

  • custom_attributes (Optional[Mapping[str, ICustomAttribute]]) – Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.

  • custom_sender_kms_key (Optional[IKey]) – This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured

  • deletion_protection (Optional[bool]) – Indicates whether the user pool should have deletion protection enabled. Default: false

  • device_tracking (Union[DeviceTracking, Dict[str, Any], None]) – Device tracking settings. Default: - see defaults on each property of DeviceTracking.

  • email (Optional[UserPoolEmail]) – Email settings for a user pool. Default: - cognito will use the default email configuration

  • enable_sms_role (Optional[bool]) – Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.

  • keep_original (Union[KeepOriginalAttrs, Dict[str, Any], None]) – Attributes which Cognito will look to handle changes to the value of your users’ email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.

  • lambda_triggers (Union[UserPoolTriggers, Dict[str, Any], None]) – Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.

  • mfa (Optional[Mfa]) – Configure whether users of this user pool can or are required to use MFA to sign in. Default: Mfa.OFF

  • mfa_message (Optional[str]) – The SMS message template sent during MFA verification. Use ‘{####}’ in the template where Cognito should insert the verification code. Default: ‘Your authentication code is {####}.’

  • mfa_second_factor (Union[MfaSecondFactor, Dict[str, Any], None]) – Configure the MFA types that users can use in this user pool. Ignored if mfa is set to OFF. Default: - { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

  • password_policy (Union[PasswordPolicy, Dict[str, Any], None]) – Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.

  • removal_policy (Optional[RemovalPolicy]) – Policy to apply when the user pool is removed from the stack. Default: RemovalPolicy.RETAIN

  • self_sign_up_enabled (Optional[bool]) – Whether self sign-up should be enabled. To configure self sign-up, use the userVerification property. Default: - false

  • sign_in_aliases (Union[SignInAliases, Dict[str, Any], None]) – Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with ‘Option 1’ in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }. Default: { username: true }

  • sign_in_case_sensitive (Optional[bool]) – Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername. Default: true

  • sms_role (Optional[IRole]) – The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is created.

  • sms_role_external_id (Optional[str]) – The ‘ExternalId’ that Cognito service must be using when assuming the smsRole, if the role is restricted with an ‘sts:ExternalId’ conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if smsRole is not specified. Default: - No external id will be configured.

  • sns_region (Optional[str]) – The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time

  • standard_attributes (Union[StandardAttributes, Dict[str, Any], None]) – The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html Default: - All standard attributes are optional and mutable.

  • user_invitation (Union[UserInvitationConfig, Dict[str, Any], None]) – Configuration around admins signing up users into a user pool. Default: - see defaults in UserInvitationConfig.

  • user_pool_name (Optional[str]) – Name of the user pool. Default: - automatically generated name by CloudFormation at deploy time.

  • user_verification (Union[UserVerificationConfig, Dict[str, Any], None]) – Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the selfSignUpEnabled property. Default: - see defaults in UserVerificationConfig.

Example:

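from aws_cdk import aws_cognito as cognito

# Inside a Stack (or other construct), where `self` is the scope:
cognito.UserPool(self, "myuserpool",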
    # ...
    self_sign_up_enabled=True,
    user_verification=cognito.UserVerificationConfig(
        email_subject="Verify your email for our awesome app!",
        email_body="Thanks for signing up to our awesome app! Your verification code is {####}",
        email_style=cognito.VerificationEmailStyle.CODE,
        sms_message="Thanks for signing up to our awesome app! Your verification code is {####}"
    )
)

Attributes

account_recovery

How will a user be able to recover their account?

Default:

AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

advanced_security_mode

The user pool’s Advanced Security Mode.

Default:
  • no value

auto_verify

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

Default:

  • If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

custom_attributes

Define a set of custom attributes that can be configured for each user in the user pool.

Default:
  • No custom attributes.

custom_sender_kms_key

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

Default:
  • no key ID configured

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

deletion_protection

Indicates whether the user pool should have deletion protection enabled.

Default:

false

device_tracking

Device tracking settings.

Default:
  • see defaults on each property of DeviceTracking.

email

Email settings for a user pool.

Default:
  • cognito will use the default email configuration

enable_sms_role

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

Default:
  • CDK will determine based on other properties of the user pool if an SMS role should be created or not.

keep_original

Attributes which Cognito will look to handle changes to the value of your users’ email address and phone number attributes.

EMAIL and PHONE are the only available options.

Default:
  • Nothing is kept.

lambda_triggers

Lambda functions to use for supported Cognito triggers.

Default:
  • No Lambda triggers.

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

mfa

Configure whether users of this user pool can or are required to use MFA to sign in.

Default:

Mfa.OFF

mfa_message

The SMS message template sent during MFA verification.

Use ‘{####}’ in the template where Cognito should insert the verification code.

Default:

‘Your authentication code is {####}.’

mfa_second_factor

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

Default:

  • { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

password_policy

Password policy for this user pool.

Default:
  • see defaults on each property of PasswordPolicy.

removal_policy

Policy to apply when the user pool is removed from the stack.

Default:

RemovalPolicy.RETAIN

self_sign_up_enabled

Whether self sign-up should be enabled.

To configure self sign-up, use the userVerification property.

Default:
  • false

sign_in_aliases

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with ‘Option 1’ in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with ‘Option 2’ in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

Default:

{ username: true }

sign_in_case_sensitive

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

Default:

true

sms_role

The IAM role that Cognito will assume while sending SMS messages.

Default:
  • a new IAM role is created.

sms_role_external_id

The ‘ExternalId’ that Cognito service must be using when assuming the smsRole, if the role is restricted with an ‘sts:ExternalId’ conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

Default:
  • No external id will be configured.

sns_region

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

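Default:
  • The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
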
standard_attributes

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

Default:
  • All standard attributes are optional and mutable.

user_invitation

Configuration around admins signing up users into a user pool.

Default:
  • see defaults in UserInvitationConfig.

user_pool_name

Name of the user pool.

Default:
  • automatically generated name by CloudFormation at deploy time.

user_verification

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Default:
  • see defaults in UserVerificationConfig.
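
An added example, not part of the CDK documentation or the aws_cdk library: a small pre-deployment check that resolves the effective settings from the defaults documented above and lists the props this page says are ignored. Plain dicts and strings stand in for the CDK types, and the `policy:` findings are an assumed review policy, not rules from the page.

```python
# Added example (not aws_cdk code): plain dicts and strings stand in for CDK types.
DEFAULTS = {  # defaults as documented on this page
    "account_recovery": "PHONE_WITHOUT_MFA_AND_EMAIL",
    "deletion_protection": False,
    "mfa": "OFF",
    "removal_policy": "RETAIN",
    "self_sign_up_enabled": False,
    "sign_in_aliases": {"username": True},
    "sign_in_case_sensitive": True,
}

def effective_props(props):
    """Resolve the values a pool ends up with once documented defaults apply."""
    eff = {**DEFAULTS, **props}
    if eff["mfa"] in ("OPTIONAL", "REQUIRED"):
        # Default second factor is SMS only when MFA is OPTIONAL or REQUIRED.
        eff["mfa_second_factor"] = props.get(
            "mfa_second_factor", {"sms": True, "otp": False})
    else:
        # mfa_second_factor is ignored when mfa is OFF.
        eff["mfa_second_factor"] = {"sms": False, "otp": False}
    # auto_verify defaults to the email/phone entries of the sign-in aliases.
    aliases = eff["sign_in_aliases"]
    eff["auto_verify"] = props.get(
        "auto_verify", {k: True for k in ("email", "phone") if aliases.get(k)})
    return eff

def review(props):
    """Return findings: ignored props (per this page) and policy flags (assumed)."""
    eff, out = effective_props(props), []
    if "mfa_second_factor" in props and eff["mfa"] == "OFF":
        out.append("ignored: mfa_second_factor (mfa is OFF)")
    if "sms_role_external_id" in props and "sms_role" not in props:
        out.append("ignored: sms_role_external_id (sms_role not specified)")
    # The checks below are an assumed review policy, not rules from the page.
    if eff["mfa"] == "OFF":
        out.append("policy: mfa resolves to OFF")
    elif eff["mfa_second_factor"] == {"sms": True, "otp": False}:
        out.append("policy: SMS is the only second factor")
    if not eff["deletion_protection"]:
        out.append("policy: deletion_protection resolves to false")
    return out

# Constructed sample: OTP was requested but mfa was left unset, so it never applies.
SAMPLE = {"mfa_second_factor": {"sms": False, "otp": True},
          "sms_role_external_id": "example-external-id"}
```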