UserPoolClient

Provides a Cognito User Pool Client resource.

Example Usage

Create a basic user pool client

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var pool = new Aws.Cognito.UserPool("pool", new Aws.Cognito.UserPoolArgs
        {
        });
        var client = new Aws.Cognito.UserPoolClient("client", new Aws.Cognito.UserPoolClientArgs
        {
            UserPoolId = pool.Id,
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cognito"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        pool, err := cognito.NewUserPool(ctx, "pool", nil)
        if err != nil {
            return err
        }
        _, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
            UserPoolId: pool.ID(),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")
client = aws.cognito.UserPoolClient("client", user_pool_id=pool.id)

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const pool = new aws.cognito.UserPool("pool", {});
const client = new aws.cognito.UserPoolClient("client", {
    userPoolId: pool.id,
});

Create a user pool client with no SRP authentication

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var pool = new Aws.Cognito.UserPool("pool", new Aws.Cognito.UserPoolArgs
        {
        });
        var client = new Aws.Cognito.UserPoolClient("client", new Aws.Cognito.UserPoolClientArgs
        {
            ExplicitAuthFlows = 
            {
                "ADMIN_NO_SRP_AUTH",
            },
            GenerateSecret = true,
            UserPoolId = pool.Id,
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cognito"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        pool, err := cognito.NewUserPool(ctx, "pool", nil)
        if err != nil {
            return err
        }
        _, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
            ExplicitAuthFlows: pulumi.StringArray{
                pulumi.String("ADMIN_NO_SRP_AUTH"),
            },
            GenerateSecret: pulumi.Bool(true),
            UserPoolId:     pool.ID(),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")
client = aws.cognito.UserPoolClient("client",
    explicit_auth_flows=["ADMIN_NO_SRP_AUTH"],
    generate_secret=True,
    user_pool_id=pool.id)

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const pool = new aws.cognito.UserPool("pool", {});
const client = new aws.cognito.UserPoolClient("client", {
    explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
    generateSecret: true,
    userPoolId: pool.id,
});

Create a user pool client with pinpoint analytics

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var current = Output.Create(Aws.GetCallerIdentity.InvokeAsync());
        var testUserPool = new Aws.Cognito.UserPool("testUserPool", new Aws.Cognito.UserPoolArgs
        {
        });
        var testApp = new Aws.Pinpoint.App("testApp", new Aws.Pinpoint.AppArgs
        {
        });
        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""cognito-idp.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var testRolePolicy = new Aws.Iam.RolePolicy("testRolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = Output.Tuple(current, testApp.ApplicationId).Apply(values =>
            {
                var current = values.Item1;
                var applicationId = values.Item2;
                return @$"{{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {{
      ""Action"": [
        ""mobiletargeting:UpdateEndpoint"",
        ""mobiletargeting:PutItems""
      ],
      ""Effect"": ""Allow"",
      ""Resource"": ""arn:aws:mobiletargeting:*:{current.AccountId}:apps/{applicationId}*""
    }}
  ]
}}

";
            }),
            Role = testRole.Id,
        });
        var testUserPoolClient = new Aws.Cognito.UserPoolClient("testUserPoolClient", new Aws.Cognito.UserPoolClientArgs
        {
            AnalyticsConfiguration = new Aws.Cognito.Inputs.UserPoolClientAnalyticsConfigurationArgs
            {
                ApplicationId = testApp.ApplicationId,
                ExternalId = "some_id",
                RoleArn = testRole.Arn,
                UserDataShared = true,
            },
            UserPoolId = testUserPool.Id,
        });
    }

}

package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cognito"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/iam"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/pinpoint"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        current, err := aws.GetCallerIdentity(ctx, nil, nil)
        if err != nil {
            return err
        }
        testUserPool, err := cognito.NewUserPool(ctx, "testUserPool", nil)
        if err != nil {
            return err
        }
        testApp, err := pinpoint.NewApp(ctx, "testApp", nil)
        if err != nil {
            return err
        }
        testRole, err := iam.NewRole(ctx, "testRole", &iam.RoleArgs{
            AssumeRolePolicy: pulumi.String(fmt.Sprintf("%v%v%v%v%v%v%v%v%v%v%v%v%v%v", "{\n", "  \"Version\": \"2012-10-17\",\n", "  \"Statement\": [\n", "    {\n", "      \"Action\": \"sts:AssumeRole\",\n", "      \"Principal\": {\n", "        \"Service\": \"cognito-idp.amazonaws.com\"\n", "      },\n", "      \"Effect\": \"Allow\",\n", "      \"Sid\": \"\"\n", "    }\n", "  ]\n", "}\n", "\n")),
        })
        if err != nil {
            return err
        }
        _, err = iam.NewRolePolicy(ctx, "testRolePolicy", &iam.RolePolicyArgs{
            Policy: testApp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
                return fmt.Sprintf("%v%v%v%v%v%v%v%v%v%v%v%v%v%v%v%v%v%v", "{\n", "  \"Version\": \"2012-10-17\",\n", "  \"Statement\": [\n", "    {\n", "      \"Action\": [\n", "        \"mobiletargeting:UpdateEndpoint\",\n", "        \"mobiletargeting:PutItems\"\n", "      ],\n", "      \"Effect\": \"Allow\",\n", "      \"Resource\": \"arn:aws:mobiletargeting:*:", current.AccountId, ":apps/", applicationId, "*\"\n", "    }\n", "  ]\n", "}\n", "\n"), nil
            }).(pulumi.StringOutput),
            Role: testRole.ID(),
        })
        if err != nil {
            return err
        }
        _, err = cognito.NewUserPoolClient(ctx, "testUserPoolClient", &cognito.UserPoolClientArgs{
            AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
                ApplicationId:  testApp.ApplicationId,
                ExternalId:     pulumi.String("some_id"),
                RoleArn:        testRole.Arn,
                UserDataShared: pulumi.Bool(true),
            },
            UserPoolId: testUserPool.ID(),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

current = aws.get_caller_identity()
test_user_pool = aws.cognito.UserPool("testUserPool")
test_app = aws.pinpoint.App("testApp")
test_role = aws.iam.Role("testRole", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
test_role_policy = aws.iam.RolePolicy("testRolePolicy",
    policy=test_app.application_id.apply(lambda application_id: f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Action": [
        "mobiletargeting:UpdateEndpoint",
        "mobiletargeting:PutItems"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:*:{current.account_id}:apps/{application_id}*"
    }}
  ]
}}

"""),
    role=test_role.id)
test_user_pool_client = aws.cognito.UserPoolClient("testUserPoolClient",
    analytics_configuration={
        "application_id": test_app.application_id,
        "external_id": "some_id",
        "role_arn": test_role.arn,
        "userDataShared": True,
    },
    user_pool_id=test_user_pool.id)

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const current = pulumi.output(aws.getCallerIdentity({ async: true }));
const testUserPool = new aws.cognito.UserPool("test", {});
const testApp = new aws.pinpoint.App("test", {});
const testRole = new aws.iam.Role("test", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
});
const testRolePolicy = new aws.iam.RolePolicy("test", {
    policy: pulumi.interpolate`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "mobiletargeting:UpdateEndpoint",
        "mobiletargeting:PutItems"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:*:${current.accountId}:apps/${testApp.applicationId}*"
    }
  ]
}
`,
    role: testRole.id,
});
const testUserPoolClient = new aws.cognito.UserPoolClient("test", {
    analyticsConfiguration: {
        applicationId: testApp.applicationId,
        externalId: "some_id",
        roleArn: testRole.arn,
        userDataShared: true,
    },
    userPoolId: testUserPool.id,
});

Create a UserPoolClient Resource

new UserPoolClient(name: string, args: UserPoolClientArgs, opts?: CustomResourceOptions);

def UserPoolClient(resource_name, opts=None, allowed_oauth_flows=None, allowed_oauth_flows_user_pool_client=None, allowed_oauth_scopes=None, analytics_configuration=None, callback_urls=None, default_redirect_uri=None, explicit_auth_flows=None, generate_secret=None, logout_urls=None, name=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_id=None, write_attributes=None, __props__=None);

func NewUserPoolClient(ctx *Context, name string, args UserPoolClientArgs, opts ...ResourceOption) (*UserPoolClient, error)

public UserPoolClient(string name, UserPoolClientArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args UserPoolClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args UserPoolClientArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args UserPoolClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

UserPoolClient Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The UserPoolClient resource accepts the following input properties:

UserPoolId string: The user pool the client belongs to.
AllowedOauthFlows List<string>: List of allowed OAuth flows (code, implicit, client_credentials).
AllowedOauthFlowsUserPoolClient bool: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AllowedOauthScopes List<string>: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
AnalyticsConfiguration UserPoolClientAnalyticsConfigurationArgs: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
CallbackUrls List<string>: List of allowed callback URLs for the identity providers.
DefaultRedirectUri string: The default redirect URI. Must be in the list of callback URLs.
ExplicitAuthFlows List<string>: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
GenerateSecret bool: Should an application secret be generated.
LogoutUrls List<string>: List of allowed logout URLs for the identity providers.
Name string: The name of the application client.
PreventUserExistenceErrors string: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
ReadAttributes List<string>: List of user pool attributes the application client can read from.
RefreshTokenValidity int: The time limit in days refresh tokens are valid for.
SupportedIdentityProviders List<string>: List of provider names for the identity providers that are supported on this client.
WriteAttributes List<string>: List of user pool attributes the application client can write to.

