A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"Type" : "AWS::Cognito::UserPoolGroup",
"Properties" : {
"Description" : String,
"GroupName" : String,
"Precedence" : Integer,
"RoleArn" : String,
"UserPoolId" : String
}
}
YAML
Type: AWS::Cognito::UserPoolGroup
Properties:
Description: String
GroupName: String
Precedence: Integer
RoleArn: String
UserPoolId: String
Properties
Description-
A description of the group that you're creating.
Required: No
Type: String
Maximum:
2048Update requires: No interruption
GroupName-
A name for the group. This name must be unique in your user pool.
Required: No
Type: String
Pattern:
[\p{L}\p{M}\p{S}\p{N}\p{P}]+Minimum:
1Maximum:
128Update requires: Replacement
Precedence-
A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower
Precedencevalues take precedence over groups with higher or nullPrecedencevalues. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for thecognito:rolesandcognito:preferred_roleclaims.Two groups can have the same
Precedencevalue. If this happens, neither group takes precedence over the other. If two groups with the samePrecedencehave the same role ARN, that role is used in thecognito:preferred_roleclaim in tokens for users in each group. If the two groups have different role ARNs, thecognito:preferred_roleclaim isn't set in users' tokens.The default
Precedencevalue is null. The maximumPrecedencevalue is2^31-1.Required: No
Type: Integer
Minimum:
0Update requires: No interruption
RoleArn-
The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group. A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a
cognito:preferred_roleclaim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain acognito:groupsclaim that list all the groups that a user is a member of.Required: No
Type: String
Pattern:
arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?Minimum:
20Maximum:
2048Update requires: No interruption
UserPoolId-
The ID of the user pool where you want to create a user group.
Required: Yes
Type: String
Pattern:
[\w-]+_[0-9a-zA-Z]+Minimum:
1Maximum:
55Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the user pool group. For example:
Admins.
For more information about using the Ref function, see Ref.
Examples
Creating a new user group in a user pool
The following example creates a group named "ExampleGroup" with an IAM role and a precedence of 1.
JSON
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Provision a new user group to an Amazon Cognito user pool\n",
"Resources": {
"ExampleGroup": {
"Properties": {
"Description": "My Example Group",
"GroupName": "ExampleGroup",
"Precedence": 1,
"RoleArn": "arn:aws:iam::123456789012:role/my-test-cognito-role",
"UserPoolId": "us-west-2_EXAMPLE"
},
"Type": "AWS::Cognito::UserPoolGroup"
}
}
}YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: |
Provision a new user group to an Amazon Cognito user pool
Resources:
ExampleGroup:
Type: AWS::Cognito::UserPoolGroup
Properties:
Description: My Example Group
GroupName: ExampleGroup
Precedence: 1
RoleArn: arn:aws:iam::123456789012:role/my-test-cognito-role
UserPoolId: us-west-2_EXAMPLE