CreateUserPool - Amazon Cognito

CreateUserPool

Creates a new Amazon Cognito user pool and sets the password policy for the pool.

Note

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.

Request Syntax

{ "AccountRecoverySetting": { "RecoveryMechanisms": [ { "Name": "string", "Priority": number } ] }, "AdminCreateUserConfig": { "AllowAdminCreateUserOnly": boolean, "InviteMessageTemplate": { "EmailMessage": "string", "EmailSubject": "string", "SMSMessage": "string" }, "UnusedAccountValidityDays": number }, "AliasAttributes": [ "string" ], "AutoVerifiedAttributes": [ "string" ], "DeviceConfiguration": { "ChallengeRequiredOnNewDevice": boolean, "DeviceOnlyRememberedOnUserPrompt": boolean }, "EmailConfiguration": { "ConfigurationSet": "string", "EmailSendingAccount": "string", "From": "string", "ReplyToEmailAddress": "string", "SourceArn": "string" }, "EmailVerificationMessage": "string", "EmailVerificationSubject": "string", "LambdaConfig": { "CreateAuthChallenge": "string", "CustomEmailSender": { "LambdaArn": "string", "LambdaVersion": "string" }, "CustomMessage": "string", "CustomSMSSender": { "LambdaArn": "string", "LambdaVersion": "string" }, "DefineAuthChallenge": "string", "KMSKeyID": "string", "PostAuthentication": "string", "PostConfirmation": "string", "PreAuthentication": "string", "PreSignUp": "string", "PreTokenGeneration": "string", "UserMigration": "string", "VerifyAuthChallengeResponse": "string" }, "MfaConfiguration": "string", "Policies": { "PasswordPolicy": { "MinimumLength": number, "RequireLowercase": boolean, "RequireNumbers": boolean, "RequireSymbols": boolean, "RequireUppercase": boolean, "TemporaryPasswordValidityDays": number } }, "PoolName": "string", "Schema": [ { "AttributeDataType": "string", "DeveloperOnlyAttribute": boolean, "Mutable": boolean, "Name": "string", "NumberAttributeConstraints": { "MaxValue": "string", "MinValue": "string" }, "Required": boolean, "StringAttributeConstraints": { "MaxLength": "string", "MinLength": "string" } } ], "SmsAuthenticationMessage": "string", "SmsConfiguration": { "ExternalId": "string", "SnsCallerArn": "string", "SnsRegion": "string" }, "SmsVerificationMessage": "string", "UserAttributeUpdateSettings": { "AttributesRequireVerificationBeforeUpdate": [ "string" ] }, "UsernameAttributes": [ "string" ], "UsernameConfiguration": { "CaseSensitive": boolean }, "UserPoolAddOns": { "AdvancedSecurityMode": "string" }, "UserPoolTags": { "string" : "string" }, "VerificationMessageTemplate": { "DefaultEmailOption": "string", "EmailMessage": "string", "EmailMessageByLink": "string", "EmailSubject": "string", "EmailSubjectByLink": "string", "SmsMessage": "string" } }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

AccountRecoverySetting

The available verified method a user can use to recover their password when they call ForgotPassword. You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.

Type: AccountRecoverySettingType object

Required: No

AdminCreateUserConfig

The configuration for AdminCreateUser requests.

Type: AdminCreateUserConfigType object

Required: No

AliasAttributes

Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username.

Type: Array of strings

Valid Values: phone_number | email | preferred_username

Required: No

AutoVerifiedAttributes

The attributes to be auto-verified. Possible values: email, phone_number.

Type: Array of strings

Valid Values: phone_number | email

Required: No

DeviceConfiguration

The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

Note

When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

Type: DeviceConfigurationType object

Required: No

EmailConfiguration

The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.

Type: EmailConfigurationType object

Required: No

EmailVerificationMessage

This parameter is no longer used. See VerificationMessageTemplateType.

Type: String

Length Constraints: Minimum length of 6. Maximum length of 20000.

Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{####\}[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*

Required: No

EmailVerificationSubject

This parameter is no longer used. See VerificationMessageTemplateType.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 140.

Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s]+

Required: No

LambdaConfig

The Lambda trigger configuration information for the new user pool.

Note

In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function.

For more information on using the Lambda API to add permission, see AddPermission .

For adding permission using the AWS CLI, see add-permission .

Type: LambdaConfigType object

Required: No

MfaConfiguration

Specifies MFA configuration details.

Type: String

Valid Values: OFF | ON | OPTIONAL

Required: No

Policies

The policies associated with the new user pool.

Type: UserPoolPolicyType object

Required: No

PoolName

A string used to name the user pool.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w\s+=,.@-]+

Required: Yes

Schema

An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.

Type: Array of SchemaAttributeType objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

SmsAuthenticationMessage

A string representing the SMS authentication message.

Type: String

Length Constraints: Minimum length of 6. Maximum length of 140.

Pattern: .*\{####\}.*

Required: No

SmsConfiguration

The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account.

Type: SmsConfigurationType object

Required: No

SmsVerificationMessage

This parameter is no longer used. See VerificationMessageTemplateType.

Type: String

Length Constraints: Minimum length of 6. Maximum length of 140.

Pattern: .*\{####\}.*

Required: No

UserAttributeUpdateSettings

The settings for updates to user attributes. These settings include the property AttributesRequireVerificationBeforeUpdate, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see Verifying updates to email addresses and phone numbers.

Type: UserAttributeUpdateSettingsType object

Required: No

UsernameAttributes

Specifies whether a user can use an email address or phone number as a username when they sign up.

Type: Array of strings

Valid Values: phone_number | email

Required: No

UsernameConfiguration

Case sensitivity on the username input for the selected sign-in option. For example, when case sensitivity is set to False, users can sign in using either "username" or "Username". This configuration is immutable once it has been set. For more information, see UsernameConfigurationType.

Type: UsernameConfigurationType object

Required: No

UserPoolAddOns

Enables advanced security risk detection. Set the key AdvancedSecurityMode to the value "AUDIT".

Type: UserPoolAddOnsType object

Required: No

UserPoolTags

The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.

Type: String to string map

Key Length Constraints: Minimum length of 1. Maximum length of 128.

Value Length Constraints: Minimum length of 0. Maximum length of 256.

Required: No

VerificationMessageTemplate

The template for the verification message that the user sees when the app requests permission to access the user's information.

Type: VerificationMessageTemplateType object

Required: No

Response Syntax

{ "UserPool": { "AccountRecoverySetting": { "RecoveryMechanisms": [ { "Name": "string", "Priority": number } ] }, "AdminCreateUserConfig": { "AllowAdminCreateUserOnly": boolean, "InviteMessageTemplate": { "EmailMessage": "string", "EmailSubject": "string", "SMSMessage": "string" }, "UnusedAccountValidityDays": number }, "AliasAttributes": [ "string" ], "Arn": "string", "AutoVerifiedAttributes": [ "string" ], "CreationDate": number, "CustomDomain": "string", "DeviceConfiguration": { "ChallengeRequiredOnNewDevice": boolean, "DeviceOnlyRememberedOnUserPrompt": boolean }, "Domain": "string", "EmailConfiguration": { "ConfigurationSet": "string", "EmailSendingAccount": "string", "From": "string", "ReplyToEmailAddress": "string", "SourceArn": "string" }, "EmailConfigurationFailure": "string", "EmailVerificationMessage": "string", "EmailVerificationSubject": "string", "EstimatedNumberOfUsers": number, "Id": "string", "LambdaConfig": { "CreateAuthChallenge": "string", "CustomEmailSender": { "LambdaArn": "string", "LambdaVersion": "string" }, "CustomMessage": "string", "CustomSMSSender": { "LambdaArn": "string", "LambdaVersion": "string" }, "DefineAuthChallenge": "string", "KMSKeyID": "string", "PostAuthentication": "string", "PostConfirmation": "string", "PreAuthentication": "string", "PreSignUp": "string", "PreTokenGeneration": "string", "UserMigration": "string", "VerifyAuthChallengeResponse": "string" }, "LastModifiedDate": number, "MfaConfiguration": "string", "Name": "string", "Policies": { "PasswordPolicy": { "MinimumLength": number, "RequireLowercase": boolean, "RequireNumbers": boolean, "RequireSymbols": boolean, "RequireUppercase": boolean, "TemporaryPasswordValidityDays": number } }, "SchemaAttributes": [ { "AttributeDataType": "string", "DeveloperOnlyAttribute": boolean, "Mutable": boolean, "Name": "string", "NumberAttributeConstraints": { "MaxValue": "string", "MinValue": "string" }, "Required": boolean, "StringAttributeConstraints": { "MaxLength": "string", "MinLength": "string" } } ], "SmsAuthenticationMessage": "string", "SmsConfiguration": { "ExternalId": "string", "SnsCallerArn": "string", "SnsRegion": "string" }, "SmsConfigurationFailure": "string", "SmsVerificationMessage": "string", "Status": "string", "UserAttributeUpdateSettings": { "AttributesRequireVerificationBeforeUpdate": [ "string" ] }, "UsernameAttributes": [ "string" ], "UsernameConfiguration": { "CaseSensitive": boolean }, "UserPoolAddOns": { "AdvancedSecurityMode": "string" }, "UserPoolTags": { "string" : "string" }, "VerificationMessageTemplate": { "DefaultEmailOption": "string", "EmailMessage": "string", "EmailMessageByLink": "string", "EmailSubject": "string", "EmailSubjectByLink": "string", "SmsMessage": "string" } } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

UserPool

A container for the user pool details.

Type: UserPoolType object

Errors

For information about the errors that are common to all actions, see Common Errors.

InternalErrorException

This exception is thrown when Amazon Cognito encounters an internal error.

HTTP Status Code: 500

InvalidEmailRoleAccessPolicyException

This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.

HTTP Status Code: 400

InvalidParameterException

This exception is thrown when the Amazon Cognito service encounters an invalid parameter.

HTTP Status Code: 400

InvalidSmsRoleAccessPolicyException

This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.

HTTP Status Code: 400

InvalidSmsRoleTrustRelationshipException

This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust cognito-idp.amazonaws.com or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.

HTTP Status Code: 400

LimitExceededException

This exception is thrown when a user exceeds the limit for a requested AWS resource.

HTTP Status Code: 400

NotAuthorizedException

This exception is thrown when a user isn't authorized.

HTTP Status Code: 400

TooManyRequestsException

This exception is thrown when the user has made too many requests for a given operation.

HTTP Status Code: 400

UserPoolTaggingException

This exception is thrown when a user pool tag can't be set or updated.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: