aws-cdk-lib.aws_cognito.UserPool

class UserPool (construct)

LanguageType name
.NETAmazon.CDK.AWS.Cognito.UserPool
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awscognito#UserPool
Javasoftware.amazon.awscdk.services.cognito.UserPool
Pythonaws_cdk.aws_cognito.UserPool
TypeScript (source)aws-cdk-lib » aws_cognito » UserPool

Implements IConstruct, IDependable, IResource, IUserPool

Define a Cognito User Pool.

Example

const pool = new cognito.UserPool(this, 'Pool');
pool.addClient('app-client', {
  oAuth: {
    flows: {
      authorizationCodeGrant: true,
    },
    scopes: [ cognito.OAuthScope.OPENID ],
    callbackUrls: [ 'https://my-app-domain.com/welcome' ],
    logoutUrls: [ 'https://my-app-domain.com/signin' ],
  },
});

Initializer

new UserPool(scope: Construct, id: string, props?: UserPoolProps)

Parameters

  • scope Construct
  • id string
  • props UserPoolProps

Construct Props

NameTypeDescription
accountRecovery?AccountRecoveryHow will a user be able to recover their account?
advancedSecurityMode?AdvancedSecurityModeThe user pool's Advanced Security Mode.
autoVerify?AutoVerifiedAttrsAttributes which Cognito will look to verify automatically upon user sign up.
customAttributes?{ [string]: ICustomAttribute }Define a set of custom attributes that can be configured for each user in the user pool.
customSenderKmsKey?IKeyThis key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletionProtection?booleanIndicates whether the user pool should have deletion protection enabled.
deviceTracking?DeviceTrackingDevice tracking settings.
email?UserPoolEmailEmail settings for a user pool.
enableSmsRole?booleanSetting this would explicitly enable or disable SMS role creation.
keepOriginal?KeepOriginalAttrsAttributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambdaTriggers?UserPoolTriggersLambda functions to use for supported Cognito triggers.
mfa?MfaConfigure whether users of this user pool can or are required use MFA to sign in.
mfaMessage?stringThe SMS message template sent during MFA verification.
mfaSecondFactor?MfaSecondFactorConfigure the MFA types that users can use in this user pool.
passwordPolicy?PasswordPolicyPassword policy for this user pool.
removalPolicy?RemovalPolicyPolicy to apply when the user pool is removed from the stack.
selfSignUpEnabled?booleanWhether self sign up should be enabled.
signInAliases?SignInAliasesMethods in which a user registers or signs in to a user pool.
signInCaseSensitive?booleanWhether sign-in aliases should be evaluated with case sensitivity.
smsRole?IRoleThe IAM role that Cognito will assume while sending SMS messages.
smsRoleExternalId?stringThe 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
snsRegion?stringThe region to integrate with SNS to send SMS messages.
standardAttributes?StandardAttributesThe set of attributes that are required for every user in the user pool.
userInvitation?UserInvitationConfigConfiguration around admins signing up users into a user pool.
userPoolName?stringName of the user pool.
userVerification?UserVerificationConfigConfiguration around users signing themselves up to the user pool.

accountRecovery?

Type: AccountRecovery (optional, default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL)

How will a user be able to recover their account?


advancedSecurityMode?

Type: AdvancedSecurityMode (optional, default: no value)

The user pool's Advanced Security Mode.


autoVerify?

Type: AutoVerifiedAttrs (optional, default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.)

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.


customAttributes?

Type: { [string]: ICustomAttribute } (optional, default: No custom attributes.)

Define a set of custom attributes that can be configured for each user in the user pool.


customSenderKmsKey?

Type: IKey (optional, default: no key ID configured)

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html


deletionProtection?

Type: boolean (optional, default: false)

Indicates whether the user pool should have deletion protection enabled.


deviceTracking?

Type: DeviceTracking (optional, default: see defaults on each property of DeviceTracking.)

Device tracking settings.


email?

Type: UserPoolEmail (optional, default: cognito will use the default email configuration)

Email settings for a user pool.


enableSmsRole?

Type: boolean (optional, default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.)

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.


keepOriginal?

Type: KeepOriginalAttrs (optional, default: Nothing is kept.)

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.


lambdaTriggers?

Type: UserPoolTriggers (optional, default: No Lambda triggers.)

Lambda functions to use for supported Cognito triggers.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html


mfa?

Type: Mfa (optional, default: Mfa.OFF)

Configure whether users of this user pool can or are required use MFA to sign in.


mfaMessage?

Type: string (optional, default: 'Your authentication code is {####}.')

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.


mfaSecondFactor?

Type: MfaSecondFactor (optional, default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise)

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.


passwordPolicy?

Type: PasswordPolicy (optional, default: see defaults on each property of PasswordPolicy.)

Password policy for this user pool.


removalPolicy?

Type: RemovalPolicy (optional, default: RemovalPolicy.RETAIN)

Policy to apply when the user pool is removed from the stack.


selfSignUpEnabled?

Type: boolean (optional, default: false)

Whether self sign up should be enabled.

This can be further configured via the selfSignUp property.


signInAliases?

Type: SignInAliases (optional, default: { username: true })

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.


signInCaseSensitive?

Type: boolean (optional, default: true)

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.


smsRole?

Type: IRole (optional, default: a new IAM role is created)

The IAM role that Cognito will assume while sending SMS messages.


smsRoleExternalId?

Type: string (optional, default: No external id will be configured)

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.


snsRegion?

Type: string (optional, default: The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time)

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured


standardAttributes?

Type: StandardAttributes (optional, default: All standard attributes are optional and mutable.)

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html


userInvitation?

Type: UserInvitationConfig (optional, default: see defaults in UserInvitationConfig)

Configuration around admins signing up users into a user pool.


userPoolName?

Type: string (optional, default: automatically generated name by CloudFormation at deploy time)

Name of the user pool.


userVerification?

Type: UserVerificationConfig (optional, default: see defaults in UserVerificationConfig)

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Properties

NameTypeDescription
envResourceEnvironmentThe environment this resource belongs to.
identityProvidersIUserPoolIdentityProvider[]Get all identity providers registered with this user pool.
nodeNodeThe tree node.
stackStackThe stack in which this resource is defined.
userPoolArnstringThe ARN of the user pool.
userPoolIdstringThe physical ID of this user pool resource.
userPoolProviderNamestringUser pool provider name.
userPoolProviderUrlstringUser pool provider URL.

env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


identityProviders

Type: IUserPoolIdentityProvider[]

Get all identity providers registered with this user pool.


node

Type: Node

The tree node.


stack

Type: Stack

The stack in which this resource is defined.


userPoolArn

Type: string

The ARN of the user pool.


userPoolId

Type: string

The physical ID of this user pool resource.


userPoolProviderName

Type: string

User pool provider name.


userPoolProviderUrl

Type: string

User pool provider URL.

Methods

NameDescription
addClient(id, options?)Add a new app client to this user pool.
addDomain(id, options)Associate a domain to this user pool.
addResourceServer(id, options)Add a new resource server to this user pool.
addTrigger(operation, fn)Add a lambda trigger to a user pool operation.
applyRemovalPolicy(policy)Apply the given removal policy to this resource.
grant(grantee, ...actions)Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
registerIdentityProvider(provider)Register an identity provider with this user pool.
toString()Returns a string representation of this construct.
static fromUserPoolArn(scope, id, userPoolArn)Import an existing user pool based on its ARN.
static fromUserPoolId(scope, id, userPoolId)Import an existing user pool based on its id.

addClient(id, options?)

public addClient(id: string, options?: UserPoolClientOptions): UserPoolClient

Parameters

  • id string
  • options UserPoolClientOptions

Returns

  • UserPoolClient

Add a new app client to this user pool.


addDomain(id, options)

public addDomain(id: string, options: UserPoolDomainOptions): UserPoolDomain

Parameters

  • id string
  • options UserPoolDomainOptions

Returns

  • UserPoolDomain

Associate a domain to this user pool.


addResourceServer(id, options)

public addResourceServer(id: string, options: UserPoolResourceServerOptions): UserPoolResourceServer

Parameters

  • id string
  • options UserPoolResourceServerOptions

Returns

  • UserPoolResourceServer

Add a new resource server to this user pool.


addTrigger(operation, fn)

public addTrigger(operation: UserPoolOperation, fn: IFunction): void

Parameters

  • operation UserPoolOperation
  • fn IFunction

Add a lambda trigger to a user pool operation.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


grant(grantee, ...actions)

public grant(grantee: IGrantable, ...actions: string[]): Grant

Parameters

  • grantee IGrantable
  • actions string

Returns

  • Grant

Adds an IAM policy statement associated with this user pool to an IAM principal's policy.


registerIdentityProvider(provider)

public registerIdentityProvider(provider: IUserPoolIdentityProvider): void

Parameters

  • provider IUserPoolIdentityProvider

Register an identity provider with this user pool.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromUserPoolArn(scope, id, userPoolArn)

public static fromUserPoolArn(scope: Construct, id: string, userPoolArn: string): IUserPool

Parameters

  • scope Construct
  • id string
  • userPoolArn string

Returns

  • IUserPool

Import an existing user pool based on its ARN.


static fromUserPoolId(scope, id, userPoolId)

public static fromUserPoolId(scope: Construct, id: string, userPoolId: string): IUserPool

Parameters

  • scope Construct
  • id string
  • userPoolId string

Returns

  • IUserPool

Import an existing user pool based on its id.