UserPoolId string: The user pool the client belongs to.
AllowedOauthFlows []string: List of allowed OAuth flows (code, implicit, client_credentials).
AllowedOauthFlowsUserPoolClient bool: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AllowedOauthScopes []string: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
AnalyticsConfiguration UserPoolClientAnalyticsConfiguration: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
CallbackUrls []string: List of allowed callback URLs for the identity providers.
DefaultRedirectUri string: The default redirect URI. Must be in the list of callback URLs.
ExplicitAuthFlows []string: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
GenerateSecret bool: Should an application secret be generated.
LogoutUrls []string: List of allowed logout URLs for the identity providers.
Name string: The name of the application client.
PreventUserExistenceErrors string: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
ReadAttributes []string: List of user pool attributes the application client can read from.
RefreshTokenValidity int: The time limit in days refresh tokens are valid for.
SupportedIdentityProviders []string: List of provider names for the identity providers that are supported on this client.
WriteAttributes []string: List of user pool attributes the application client can write to.

userPoolId string: The user pool the client belongs to.
allowedOauthFlows string[]: List of allowed OAuth flows (code, implicit, client_credentials).
allowedOauthFlowsUserPoolClient boolean: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowedOauthScopes string[]: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analyticsConfiguration UserPoolClientAnalyticsConfiguration: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
callbackUrls string[]: List of allowed callback URLs for the identity providers.
defaultRedirectUri string: The default redirect URI. Must be in the list of callback URLs.
explicitAuthFlows string[]: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generateSecret boolean: Should an application secret be generated.
logoutUrls string[]: List of allowed logout URLs for the identity providers.
name string: The name of the application client.
preventUserExistenceErrors string: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
readAttributes string[]: List of user pool attributes the application client can read from.
refreshTokenValidity number: The time limit in days refresh tokens are valid for.
supportedIdentityProviders string[]: List of provider names for the identity providers that are supported on this client.
writeAttributes string[]: List of user pool attributes the application client can write to.

user_pool_id str: The user pool the client belongs to.
allowed_oauth_flows List[str]: List of allowed OAuth flows (code, implicit, client_credentials).
allowed_oauth_flows_user_pool_client bool: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowed_oauth_scopes List[str]: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analytics_configuration Dict[UserPoolClientAnalyticsConfiguration]: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
callback_urls List[str]: List of allowed callback URLs for the identity providers.
default_redirect_uri str: The default redirect URI. Must be in the list of callback URLs.
explicit_auth_flows List[str]: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generate_secret bool: Should an application secret be generated.
logout_urls List[str]: List of allowed logout URLs for the identity providers.
name str: The name of the application client.
prevent_user_existence_errors str: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
read_attributes List[str]: List of user pool attributes the application client can read from.
refresh_token_validity float: The time limit in days refresh tokens are valid for.
supported_identity_providers List[str]: List of provider names for the identity providers that are supported on this client.
write_attributes List[str]: List of user pool attributes the application client can write to.

Outputs

All input properties are implicitly available as output properties. Additionally, the UserPoolClient resource produces the following output properties:

ClientSecret string: The client secret of the user pool client.
Id string: The provider-assigned unique ID for this managed resource.

ClientSecret string: The client secret of the user pool client.
Id string: The provider-assigned unique ID for this managed resource.

clientSecret string: The client secret of the user pool client.
id string: The provider-assigned unique ID for this managed resource.

client_secret str: The client secret of the user pool client.
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing UserPoolClient Resource

Get an existing UserPoolClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: UserPoolClientState, opts?: CustomResourceOptions): UserPoolClient

static get(resource_name, id, opts=None, allowed_oauth_flows=None, allowed_oauth_flows_user_pool_client=None, allowed_oauth_scopes=None, analytics_configuration=None, callback_urls=None, client_secret=None, default_redirect_uri=None, explicit_auth_flows=None, generate_secret=None, logout_urls=None, name=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_id=None, write_attributes=None, __props__=None);

func GetUserPoolClient(ctx *Context, name string, id IDInput, state *UserPoolClientState, opts ...ResourceOption) (*UserPoolClient, error)

public static UserPoolClient Get(string name, Input<string> id, UserPoolClientState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowedOauthFlows List<string>: List of allowed OAuth flows (code, implicit, client_credentials).
AllowedOauthFlowsUserPoolClient bool: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AllowedOauthScopes List<string>: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
AnalyticsConfiguration UserPoolClientAnalyticsConfigurationArgs: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
CallbackUrls List<string>: List of allowed callback URLs for the identity providers.
ClientSecret string: The client secret of the user pool client.
DefaultRedirectUri string: The default redirect URI. Must be in the list of callback URLs.
ExplicitAuthFlows List<string>: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
GenerateSecret bool: Should an application secret be generated.
LogoutUrls List<string>: List of allowed logout URLs for the identity providers.
Name string: The name of the application client.
PreventUserExistenceErrors string: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
ReadAttributes List<string>: List of user pool attributes the application client can read from.
RefreshTokenValidity int: The time limit in days refresh tokens are valid for.
SupportedIdentityProviders List<string>: List of provider names for the identity providers that are supported on this client.
UserPoolId string: The user pool the client belongs to.
WriteAttributes List<string>: List of user pool attributes the application client can write to.

AllowedOauthFlows []string: List of allowed OAuth flows (code, implicit, client_credentials).
AllowedOauthFlowsUserPoolClient bool: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AllowedOauthScopes []string: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
AnalyticsConfiguration UserPoolClientAnalyticsConfiguration: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
CallbackUrls []string: List of allowed callback URLs for the identity providers.
ClientSecret string: The client secret of the user pool client.
DefaultRedirectUri string: The default redirect URI. Must be in the list of callback URLs.
ExplicitAuthFlows []string: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
GenerateSecret bool: Should an application secret be generated.
LogoutUrls []string: List of allowed logout URLs for the identity providers.
Name string: The name of the application client.
PreventUserExistenceErrors string: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
ReadAttributes []string: List of user pool attributes the application client can read from.
RefreshTokenValidity int: The time limit in days refresh tokens are valid for.
SupportedIdentityProviders []string: List of provider names for the identity providers that are supported on this client.
UserPoolId string: The user pool the client belongs to.
WriteAttributes []string: List of user pool attributes the application client can write to.

allowedOauthFlows string[]: List of allowed OAuth flows (code, implicit, client_credentials).
allowedOauthFlowsUserPoolClient boolean: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowedOauthScopes string[]: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analyticsConfiguration UserPoolClientAnalyticsConfiguration: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
callbackUrls string[]: List of allowed callback URLs for the identity providers.
clientSecret string: The client secret of the user pool client.
defaultRedirectUri string: The default redirect URI. Must be in the list of callback URLs.
explicitAuthFlows string[]: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generateSecret boolean: Should an application secret be generated.
logoutUrls string[]: List of allowed logout URLs for the identity providers.
name string: The name of the application client.
preventUserExistenceErrors string: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
readAttributes string[]: List of user pool attributes the application client can read from.
refreshTokenValidity number: The time limit in days refresh tokens are valid for.
supportedIdentityProviders string[]: List of provider names for the identity providers that are supported on this client.
userPoolId string: The user pool the client belongs to.
writeAttributes string[]: List of user pool attributes the application client can write to.

allowed_oauth_flows List[str]: List of allowed OAuth flows (code, implicit, client_credentials).
allowed_oauth_flows_user_pool_client bool: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowed_oauth_scopes List[str]: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analytics_configuration Dict[UserPoolClientAnalyticsConfiguration]: The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
callback_urls List[str]: List of allowed callback URLs for the identity providers.
client_secret str: The client secret of the user pool client.
default_redirect_uri str: The default redirect URI. Must be in the list of callback URLs.
explicit_auth_flows List[str]: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generate_secret bool: Should an application secret be generated.
logout_urls List[str]: List of allowed logout URLs for the identity providers.
name str: The name of the application client.
prevent_user_existence_errors str: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
read_attributes List[str]: List of user pool attributes the application client can read from.
refresh_token_validity float: The time limit in days refresh tokens are valid for.
supported_identity_providers List[str]: List of provider names for the identity providers that are supported on this client.
user_pool_id str: The user pool the client belongs to.
write_attributes List[str]: List of user pool attributes the application client can write to.

Supporting Types

UserPoolClientAnalyticsConfiguration

See the input and output API doc for this type.

ApplicationId string: The application ID for an Amazon Pinpoint application.
ExternalId string: An ID for the Analytics Configuration.
RoleArn string: The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
UserDataShared bool: If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

ApplicationId string: The application ID for an Amazon Pinpoint application.
ExternalId string: An ID for the Analytics Configuration.
RoleArn string: The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
UserDataShared bool: If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

applicationId string: The application ID for an Amazon Pinpoint application.
externalId string: An ID for the Analytics Configuration.
roleArn string: The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
userDataShared boolean: If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

application_id str: The application ID for an Amazon Pinpoint application.
externalId str: An ID for the Analytics Configuration.
role_arn str: The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
userDataShared bool: If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud