This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

cognito¶

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.cognito.AwaitableGetUserPoolsResult(arns=None, id=None, ids=None, name=None)¶

class pulumi_aws.cognito.GetUserPoolsResult(arns=None, id=None, ids=None, name=None)¶

A collection of values returned by getUserPools.

id = None¶: The provider-assigned unique ID for this managed resource.

ids = None¶: The list of cognito user pool ids.

class pulumi_aws.cognito.IdentityPool(resource_name, opts=None, allow_unauthenticated_identities=None, cognito_identity_providers=None, developer_provider_name=None, identity_pool_name=None, openid_connect_provider_arns=None, saml_provider_arns=None, supported_login_providers=None, tags=None, __props__=None, __name__=None, __opts__=None)¶

Provides an AWS Cognito Identity Pool.

import pulumi
import pulumi_aws as aws

default = aws.iam.SamlProvider("default", saml_metadata_document=(lambda path: open(path).read())("saml-metadata.xml"))
main = aws.cognito.IdentityPool("main",
    allow_unauthenticated_identities=False,
    cognito_identity_providers=[
        {
            "client_id": "6lhlkkfbfb4q5kpp90urffae",
            "provider_name": "cognito-idp.us-east-1.amazonaws.com/us-east-1_Tv0493apJ",
            "serverSideTokenCheck": False,
        },
        {
            "client_id": "7kodkvfqfb4qfkp39eurffae",
            "provider_name": "cognito-idp.us-east-1.amazonaws.com/eu-west-1_Zr231apJu",
            "serverSideTokenCheck": False,
        },
    ],
    identity_pool_name="identity pool",
    openid_connect_provider_arns=["arn:aws:iam::123456789012:oidc-provider/foo.example.com"],
    saml_provider_arns=[default.arn],
    supported_login_providers={
        "accounts.google.com": "123456789012.apps.googleusercontent.com",
        "graph.facebook.com": "7346241598935552",
    })

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
allow_unauthenticated_identities (pulumi.Input[bool]) – Whether the identity pool supports unauthenticated logins or not.
cognito_identity_providers (pulumi.Input[list]) – An array of Amazon Cognito Identity user pools and their client IDs.
developer_provider_name (pulumi.Input[str]) – The “domain” by which Cognito will refer to your users. This name acts as a placeholder that allows your backend and the Cognito service to communicate about the developer provider.
identity_pool_name (pulumi.Input[str]) – The Cognito Identity Pool name.
openid_connect_provider_arns (pulumi.Input[list]) – A list of OpendID Connect provider ARNs.
saml_provider_arns (pulumi.Input[list]) – An array of Amazon Resource Names (ARNs) of the SAML provider for your identity.
supported_login_providers (pulumi.Input[dict]) – Key-Value pairs mapping provider names to provider app IDs.
tags (pulumi.Input[dict]) – A map of tags to assign to the Identity Pool.

The cognito_identity_providers object supports the following:

client_id (pulumi.Input[str]) - The client ID for the Amazon Cognito Identity User Pool.
provider_name (pulumi.Input[str]) - The provider name for an Amazon Cognito Identity User Pool.
serverSideTokenCheck (pulumi.Input[bool]) - Whether server-side token validation is enabled for the identity provider’s token or not.

allow_unauthenticated_identities: pulumi.Output[bool] = None¶: Whether the identity pool supports unauthenticated logins or not.

arn: pulumi.Output[str] = None¶: The ARN of the identity pool.

cognito_identity_providers: pulumi.Output[list] = None¶

An array of Amazon Cognito Identity user pools and their client IDs.

client_id (str) - The client ID for the Amazon Cognito Identity User Pool.
provider_name (str) - The provider name for an Amazon Cognito Identity User Pool.
serverSideTokenCheck (bool) - Whether server-side token validation is enabled for the identity provider’s token or not.

developer_provider_name: pulumi.Output[str] = None¶: The “domain” by which Cognito will refer to your users. This name acts as a placeholder that allows your backend and the Cognito service to communicate about the developer provider.

identity_pool_name: pulumi.Output[str] = None¶: The Cognito Identity Pool name.

openid_connect_provider_arns: pulumi.Output[list] = None¶: A list of OpendID Connect provider ARNs.

saml_provider_arns: pulumi.Output[list] = None¶: An array of Amazon Resource Names (ARNs) of the SAML provider for your identity.

supported_login_providers: pulumi.Output[dict] = None¶: Key-Value pairs mapping provider names to provider app IDs.

tags: pulumi.Output[dict] = None¶: A map of tags to assign to the Identity Pool.

static get(resource_name, id, opts=None, allow_unauthenticated_identities=None, arn=None, cognito_identity_providers=None, developer_provider_name=None, identity_pool_name=None, openid_connect_provider_arns=None, saml_provider_arns=None, supported_login_providers=None, tags=None)¶

Get an existing IdentityPool resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
allow_unauthenticated_identities (pulumi.Input[bool]) – Whether the identity pool supports unauthenticated logins or not.
arn (pulumi.Input[str]) – The ARN of the identity pool.
cognito_identity_providers (pulumi.Input[list]) – An array of Amazon Cognito Identity user pools and their client IDs.
developer_provider_name (pulumi.Input[str]) – The “domain” by which Cognito will refer to your users. This name acts as a placeholder that allows your backend and the Cognito service to communicate about the developer provider.
identity_pool_name (pulumi.Input[str]) – The Cognito Identity Pool name.
openid_connect_provider_arns (pulumi.Input[list]) – A list of OpendID Connect provider ARNs.
saml_provider_arns (pulumi.Input[list]) – An array of Amazon Resource Names (ARNs) of the SAML provider for your identity.
supported_login_providers (pulumi.Input[dict]) – Key-Value pairs mapping provider names to provider app IDs.
tags (pulumi.Input[dict]) – A map of tags to assign to the Identity Pool.

The cognito_identity_providers object supports the following:

client_id (pulumi.Input[str]) - The client ID for the Amazon Cognito Identity User Pool.
provider_name (pulumi.Input[str]) - The provider name for an Amazon Cognito Identity User Pool.
serverSideTokenCheck (pulumi.Input[bool]) - Whether server-side token validation is enabled for the identity provider’s token or not.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.IdentityPoolRoleAttachment(resource_name, opts=None, identity_pool_id=None, role_mappings=None, roles=None, __props__=None, __name__=None, __opts__=None)¶

Provides an AWS Cognito Identity Pool Roles Attachment.

import pulumi
import pulumi_aws as aws

main_identity_pool = aws.cognito.IdentityPool("mainIdentityPool",
    allow_unauthenticated_identities=False,
    identity_pool_name="identity pool",
    supported_login_providers={
        "graph.facebook.com": "7346241598935555",
    })
authenticated_role = aws.iam.Role("authenticatedRole", assume_role_policy=main_identity_pool.id.apply(lambda id: f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Effect": "Allow",
      "Principal": {{
        "Federated": "cognito-identity.amazonaws.com"
      }},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {{
        "StringEquals": {{
          "cognito-identity.amazonaws.com:aud": "{id}"
        }},
        "ForAnyValue:StringLike": {{
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }}
      }}
    }}
  ]
}}

"""))
authenticated_role_policy = aws.iam.RolePolicy("authenticatedRolePolicy",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

""",
    role=authenticated_role.id)
main_identity_pool_role_attachment = aws.cognito.IdentityPoolRoleAttachment("mainIdentityPoolRoleAttachment",
    identity_pool_id=main_identity_pool.id,
    role_mappings=[{
        "ambiguousRoleResolution": "AuthenticatedRole",
        "identity_provider": "graph.facebook.com",
        "mappingRule": [{
            "claim": "isAdmin",
            "matchType": "Equals",
            "role_arn": authenticated_role.arn,
            "value": "paid",
        }],
        "type": "Rules",
    }],
    roles={
        "authenticated": authenticated_role.arn,
    })

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
identity_pool_id (pulumi.Input[str]) – An identity pool ID in the format REGION:GUID.
role_mappings (pulumi.Input[list]) – A List of Role Mapping.
roles (pulumi.Input[dict]) – The map of roles associated with this pool. For a given role, the key will be either “authenticated” or “unauthenticated” and the value will be the Role ARN.

The role_mappings object supports the following:

ambiguousRoleResolution (pulumi.Input[str]) - Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type. Required if you specify Token or Rules as the Type.
identity_provider (pulumi.Input[str]) - A string identifying the identity provider, for example, “graph.facebook.com” or “cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id”.
mappingRules (pulumi.Input[list]) - The Rules Configuration to be used for mapping users to roles. You can specify up to 25 rules per identity provider. Rules are evaluated in order. The first one to match specifies the role.
- claim (pulumi.Input[str]) - The claim name that must be present in the token, for example, “isAdmin” or “paid”.
- matchType (pulumi.Input[str]) - The match condition that specifies how closely the claim value in the IdP token must match Value.
- role_arn (pulumi.Input[str]) - The role ARN.
- value (pulumi.Input[str]) - A brief string that the claim must match, for example, “paid” or “yes”.
type (pulumi.Input[str]) - The role mapping type.

identity_pool_id: pulumi.Output[str] = None¶: An identity pool ID in the format REGION:GUID.

role_mappings: pulumi.Output[list] = None¶

A List of Role Mapping.

ambiguousRoleResolution (str) - Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type. Required if you specify Token or Rules as the Type.
identity_provider (str) - A string identifying the identity provider, for example, “graph.facebook.com” or “cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id”.
mappingRules (list) - The Rules Configuration to be used for mapping users to roles. You can specify up to 25 rules per identity provider. Rules are evaluated in order. The first one to match specifies the role.
- claim (str) - The claim name that must be present in the token, for example, “isAdmin” or “paid”.
- matchType (str) - The match condition that specifies how closely the claim value in the IdP token must match Value.
- role_arn (str) - The role ARN.
- value (str) - A brief string that the claim must match, for example, “paid” or “yes”.
type (str) - The role mapping type.

roles: pulumi.Output[dict] = None¶: The map of roles associated with this pool. For a given role, the key will be either “authenticated” or “unauthenticated” and the value will be the Role ARN.

static get(resource_name, id, opts=None, identity_pool_id=None, role_mappings=None, roles=None)¶

Get an existing IdentityPoolRoleAttachment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
identity_pool_id (pulumi.Input[str]) – An identity pool ID in the format REGION:GUID.
role_mappings (pulumi.Input[list]) – A List of Role Mapping.
roles (pulumi.Input[dict]) – The map of roles associated with this pool. For a given role, the key will be either “authenticated” or “unauthenticated” and the value will be the Role ARN.

The role_mappings object supports the following:

ambiguousRoleResolution (pulumi.Input[str]) - Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type. Required if you specify Token or Rules as the Type.
identity_provider (pulumi.Input[str]) - A string identifying the identity provider, for example, “graph.facebook.com” or “cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id”.
mappingRules (pulumi.Input[list]) - The Rules Configuration to be used for mapping users to roles. You can specify up to 25 rules per identity provider. Rules are evaluated in order. The first one to match specifies the role.
- claim (pulumi.Input[str]) - The claim name that must be present in the token, for example, “isAdmin” or “paid”.
- matchType (pulumi.Input[str]) - The match condition that specifies how closely the claim value in the IdP token must match Value.
- role_arn (pulumi.Input[str]) - The role ARN.
- value (pulumi.Input[str]) - A brief string that the claim must match, for example, “paid” or “yes”.
type (pulumi.Input[str]) - The role mapping type.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.IdentityProvider(resource_name, opts=None, attribute_mapping=None, idp_identifiers=None, provider_details=None, provider_name=None, provider_type=None, user_pool_id=None, __props__=None, __name__=None, __opts__=None)¶

Provides a Cognito User Identity Provider resource.

import pulumi
import pulumi_aws as aws

example = aws.cognito.UserPool("example", auto_verified_attributes=["email"])
example_provider = aws.cognito.IdentityProvider("exampleProvider",
    attribute_mapping={
        "email": "email",
        "username": "sub",
    },
    provider_details={
        "authorize_scopes": "email",
        "client_id": "your client_id",
        "client_secret": "your client_secret",
    },
    provider_name="Google",
    provider_type="Google",
    user_pool_id=example.id)

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
attribute_mapping (pulumi.Input[dict]) – The map of attribute mapping of user pool attributes. AttributeMapping in AWS API documentation
idp_identifiers (pulumi.Input[list]) – The list of identity providers.
provider_details (pulumi.Input[dict]) – The map of identity details, such as access token
provider_name (pulumi.Input[str]) – The provider name
provider_type (pulumi.Input[str]) – The provider type. See AWS API for valid values
user_pool_id (pulumi.Input[str]) – The user pool id

attribute_mapping: pulumi.Output[dict] = None¶: The map of attribute mapping of user pool attributes. AttributeMapping in AWS API documentation

idp_identifiers: pulumi.Output[list] = None¶: The list of identity providers.

provider_details: pulumi.Output[dict] = None¶: The map of identity details, such as access token

provider_name: pulumi.Output[str] = None¶: The provider name

provider_type: pulumi.Output[str] = None¶: The provider type. See AWS API for valid values

user_pool_id: pulumi.Output[str] = None¶: The user pool id

static get(resource_name, id, opts=None, attribute_mapping=None, idp_identifiers=None, provider_details=None, provider_name=None, provider_type=None, user_pool_id=None)¶

Get an existing IdentityProvider resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
attribute_mapping (pulumi.Input[dict]) –
The map of attribute mapping of user pool attributes. AttributeMapping in AWS API documentation
idp_identifiers (pulumi.Input[list]) – The list of identity providers.
provider_details (pulumi.Input[dict]) – The map of identity details, such as access token
provider_name (pulumi.Input[str]) – The provider name
provider_type (pulumi.Input[str]) –
The provider type. See AWS API for valid values
user_pool_id (pulumi.Input[str]) – The user pool id

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.ResourceServer(resource_name, opts=None, identifier=None, name=None, scopes=None, user_pool_id=None, __props__=None, __name__=None, __opts__=None)¶

Provides a Cognito Resource Server.

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")
resource = aws.cognito.ResourceServer("resource",
    identifier="https://example.com",
    user_pool_id=pool.id)

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")
resource = aws.cognito.ResourceServer("resource",
    identifier="https://example.com",
    scopes=[{
        "scopeDescription": "a Sample Scope Description",
        "scopeName": "sample-scope",
    }],
    user_pool_id=pool.id)

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
identifier (pulumi.Input[str]) – An identifier for the resource server.
name (pulumi.Input[str]) – A name for the resource server.
scopes (pulumi.Input[list]) – A list of Authorization Scope.

The scopes object supports the following:

scopeDescription (pulumi.Input[str]) - The scope description.
scopeName (pulumi.Input[str]) - The scope name.

identifier: pulumi.Output[str] = None¶: An identifier for the resource server.

name: pulumi.Output[str] = None¶: A name for the resource server.

scope_identifiers: pulumi.Output[list] = None¶: A list of all scopes configured for this resource server in the format identifier/scope_name.

scopes: pulumi.Output[list] = None¶

A list of Authorization Scope.

scopeDescription (str) - The scope description.
scopeName (str) - The scope name.

static get(resource_name, id, opts=None, identifier=None, name=None, scope_identifiers=None, scopes=None, user_pool_id=None)¶

Get an existing ResourceServer resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
identifier (pulumi.Input[str]) – An identifier for the resource server.
name (pulumi.Input[str]) – A name for the resource server.
scope_identifiers (pulumi.Input[list]) – A list of all scopes configured for this resource server in the format identifier/scope_name.
scopes (pulumi.Input[list]) – A list of Authorization Scope.

The scopes object supports the following:

scopeDescription (pulumi.Input[str]) - The scope description.
scopeName (pulumi.Input[str]) - The scope name.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.UserGroup(resource_name, opts=None, description=None, name=None, precedence=None, role_arn=None, user_pool_id=None, __props__=None, __name__=None, __opts__=None)¶

Provides a Cognito User Group resource.

import pulumi
import pulumi_aws as aws

main_user_pool = aws.cognito.UserPool("mainUserPool")
group_role = aws.iam.Role("groupRole", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

""")
main_user_group = aws.cognito.UserGroup("mainUserGroup",
    description="Managed by Pulumi",
    precedence=42,
    role_arn=group_role.arn,
    user_pool_id=main_user_pool.id)

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
description (pulumi.Input[str]) – The description of the user group.
name (pulumi.Input[str]) – The name of the user group.
precedence (pulumi.Input[float]) – The precedence of the user group.
role_arn (pulumi.Input[str]) – The ARN of the IAM role to be associated with the user group.
user_pool_id (pulumi.Input[str]) – The user pool ID.

description: pulumi.Output[str] = None¶: The description of the user group.

name: pulumi.Output[str] = None¶: The name of the user group.

precedence: pulumi.Output[float] = None¶: The precedence of the user group.

role_arn: pulumi.Output[str] = None¶: The ARN of the IAM role to be associated with the user group.

user_pool_id: pulumi.Output[str] = None¶: The user pool ID.

static get(resource_name, id, opts=None, description=None, name=None, precedence=None, role_arn=None, user_pool_id=None)¶

Get an existing UserGroup resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
description (pulumi.Input[str]) – The description of the user group.
name (pulumi.Input[str]) – The name of the user group.
precedence (pulumi.Input[float]) – The precedence of the user group.
role_arn (pulumi.Input[str]) – The ARN of the IAM role to be associated with the user group.
user_pool_id (pulumi.Input[str]) – The user pool ID.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.UserPool(resource_name, opts=None, admin_create_user_config=None, alias_attributes=None, auto_verified_attributes=None, device_configuration=None, email_configuration=None, email_verification_message=None, email_verification_subject=None, lambda_config=None, mfa_configuration=None, name=None, password_policy=None, schemas=None, sms_authentication_message=None, sms_configuration=None, sms_verification_message=None, software_token_mfa_configuration=None, tags=None, user_pool_add_ons=None, username_attributes=None, username_configuration=None, verification_message_template=None, __props__=None, __name__=None, __opts__=None)¶

Provides a Cognito User Pool resource.

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")

import pulumi
import pulumi_aws as aws

# ... other configuration ...
example = aws.cognito.UserPool("example",
    mfa_configuration="ON",
    sms_authentication_message="Your code is {####}",
    sms_configuration={
        "externalId": "example",
        "snsCallerArn": aws_iam_role["example"]["arn"],
    },
    software_token_mfa_configuration={
        "enabled": True,
    })

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
admin_create_user_config (pulumi.Input[dict]) – The configuration for AdminCreateUser requests.
alias_attributes (pulumi.Input[list]) – Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. Conflicts with username_attributes.
auto_verified_attributes (pulumi.Input[list]) – The attributes to be auto-verified. Possible values: email, phone_number.
device_configuration (pulumi.Input[dict]) – The configuration for the user pool’s device tracking.
email_configuration (pulumi.Input[dict]) – The Email Configuration.
email_verification_message (pulumi.Input[str]) – A string representing the email verification message. Conflicts with verification_message_template configuration block email_message argument.
email_verification_subject (pulumi.Input[str]) – A string representing the email verification subject. Conflicts with verification_message_template configuration block email_subject argument.
lambda_config (pulumi.Input[dict]) – A container for the AWS Lambda triggers associated with the user pool.
mfa_configuration (pulumi.Input[str]) – Multi-Factor Authentication (MFA) configuration for the User Pool. Defaults of OFF. Valid values:
name (pulumi.Input[str]) – The name of the attribute.
password_policy (pulumi.Input[dict]) – A container for information about the user pool password policy.
schemas (pulumi.Input[list]) – A container with the schema attributes of a user pool. Schema attributes from the standard attribute set only need to be specified if they are different from the default configuration. Maximum of 50 attributes.
sms_authentication_message (pulumi.Input[str]) – A string representing the SMS authentication message. The message must contain the {####} placeholder, which will be replaced with the code.
sms_configuration (pulumi.Input[dict]) – Configuration block for Short Message Service (SMS) settings. Detailed below. These settings apply to SMS user verification and SMS Multi-Factor Authentication (MFA). Due to Cognito API restrictions, the SMS configuration cannot be removed without recreating the Cognito User Pool. For user data safety, this resource will ignore the removal of this configuration by disabling drift detection. To force resource recreation after this configuration has been applied, see the ``up` command and use –replace <https://www.pulumi.com/docs/reference/cli/pulumi_up/>`_.
sms_verification_message (pulumi.Input[str]) – A string representing the SMS verification message. Conflicts with verification_message_template configuration block sms_message argument.
software_token_mfa_configuration (pulumi.Input[dict]) – Configuration block for software token Mult-Factor Authentication (MFA) settings. Detailed below.
tags (pulumi.Input[dict]) – A map of tags to assign to the User Pool.
user_pool_add_ons (pulumi.Input[dict]) – Configuration block for user pool add-ons to enable user pool advanced security mode features.
username_attributes (pulumi.Input[list]) – Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes.
username_configuration (pulumi.Input[dict]) – The Username Configuration.
verification_message_template (pulumi.Input[dict]) – The verification message templates configuration.

The admin_create_user_config object supports the following:

allowAdminCreateUserOnly (pulumi.Input[bool]) - Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
inviteMessageTemplate (pulumi.Input[dict]) - The invite message template structure.
- emailMessage (pulumi.Input[str]) - The email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
- emailSubject (pulumi.Input[str]) - The subject line for the email message template. Conflicts with email_verification_subject argument.
- smsMessage (pulumi.Input[str]) - The SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.
unusedAccountValidityDays (pulumi.Input[float]) - DEPRECATED Use password_policy.temporary_password_validity_days instead - The user account expiration limit, in days, after which the account is no longer usable.

The device_configuration object supports the following:

challengeRequiredOnNewDevice (pulumi.Input[bool]) - Indicates whether a challenge is required on a new device. Only applicable to a new device.
deviceOnlyRememberedOnUserPrompt (pulumi.Input[bool]) - If true, a device is only remembered on user prompt.

The email_configuration object supports the following:

emailSendingAccount (pulumi.Input[str]) - The email delivery method to use. COGNITO_DEFAULT for the default email functionality built into Cognito or DEVELOPER to use your Amazon SES configuration.
fromEmailAddress (pulumi.Input[str]) - Sender’s email address or sender’s display name with their email address (e.g. john@example.com, John Smith <john@example.com> or "John Smith Ph.D." <john@example.com>). Escaped double quotes are required around display names that contain certain characters as specified in RFC 5322.
replyToEmailAddress (pulumi.Input[str]) - The REPLY-TO email address.
source_arn (pulumi.Input[str]) - The ARN of the SES verified email identity to to use. Required if email_sending_account is set to DEVELOPER.

The lambda_config object supports the following:

createAuthChallenge (pulumi.Input[str]) - The ARN of the lambda creating an authentication challenge.
customMessage (pulumi.Input[str]) - A custom Message AWS Lambda trigger.
defineAuthChallenge (pulumi.Input[str]) - Defines the authentication challenge.
postAuthentication (pulumi.Input[str]) - A post-authentication AWS Lambda trigger.
postConfirmation (pulumi.Input[str]) - A post-confirmation AWS Lambda trigger.
preAuthentication (pulumi.Input[str]) - A pre-authentication AWS Lambda trigger.
preSignUp (pulumi.Input[str]) - A pre-registration AWS Lambda trigger.
preTokenGeneration (pulumi.Input[str]) - Allow to customize identity token claims before token generation.
userMigration (pulumi.Input[str]) - The user migration Lambda config type.
verifyAuthChallengeResponse (pulumi.Input[str]) - Verifies the authentication challenge response.

The password_policy object supports the following:

minimumLength (pulumi.Input[float]) - The minimum length of the password policy that you have set.
requireLowercase (pulumi.Input[bool]) - Whether you have required users to use at least one lowercase letter in their password.
require_numbers (pulumi.Input[bool]) - Whether you have required users to use at least one number in their password.
require_symbols (pulumi.Input[bool]) - Whether you have required users to use at least one symbol in their password.
requireUppercase (pulumi.Input[bool]) - Whether you have required users to use at least one uppercase letter in their password.
temporaryPasswordValidityDays (pulumi.Input[float]) - In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator.

The schemas object supports the following:

attributeDataType (pulumi.Input[str]) - The attribute data type. Must be one of Boolean, Number, String, DateTime.
developerOnlyAttribute (pulumi.Input[bool]) - Specifies whether the attribute type is developer only.
mutable (pulumi.Input[bool]) - Specifies whether the attribute can be changed once it has been created.
name (pulumi.Input[str]) - The name of the attribute.
numberAttributeConstraints (pulumi.Input[dict]) - Specifies the constraints for an attribute of the number type.
- maxValue (pulumi.Input[str]) - The maximum value of an attribute that is of the number data type.
- minValue (pulumi.Input[str]) - The minimum value of an attribute that is of the number data type.
required (pulumi.Input[bool]) - Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
stringAttributeConstraints (pulumi.Input[dict]) - -Specifies the constraints for an attribute of the string type.
- maxLength (pulumi.Input[str]) - The maximum length of an attribute value of the string type.
- minLength (pulumi.Input[str]) - The minimum length of an attribute value of the string type.

The sms_configuration object supports the following:

externalId (pulumi.Input[str]) - The external ID used in IAM role trust relationships. For more information about using external IDs, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
snsCallerArn (pulumi.Input[str]) - The ARN of the Amazon SNS caller. This is usually the IAM role that you’ve given Cognito permission to assume.

The software_token_mfa_configuration object supports the following:

enabled (pulumi.Input[bool]) - Boolean whether to enable software token Multi-Factor (MFA) tokens, such as Time-based One-Time Password (TOTP). To disable software token MFA when sms_configuration is not present, the mfa_configuration argument must be set to OFF and the software_token_mfa_configuration configuration block must be fully removed.

The user_pool_add_ons object supports the following:

advancedSecurityMode (pulumi.Input[str]) - The mode for advanced security, must be one of OFF, AUDIT or ENFORCED.

The username_configuration object supports the following:

caseSensitive (pulumi.Input[bool]) - Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs.

The verification_message_template object supports the following:

defaultEmailOption (pulumi.Input[str]) - The default email option. Must be either CONFIRM_WITH_CODE or CONFIRM_WITH_LINK. Defaults to CONFIRM_WITH_CODE.
emailMessage (pulumi.Input[str]) - The email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
emailMessageByLink (pulumi.Input[str]) - The email message template for sending a confirmation link to the user, it must contain the {##Click Here##} placeholder.
emailSubject (pulumi.Input[str]) - The subject line for the email message template. Conflicts with email_verification_subject argument.
emailSubjectByLink (pulumi.Input[str]) - The subject line for the email message template for sending a confirmation link to the user.
smsMessage (pulumi.Input[str]) - The SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.

admin_create_user_config: pulumi.Output[dict] = None¶

The configuration for AdminCreateUser requests.

allowAdminCreateUserOnly (bool) - Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
inviteMessageTemplate (dict) - The invite message template structure.
- emailMessage (str) - The email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
- emailSubject (str) - The subject line for the email message template. Conflicts with email_verification_subject argument.
- smsMessage (str) - The SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.
unusedAccountValidityDays (float) - DEPRECATED Use password_policy.temporary_password_validity_days instead - The user account expiration limit, in days, after which the account is no longer usable.

alias_attributes: pulumi.Output[list] = None¶: Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. Conflicts with username_attributes.

arn: pulumi.Output[str] = None¶: The ARN of the user pool.

auto_verified_attributes: pulumi.Output[list] = None¶: The attributes to be auto-verified. Possible values: email, phone_number.

creation_date: pulumi.Output[str] = None¶: The date the user pool was created.

device_configuration: pulumi.Output[dict] = None¶

The configuration for the user pool’s device tracking.

challengeRequiredOnNewDevice (bool) - Indicates whether a challenge is required on a new device. Only applicable to a new device.
deviceOnlyRememberedOnUserPrompt (bool) - If true, a device is only remembered on user prompt.

email_configuration: pulumi.Output[dict] = None¶

The Email Configuration.

emailSendingAccount (str) - The email delivery method to use. COGNITO_DEFAULT for the default email functionality built into Cognito or DEVELOPER to use your Amazon SES configuration.
fromEmailAddress (str) - Sender’s email address or sender’s display name with their email address (e.g. john@example.com, John Smith <john@example.com> or "John Smith Ph.D." <john@example.com>). Escaped double quotes are required around display names that contain certain characters as specified in RFC 5322.
replyToEmailAddress (str) - The REPLY-TO email address.
source_arn (str) - The ARN of the SES verified email identity to to use. Required if email_sending_account is set to DEVELOPER.

email_verification_message: pulumi.Output[str] = None¶: A string representing the email verification message. Conflicts with verification_message_template configuration block email_message argument.

email_verification_subject: pulumi.Output[str] = None¶: A string representing the email verification subject. Conflicts with verification_message_template configuration block email_subject argument.

endpoint: pulumi.Output[str] = None¶: The endpoint name of the user pool. Example format: cognito-idp.REGION.amazonaws.com/xxxx_yyyyy

lambda_config: pulumi.Output[dict] = None¶

A container for the AWS Lambda triggers associated with the user pool.

createAuthChallenge (str) - The ARN of the lambda creating an authentication challenge.
customMessage (str) - A custom Message AWS Lambda trigger.
defineAuthChallenge (str) - Defines the authentication challenge.
postAuthentication (str) - A post-authentication AWS Lambda trigger.
postConfirmation (str) - A post-confirmation AWS Lambda trigger.
preAuthentication (str) - A pre-authentication AWS Lambda trigger.
preSignUp (str) - A pre-registration AWS Lambda trigger.
preTokenGeneration (str) - Allow to customize identity token claims before token generation.
userMigration (str) - The user migration Lambda config type.
verifyAuthChallengeResponse (str) - Verifies the authentication challenge response.

last_modified_date: pulumi.Output[str] = None¶: The date the user pool was last modified.

mfa_configuration: pulumi.Output[str] = None¶: Multi-Factor Authentication (MFA) configuration for the User Pool. Defaults of OFF. Valid values:

name: pulumi.Output[str] = None¶: The name of the attribute.

password_policy: pulumi.Output[dict] = None¶

A container for information about the user pool password policy.

minimumLength (float) - The minimum length of the password policy that you have set.
requireLowercase (bool) - Whether you have required users to use at least one lowercase letter in their password.
require_numbers (bool) - Whether you have required users to use at least one number in their password.
require_symbols (bool) - Whether you have required users to use at least one symbol in their password.
requireUppercase (bool) - Whether you have required users to use at least one uppercase letter in their password.
temporaryPasswordValidityDays (float) - In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator.

schemas: pulumi.Output[list] = None¶

A container with the schema attributes of a user pool. Schema attributes from the standard attribute set only need to be specified if they are different from the default configuration. Maximum of 50 attributes.

attributeDataType (str) - The attribute data type. Must be one of Boolean, Number, String, DateTime.
developerOnlyAttribute (bool) - Specifies whether the attribute type is developer only.
mutable (bool) - Specifies whether the attribute can be changed once it has been created.
name (str) - The name of the attribute.
numberAttributeConstraints (dict) - Specifies the constraints for an attribute of the number type.
- maxValue (str) - The maximum value of an attribute that is of the number data type.
- minValue (str) - The minimum value of an attribute that is of the number data type.
required (bool) - Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
stringAttributeConstraints (dict) - -Specifies the constraints for an attribute of the string type.
- maxLength (str) - The maximum length of an attribute value of the string type.
- minLength (str) - The minimum length of an attribute value of the string type.

sms_authentication_message: pulumi.Output[str] = None¶: A string representing the SMS authentication message. The message must contain the {####} placeholder, which will be replaced with the code.

sms_configuration: pulumi.Output[dict] = None¶

Configuration block for Short Message Service (SMS) settings. Detailed below. These settings apply to SMS user verification and SMS Multi-Factor Authentication (MFA). Due to Cognito API restrictions, the SMS configuration cannot be removed without recreating the Cognito User Pool. For user data safety, this resource will ignore the removal of this configuration by disabling drift detection. To force resource recreation after this configuration has been applied, see the ``up` command and use –replace <https://www.pulumi.com/docs/reference/cli/pulumi_up/>`_.

externalId (str) - The external ID used in IAM role trust relationships. For more information about using external IDs, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
snsCallerArn (str) - The ARN of the Amazon SNS caller. This is usually the IAM role that you’ve given Cognito permission to assume.

sms_verification_message: pulumi.Output[str] = None¶: A string representing the SMS verification message. Conflicts with verification_message_template configuration block sms_message argument.

software_token_mfa_configuration: pulumi.Output[dict] = None¶

Configuration block for software token Mult-Factor Authentication (MFA) settings. Detailed below.

enabled (bool) - Boolean whether to enable software token Multi-Factor (MFA) tokens, such as Time-based One-Time Password (TOTP). To disable software token MFA when sms_configuration is not present, the mfa_configuration argument must be set to OFF and the software_token_mfa_configuration configuration block must be fully removed.

tags: pulumi.Output[dict] = None¶: A map of tags to assign to the User Pool.

user_pool_add_ons: pulumi.Output[dict] = None¶

Configuration block for user pool add-ons to enable user pool advanced security mode features.

advancedSecurityMode (str) - The mode for advanced security, must be one of OFF, AUDIT or ENFORCED.

username_attributes: pulumi.Output[list] = None¶: Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes.

username_configuration: pulumi.Output[dict] = None¶

The Username Configuration.

caseSensitive (bool) - Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs.

verification_message_template: pulumi.Output[dict] = None¶

The verification message templates configuration.

defaultEmailOption (str) - The default email option. Must be either CONFIRM_WITH_CODE or CONFIRM_WITH_LINK. Defaults to CONFIRM_WITH_CODE.
emailMessage (str) - The email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
emailMessageByLink (str) - The email message template for sending a confirmation link to the user, it must contain the {##Click Here##} placeholder.
emailSubject (str) - The subject line for the email message template. Conflicts with email_verification_subject argument.
emailSubjectByLink (str) - The subject line for the email message template for sending a confirmation link to the user.
smsMessage (str) - The SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.

static get(resource_name, id, opts=None, admin_create_user_config=None, alias_attributes=None, arn=None, auto_verified_attributes=None, creation_date=None, device_configuration=None, email_configuration=None, email_verification_message=None, email_verification_subject=None, endpoint=None, lambda_config=None, last_modified_date=None, mfa_configuration=None, name=None, password_policy=None, schemas=None, sms_authentication_message=None, sms_configuration=None, sms_verification_message=None, software_token_mfa_configuration=None, tags=None, user_pool_add_ons=None, username_attributes=None, username_configuration=None, verification_message_template=None)¶

Get an existing UserPool resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
admin_create_user_config (pulumi.Input[dict]) – The configuration for AdminCreateUser requests.
alias_attributes (pulumi.Input[list]) – Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. Conflicts with username_attributes.
arn (pulumi.Input[str]) – The ARN of the user pool.
auto_verified_attributes (pulumi.Input[list]) – The attributes to be auto-verified. Possible values: email, phone_number.
creation_date (pulumi.Input[str]) – The date the user pool was created.
device_configuration (pulumi.Input[dict]) – The configuration for the user pool’s device tracking.
email_configuration (pulumi.Input[dict]) – The Email Configuration.
email_verification_message (pulumi.Input[str]) – A string representing the email verification message. Conflicts with verification_message_template configuration block email_message argument.
email_verification_subject (pulumi.Input[str]) – A string representing the email verification subject. Conflicts with verification_message_template configuration block email_subject argument.
endpoint (pulumi.Input[str]) – The endpoint name of the user pool. Example format: cognito-idp.REGION.amazonaws.com/xxxx_yyyyy
lambda_config (pulumi.Input[dict]) – A container for the AWS Lambda triggers associated with the user pool.
last_modified_date (pulumi.Input[str]) – The date the user pool was last modified.
mfa_configuration (pulumi.Input[str]) – Multi-Factor Authentication (MFA) configuration for the User Pool. Defaults of OFF. Valid values:
name (pulumi.Input[str]) – The name of the attribute.
password_policy (pulumi.Input[dict]) – A container for information about the user pool password policy.
schemas (pulumi.Input[list]) –
A container with the schema attributes of a user pool. Schema attributes from the standard attribute set only need to be specified if they are different from the default configuration. Maximum of 50 attributes.
sms_authentication_message (pulumi.Input[str]) – A string representing the SMS authentication message. The message must contain the {####} placeholder, which will be replaced with the code.
sms_configuration (pulumi.Input[dict]) – Configuration block for Short Message Service (SMS) settings. Detailed below. These settings apply to SMS user verification and SMS Multi-Factor Authentication (MFA). Due to Cognito API restrictions, the SMS configuration cannot be removed without recreating the Cognito User Pool. For user data safety, this resource will ignore the removal of this configuration by disabling drift detection. To force resource recreation after this configuration has been applied, see the ``up` command and use –replace <https://www.pulumi.com/docs/reference/cli/pulumi_up/>`_.
sms_verification_message (pulumi.Input[str]) – A string representing the SMS verification message. Conflicts with verification_message_template configuration block sms_message argument.
software_token_mfa_configuration (pulumi.Input[dict]) – Configuration block for software token Mult-Factor Authentication (MFA) settings. Detailed below.
tags (pulumi.Input[dict]) – A map of tags to assign to the User Pool.
user_pool_add_ons (pulumi.Input[dict]) – Configuration block for user pool add-ons to enable user pool advanced security mode features.
username_attributes (pulumi.Input[list]) – Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes.
username_configuration (pulumi.Input[dict]) – The Username Configuration.
verification_message_template (pulumi.Input[dict]) – The verification message templates configuration.

The admin_create_user_config object supports the following:

allowAdminCreateUserOnly (pulumi.Input[bool]) - Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
inviteMessageTemplate (pulumi.Input[dict]) - The invite message template structure.
- emailMessage (pulumi.Input[str]) - The email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
- emailSubject (pulumi.Input[str]) - The subject line for the email message template. Conflicts with email_verification_subject argument.
- smsMessage (pulumi.Input[str]) - The SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.
unusedAccountValidityDays (pulumi.Input[float]) - DEPRECATED Use password_policy.temporary_password_validity_days instead - The user account expiration limit, in days, after which the account is no longer usable.

The device_configuration object supports the following:

challengeRequiredOnNewDevice (pulumi.Input[bool]) - Indicates whether a challenge is required on a new device. Only applicable to a new device.
deviceOnlyRememberedOnUserPrompt (pulumi.Input[bool]) - If true, a device is only remembered on user prompt.

The email_configuration object supports the following:

emailSendingAccount (pulumi.Input[str]) - The email delivery method to use. COGNITO_DEFAULT for the default email functionality built into Cognito or DEVELOPER to use your Amazon SES configuration.
fromEmailAddress (pulumi.Input[str]) - Sender’s email address or sender’s display name with their email address (e.g. john@example.com, John Smith <john@example.com> or "John Smith Ph.D." <john@example.com>). Escaped double quotes are required around display names that contain certain characters as specified in RFC 5322.
replyToEmailAddress (pulumi.Input[str]) - The REPLY-TO email address.
source_arn (pulumi.Input[str]) - The ARN of the SES verified email identity to to use. Required if email_sending_account is set to DEVELOPER.

The lambda_config object supports the following:

createAuthChallenge (pulumi.Input[str]) - The ARN of the lambda creating an authentication challenge.
customMessage (pulumi.Input[str]) - A custom Message AWS Lambda trigger.
defineAuthChallenge (pulumi.Input[str]) - Defines the authentication challenge.
postAuthentication (pulumi.Input[str]) - A post-authentication AWS Lambda trigger.
postConfirmation (pulumi.Input[str]) - A post-confirmation AWS Lambda trigger.
preAuthentication (pulumi.Input[str]) - A pre-authentication AWS Lambda trigger.
preSignUp (pulumi.Input[str]) - A pre-registration AWS Lambda trigger.
preTokenGeneration (pulumi.Input[str]) - Allow to customize identity token claims before token generation.
userMigration (pulumi.Input[str]) - The user migration Lambda config type.
verifyAuthChallengeResponse (pulumi.Input[str]) - Verifies the authentication challenge response.

The password_policy object supports the following:

minimumLength (pulumi.Input[float]) - The minimum length of the password policy that you have set.
requireLowercase (pulumi.Input[bool]) - Whether you have required users to use at least one lowercase letter in their password.
require_numbers (pulumi.Input[bool]) - Whether you have required users to use at least one number in their password.
require_symbols (pulumi.Input[bool]) - Whether you have required users to use at least one symbol in their password.
requireUppercase (pulumi.Input[bool]) - Whether you have required users to use at least one uppercase letter in their password.
temporaryPasswordValidityDays (pulumi.Input[float]) - In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator.

The schemas object supports the following:

attributeDataType (pulumi.Input[str]) - The attribute data type. Must be one of Boolean, Number, String, DateTime.
developerOnlyAttribute (pulumi.Input[bool]) - Specifies whether the attribute type is developer only.
mutable (pulumi.Input[bool]) - Specifies whether the attribute can be changed once it has been created.
name (pulumi.Input[str]) - The name of the attribute.
numberAttributeConstraints (pulumi.Input[dict]) - Specifies the constraints for an attribute of the number type.
- maxValue (pulumi.Input[str]) - The maximum value of an attribute that is of the number data type.
- minValue (pulumi.Input[str]) - The minimum value of an attribute that is of the number data type.
required (pulumi.Input[bool]) - Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
stringAttributeConstraints (pulumi.Input[dict]) - -Specifies the constraints for an attribute of the string type.
- maxLength (pulumi.Input[str]) - The maximum length of an attribute value of the string type.
- minLength (pulumi.Input[str]) - The minimum length of an attribute value of the string type.

The sms_configuration object supports the following:

externalId (pulumi.Input[str]) - The external ID used in IAM role trust relationships. For more information about using external IDs, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
snsCallerArn (pulumi.Input[str]) - The ARN of the Amazon SNS caller. This is usually the IAM role that you’ve given Cognito permission to assume.

The software_token_mfa_configuration object supports the following:

enabled (pulumi.Input[bool]) - Boolean whether to enable software token Multi-Factor (MFA) tokens, such as Time-based One-Time Password (TOTP). To disable software token MFA when sms_configuration is not present, the mfa_configuration argument must be set to OFF and the software_token_mfa_configuration configuration block must be fully removed.

The user_pool_add_ons object supports the following:

advancedSecurityMode (pulumi.Input[str]) - The mode for advanced security, must be one of OFF, AUDIT or ENFORCED.

The username_configuration object supports the following:

caseSensitive (pulumi.Input[bool]) - Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs.

The verification_message_template object supports the following:

defaultEmailOption (pulumi.Input[str]) - The default email option. Must be either CONFIRM_WITH_CODE or CONFIRM_WITH_LINK. Defaults to CONFIRM_WITH_CODE.
emailMessage (pulumi.Input[str]) - The email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
emailMessageByLink (pulumi.Input[str]) - The email message template for sending a confirmation link to the user, it must contain the {##Click Here##} placeholder.
emailSubject (pulumi.Input[str]) - The subject line for the email message template. Conflicts with email_verification_subject argument.
emailSubjectByLink (pulumi.Input[str]) - The subject line for the email message template for sending a confirmation link to the user.
smsMessage (pulumi.Input[str]) - The SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.UserPoolClient(resource_name, opts=None, allowed_oauth_flows=None, allowed_oauth_flows_user_pool_client=None, allowed_oauth_scopes=None, analytics_configuration=None, callback_urls=None, default_redirect_uri=None, explicit_auth_flows=None, generate_secret=None, logout_urls=None, name=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_id=None, write_attributes=None, __props__=None, __name__=None, __opts__=None)¶

Provides a Cognito User Pool Client resource.

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")
client = aws.cognito.UserPoolClient("client", user_pool_id=pool.id)

import pulumi
import pulumi_aws as aws

pool = aws.cognito.UserPool("pool")
client = aws.cognito.UserPoolClient("client",
    explicit_auth_flows=["ADMIN_NO_SRP_AUTH"],
    generate_secret=True,
    user_pool_id=pool.id)

import pulumi
import pulumi_aws as aws

current = aws.get_caller_identity()
test_user_pool = aws.cognito.UserPool("testUserPool")
test_app = aws.pinpoint.App("testApp")
test_role = aws.iam.Role("testRole", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
test_role_policy = aws.iam.RolePolicy("testRolePolicy",
    policy=test_app.application_id.apply(lambda application_id: f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Action": [
        "mobiletargeting:UpdateEndpoint",
        "mobiletargeting:PutItems"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:*:{current.account_id}:apps/{application_id}*"
    }}
  ]
}}

"""),
    role=test_role.id)
test_user_pool_client = aws.cognito.UserPoolClient("testUserPoolClient",
    analytics_configuration={
        "application_id": test_app.application_id,
        "externalId": "some_id",
        "role_arn": test_role.arn,
        "userDataShared": True,
    },
    user_pool_id=test_user_pool.id)

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_oauth_flows (pulumi.Input[list]) – List of allowed OAuth flows (code, implicit, client_credentials).
allowed_oauth_flows_user_pool_client (pulumi.Input[bool]) – Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowed_oauth_scopes (pulumi.Input[list]) – List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analytics_configuration (pulumi.Input[dict]) – The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
callback_urls (pulumi.Input[list]) – List of allowed callback URLs for the identity providers.
default_redirect_uri (pulumi.Input[str]) – The default redirect URI. Must be in the list of callback URLs.
explicit_auth_flows (pulumi.Input[list]) – List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generate_secret (pulumi.Input[bool]) – Should an application secret be generated.
logout_urls (pulumi.Input[list]) – List of allowed logout URLs for the identity providers.
name (pulumi.Input[str]) – The name of the application client.
prevent_user_existence_errors (pulumi.Input[str]) – Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
read_attributes (pulumi.Input[list]) – List of user pool attributes the application client can read from.
refresh_token_validity (pulumi.Input[float]) – The time limit in days refresh tokens are valid for.
supported_identity_providers (pulumi.Input[list]) – List of provider names for the identity providers that are supported on this client.
user_pool_id (pulumi.Input[str]) – The user pool the client belongs to.
write_attributes (pulumi.Input[list]) – List of user pool attributes the application client can write to.

The analytics_configuration object supports the following:

application_id (pulumi.Input[str]) - The application ID for an Amazon Pinpoint application.
externalId (pulumi.Input[str]) - An ID for the Analytics Configuration.
role_arn (pulumi.Input[str]) - The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
userDataShared (pulumi.Input[bool]) - If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

allowed_oauth_flows: pulumi.Output[list] = None¶: List of allowed OAuth flows (code, implicit, client_credentials).

allowed_oauth_flows_user_pool_client: pulumi.Output[bool] = None¶: Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

allowed_oauth_scopes: pulumi.Output[list] = None¶: List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).

analytics_configuration: pulumi.Output[dict] = None¶

The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.

application_id (str) - The application ID for an Amazon Pinpoint application.
externalId (str) - An ID for the Analytics Configuration.
role_arn (str) - The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
userDataShared (bool) - If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

callback_urls: pulumi.Output[list] = None¶: List of allowed callback URLs for the identity providers.

client_secret: pulumi.Output[str] = None¶: The client secret of the user pool client.

default_redirect_uri: pulumi.Output[str] = None¶: The default redirect URI. Must be in the list of callback URLs.

explicit_auth_flows: pulumi.Output[list] = None¶: List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).

generate_secret: pulumi.Output[bool] = None¶: Should an application secret be generated.

logout_urls: pulumi.Output[list] = None¶: List of allowed logout URLs for the identity providers.

name: pulumi.Output[str] = None¶: The name of the application client.

prevent_user_existence_errors: pulumi.Output[str] = None¶: Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.

read_attributes: pulumi.Output[list] = None¶: List of user pool attributes the application client can read from.

refresh_token_validity: pulumi.Output[float] = None¶: The time limit in days refresh tokens are valid for.

supported_identity_providers: pulumi.Output[list] = None¶: List of provider names for the identity providers that are supported on this client.

user_pool_id: pulumi.Output[str] = None¶: The user pool the client belongs to.

write_attributes: pulumi.Output[list] = None¶: List of user pool attributes the application client can write to.

static get(resource_name, id, opts=None, allowed_oauth_flows=None, allowed_oauth_flows_user_pool_client=None, allowed_oauth_scopes=None, analytics_configuration=None, callback_urls=None, client_secret=None, default_redirect_uri=None, explicit_auth_flows=None, generate_secret=None, logout_urls=None, name=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_id=None, write_attributes=None)¶

Get an existing UserPoolClient resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_oauth_flows (pulumi.Input[list]) – List of allowed OAuth flows (code, implicit, client_credentials).
allowed_oauth_flows_user_pool_client (pulumi.Input[bool]) – Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowed_oauth_scopes (pulumi.Input[list]) – List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analytics_configuration (pulumi.Input[dict]) – The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
callback_urls (pulumi.Input[list]) – List of allowed callback URLs for the identity providers.
client_secret (pulumi.Input[str]) – The client secret of the user pool client.
default_redirect_uri (pulumi.Input[str]) – The default redirect URI. Must be in the list of callback URLs.
explicit_auth_flows (pulumi.Input[list]) – List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generate_secret (pulumi.Input[bool]) – Should an application secret be generated.
logout_urls (pulumi.Input[list]) – List of allowed logout URLs for the identity providers.
name (pulumi.Input[str]) – The name of the application client.
prevent_user_existence_errors (pulumi.Input[str]) – Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
read_attributes (pulumi.Input[list]) – List of user pool attributes the application client can read from.
refresh_token_validity (pulumi.Input[float]) – The time limit in days refresh tokens are valid for.
supported_identity_providers (pulumi.Input[list]) – List of provider names for the identity providers that are supported on this client.
user_pool_id (pulumi.Input[str]) – The user pool the client belongs to.
write_attributes (pulumi.Input[list]) – List of user pool attributes the application client can write to.

The analytics_configuration object supports the following:

application_id (pulumi.Input[str]) - The application ID for an Amazon Pinpoint application.
externalId (pulumi.Input[str]) - An ID for the Analytics Configuration.
role_arn (pulumi.Input[str]) - The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
userDataShared (pulumi.Input[bool]) - If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_aws.cognito.UserPoolDomain(resource_name, opts=None, certificate_arn=None, domain=None, user_pool_id=None, __props__=None, __name__=None, __opts__=None)¶

Provides a Cognito User Pool Domain resource.

import pulumi
import pulumi_aws as aws

example = aws.cognito.UserPool("example")
main = aws.cognito.UserPoolDomain("main",
    domain="example-domain",
    user_pool_id=example.id)

import pulumi
import pulumi_aws as aws

example = aws.cognito.UserPool("example")
main = aws.cognito.UserPoolDomain("main",
    certificate_arn=aws_acm_certificate["cert"]["arn"],
    domain="example-domain.example.com",
    user_pool_id=example.id)

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
certificate_arn (pulumi.Input[str]) – The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain.
domain (pulumi.Input[str]) – The domain string.
user_pool_id (pulumi.Input[str]) – The user pool ID.

aws_account_id: pulumi.Output[str] = None¶: The AWS account ID for the user pool owner.

certificate_arn: pulumi.Output[str] = None¶: The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain.

cloudfront_distribution_arn: pulumi.Output[str] = None¶: The ARN of the CloudFront distribution.

domain: pulumi.Output[str] = None¶: The domain string.

s3_bucket: pulumi.Output[str] = None¶: The S3 bucket where the static files for this domain are stored.

user_pool_id: pulumi.Output[str] = None¶: The user pool ID.

version: pulumi.Output[str] = None¶: The app version.

static get(resource_name, id, opts=None, aws_account_id=None, certificate_arn=None, cloudfront_distribution_arn=None, domain=None, s3_bucket=None, user_pool_id=None, version=None)¶

Get an existing UserPoolDomain resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
aws_account_id (pulumi.Input[str]) – The AWS account ID for the user pool owner.
certificate_arn (pulumi.Input[str]) – The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain.
cloudfront_distribution_arn (pulumi.Input[str]) – The ARN of the CloudFront distribution.
domain (pulumi.Input[str]) – The domain string.
s3_bucket (pulumi.Input[str]) – The S3 bucket where the static files for this domain are stored.
user_pool_id (pulumi.Input[str]) – The user pool ID.
version (pulumi.Input[str]) – The app version.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

pulumi_aws.cognito.get_user_pools(name=None, opts=None)¶

Use this data source to get a list of cognito user pools.

import pulumi
import pulumi_aws as aws

selected_rest_api = aws.apigateway.get_rest_api(name=var["api_gateway_name"])
selected_user_pools = aws.cognito.get_user_pools(name=var["cognito_user_pool_name"])
cognito = aws.apigateway.Authorizer("cognito",
    provider_arns=selected_user_pools.arns,
    rest_api=selected_rest_api.id,
    type="COGNITO_USER_POOLS")

Parameters: name (str) – Name of the cognito user pools. Name is not a unique attribute for cognito user pool, so multiple pools might be returned with given name.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

cognito¶

On This Page