Skip to content

API Reference

Constructs

UserIdentity

Creates a UserPool and Identity Pool with sane defaults configured intended for usage from a web client.

Initializers

import aws.pdk.identity

aws.pdk.identity.UserIdentity(
  scope: Construct,
  id: str,
  allow_signup: bool = None,
  identity_pool_options: IdentityPoolProps = None,
  user_pool: UserPool = None
)
Name Type Description
scope constructs.Construct No description.
id str No description.
allow_signup bool Allow self sign up.
identity_pool_options aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps Configuration for the Identity Pool.
user_pool aws_cdk.aws_cognito.UserPool User provided Cognito UserPool.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: str

allow_signupOptional
  • Type: bool
  • Default: false

Allow self sign up.


identity_pool_optionsOptional
  • Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps

Configuration for the Identity Pool.


user_poolOptional
  • Type: aws_cdk.aws_cognito.UserPool
  • Default: a userpool with mfa will be created.

User provided Cognito UserPool.


Methods

Name Description
to_string Returns a string representation of this construct.

to_string
def to_string() -> str

Returns a string representation of this construct.

Static Functions

Name Description
is_construct Checks if x is a construct.

is_construct
import aws.pdk.identity

aws.pdk.identity.UserIdentity.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.


Properties

Name Type Description
node constructs.Node The tree node.
identity_pool aws_cdk.aws_cognito_identitypool_alpha.IdentityPool No description.
user_pool aws_cdk.aws_cognito.UserPool No description.
user_pool_client aws_cdk.aws_cognito.UserPoolClient No description.

nodeRequired
node: Node
  • Type: constructs.Node

The tree node.


identity_poolRequired
identity_pool: IdentityPool
  • Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPool

user_poolRequired
user_pool: UserPool
  • Type: aws_cdk.aws_cognito.UserPool

user_pool_clientRequired
user_pool_client: UserPoolClient
  • Type: aws_cdk.aws_cognito.UserPoolClient

UserPoolWithMfa

Configures a UserPool with MFA across SMS/TOTP using sane defaults.

Initializers

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa(
  scope: Construct,
  id: str,
  account_recovery: AccountRecovery = None,
  advanced_security_mode: AdvancedSecurityMode = None,
  auto_verify: AutoVerifiedAttrs = None,
  custom_attributes: typing.Mapping[ICustomAttribute] = None,
  custom_sender_kms_key: IKey = None,
  deletion_protection: bool = None,
  device_tracking: DeviceTracking = None,
  email: UserPoolEmail = None,
  enable_sms_role: bool = None,
  keep_original: KeepOriginalAttrs = None,
  lambda_triggers: UserPoolTriggers = None,
  mfa: Mfa = None,
  mfa_message: str = None,
  mfa_second_factor: MfaSecondFactor = None,
  password_policy: PasswordPolicy = None,
  removal_policy: RemovalPolicy = None,
  self_sign_up_enabled: bool = None,
  sign_in_aliases: SignInAliases = None,
  sign_in_case_sensitive: bool = None,
  sms_role: IRole = None,
  sms_role_external_id: str = None,
  sns_region: str = None,
  standard_attributes: StandardAttributes = None,
  user_invitation: UserInvitationConfig = None,
  user_pool_name: str = None,
  user_verification: UserVerificationConfig = None
)
Name Type Description
scope constructs.Construct No description.
id str No description.
account_recovery aws_cdk.aws_cognito.AccountRecovery How will a user be able to recover their account?
advanced_security_mode aws_cdk.aws_cognito.AdvancedSecurityMode The user pool's Advanced Security Mode.
auto_verify aws_cdk.aws_cognito.AutoVerifiedAttrs Attributes which Cognito will look to verify automatically upon user sign up.
custom_attributes typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute] Define a set of custom attributes that can be configured for each user in the user pool.
custom_sender_kms_key aws_cdk.aws_kms.IKey This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletion_protection bool Indicates whether the user pool should have deletion protection enabled.
device_tracking aws_cdk.aws_cognito.DeviceTracking Device tracking settings.
email aws_cdk.aws_cognito.UserPoolEmail Email settings for a user pool.
enable_sms_role bool Setting this would explicitly enable or disable SMS role creation.
keep_original aws_cdk.aws_cognito.KeepOriginalAttrs Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambda_triggers aws_cdk.aws_cognito.UserPoolTriggers Lambda functions to use for supported Cognito triggers.
mfa aws_cdk.aws_cognito.Mfa Configure whether users of this user pool can or are required use MFA to sign in.
mfa_message str The SMS message template sent during MFA verification.
mfa_second_factor aws_cdk.aws_cognito.MfaSecondFactor Configure the MFA types that users can use in this user pool.
password_policy aws_cdk.aws_cognito.PasswordPolicy Password policy for this user pool.
removal_policy aws_cdk.RemovalPolicy Policy to apply when the user pool is removed from the stack.
self_sign_up_enabled bool Whether self sign-up should be enabled.
sign_in_aliases aws_cdk.aws_cognito.SignInAliases Methods in which a user registers or signs in to a user pool.
sign_in_case_sensitive bool Whether sign-in aliases should be evaluated with case sensitivity.
sms_role aws_cdk.aws_iam.IRole The IAM role that Cognito will assume while sending SMS messages.
sms_role_external_id str The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
sns_region str The region to integrate with SNS to send SMS messages.
standard_attributes aws_cdk.aws_cognito.StandardAttributes The set of attributes that are required for every user in the user pool.
user_invitation aws_cdk.aws_cognito.UserInvitationConfig Configuration around admins signing up users into a user pool.
user_pool_name str Name of the user pool.
user_verification aws_cdk.aws_cognito.UserVerificationConfig Configuration around users signing themselves up to the user pool.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: str

account_recoveryOptional
  • Type: aws_cdk.aws_cognito.AccountRecovery
  • Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?


advanced_security_modeOptional
  • Type: aws_cdk.aws_cognito.AdvancedSecurityMode
  • Default: no value

The user pool's Advanced Security Mode.


auto_verifyOptional
  • Type: aws_cdk.aws_cognito.AutoVerifiedAttrs
  • Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.


custom_attributesOptional
  • Type: typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]
  • Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.


custom_sender_kms_keyOptional
  • Type: aws_cdk.aws_kms.IKey
  • Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html


deletion_protectionOptional
  • Type: bool
  • Default: false

Indicates whether the user pool should have deletion protection enabled.


device_trackingOptional
  • Type: aws_cdk.aws_cognito.DeviceTracking
  • Default: see defaults on each property of DeviceTracking.

Device tracking settings.


emailOptional
  • Type: aws_cdk.aws_cognito.UserPoolEmail
  • Default: cognito will use the default email configuration

Email settings for a user pool.


enable_sms_roleOptional
  • Type: bool
  • Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.


keep_originalOptional
  • Type: aws_cdk.aws_cognito.KeepOriginalAttrs
  • Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.


lambda_triggersOptional
  • Type: aws_cdk.aws_cognito.UserPoolTriggers
  • Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html


mfaOptional
  • Type: aws_cdk.aws_cognito.Mfa
  • Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.


mfa_messageOptional
  • Type: str
  • Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.


mfa_second_factorOptional
  • Type: aws_cdk.aws_cognito.MfaSecondFactor
  • Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.


password_policyOptional
  • Type: aws_cdk.aws_cognito.PasswordPolicy
  • Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.


removal_policyOptional
  • Type: aws_cdk.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.


self_sign_up_enabledOptional
  • Type: bool
  • Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.


sign_in_aliasesOptional
  • Type: aws_cdk.aws_cognito.SignInAliases
  • Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.


sign_in_case_sensitiveOptional
  • Type: bool
  • Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.


sms_roleOptional
  • Type: aws_cdk.aws_iam.IRole
  • Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.


sms_role_external_idOptional
  • Type: str
  • Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.


sns_regionOptional

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.


standard_attributesOptional
  • Type: aws_cdk.aws_cognito.StandardAttributes
  • Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html


user_invitationOptional
  • Type: aws_cdk.aws_cognito.UserInvitationConfig
  • Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.


user_pool_nameOptional
  • Type: str
  • Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.


user_verificationOptional
  • Type: aws_cdk.aws_cognito.UserVerificationConfig
  • Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.


Methods

Name Description
to_string Returns a string representation of this construct.
apply_removal_policy Apply the given removal policy to this resource.
add_client Add a new app client to this user pool.
add_domain Associate a domain to this user pool.
add_resource_server Add a new resource server to this user pool.
add_trigger Add a lambda trigger to a user pool operation.
grant Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
register_identity_provider Register an identity provider with this user pool.

to_string
def to_string() -> str

Returns a string representation of this construct.

apply_removal_policy
def apply_removal_policy(
  policy: RemovalPolicy
) -> None

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws_cdk.RemovalPolicy

add_client
def add_client(
  id: str,
  access_token_validity: Duration = None,
  auth_flows: AuthFlow = None,
  auth_session_validity: Duration = None,
  disable_o_auth: bool = None,
  enable_propagate_additional_user_context_data: bool = None,
  enable_token_revocation: bool = None,
  generate_secret: bool = None,
  id_token_validity: Duration = None,
  o_auth: OAuthSettings = None,
  prevent_user_existence_errors: bool = None,
  read_attributes: ClientAttributes = None,
  refresh_token_validity: Duration = None,
  supported_identity_providers: typing.List[UserPoolClientIdentityProvider] = None,
  user_pool_client_name: str = None,
  write_attributes: ClientAttributes = None
) -> UserPoolClient

Add a new app client to this user pool.

idRequired
  • Type: str

access_token_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.minutes(60)

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token


auth_flowsOptional
  • Type: aws_cdk.aws_cognito.AuthFlow
  • Default: If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

The set of OAuth authentication flows to enable on the client.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html


auth_session_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.minutes(3)

Cognito creates a session token for each API request in an authentication flow.

AuthSessionValidity is the duration, in minutes, of that session token. see defaults in AuthSessionValidity. Valid duration is from 3 to 15 minutes.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity


disable_o_authOptional
  • Type: bool
  • Default: false

Turns off all OAuth interactions for this client.


enable_propagate_additional_user_context_dataOptional
  • Type: bool
  • Default: false for new user pool clients

Enable the propagation of additional user context data.

You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint


enable_token_revocationOptional
  • Type: bool
  • Default: true for new user pool clients

Enable token revocation for this client.

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation


generate_secretOptional
  • Type: bool
  • Default: false

Whether to generate a client secret.


id_token_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.minutes(60)

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token


o_authOptional
  • Type: aws_cdk.aws_cognito.OAuthSettings
  • Default: see defaults in OAuthSettings. meaningless if disableOAuth is set.

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.


prevent_user_existence_errorsOptional
  • Type: bool
  • Default: false

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html


read_attributesOptional
  • Type: aws_cdk.aws_cognito.ClientAttributes
  • Default: all standard and custom attributes

The set of attributes this client will be able to read.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes


refresh_token_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.days(30)

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token


supported_identity_providersOptional
  • Type: typing.List[aws_cdk.aws_cognito.UserPoolClientIdentityProvider]
  • Default: supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

The list of identity providers that users should be able to use to sign in using this client.


user_pool_client_nameOptional
  • Type: str
  • Default: cloudformation generated name

Name of the application client.


write_attributesOptional
  • Type: aws_cdk.aws_cognito.ClientAttributes
  • Default: all standard and custom attributes

The set of attributes this client will be able to write.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes


add_domain
def add_domain(
  id: str,
  cognito_domain: CognitoDomainOptions = None,
  custom_domain: CustomDomainOptions = None
) -> UserPoolDomain

Associate a domain to this user pool.

idRequired
  • Type: str

cognito_domainOptional
  • Type: aws_cdk.aws_cognito.CognitoDomainOptions
  • Default: not set if customDomain is specified, otherwise, throws an error.

Associate a cognito prefix domain with your user pool Either customDomain or cognitoDomain must be specified.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html


custom_domainOptional
  • Type: aws_cdk.aws_cognito.CustomDomainOptions
  • Default: not set if cognitoDomain is specified, otherwise, throws an error.

Associate a custom domain with your user pool Either customDomain or cognitoDomain must be specified.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html


add_resource_server
def add_resource_server(
  id: str,
  identifier: str,
  scopes: typing.List[ResourceServerScope] = None,
  user_pool_resource_server_name: str = None
) -> UserPoolResourceServer

Add a new resource server to this user pool.

idRequired
  • Type: str

identifierRequired
  • Type: str

A unique resource server identifier for the resource server.


scopesOptional
  • Type: typing.List[aws_cdk.aws_cognito.ResourceServerScope]
  • Default: No scopes will be added

Oauth scopes.


user_pool_resource_server_nameOptional
  • Type: str
  • Default: same as identifier

A friendly name for the resource server.


add_trigger
def add_trigger(
  operation: UserPoolOperation,
  fn: IFunction,
  lambda_version: LambdaVersion = None
) -> None

Add a lambda trigger to a user pool operation.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

operationRequired
  • Type: aws_cdk.aws_cognito.UserPoolOperation

fnRequired
  • Type: aws_cdk.aws_lambda.IFunction

lambda_versionOptional
  • Type: aws_cdk.aws_cognito.LambdaVersion

grant
def grant(
  grantee: IGrantable,
  actions: str
) -> Grant

Adds an IAM policy statement associated with this user pool to an IAM principal's policy.

granteeRequired
  • Type: aws_cdk.aws_iam.IGrantable

actionsRequired
  • Type: str

register_identity_provider
def register_identity_provider(
  provider: IUserPoolIdentityProvider
) -> None

Register an identity provider with this user pool.

providerRequired
  • Type: aws_cdk.aws_cognito.IUserPoolIdentityProvider

Static Functions

Name Description
is_construct Checks if x is a construct.
is_owned_resource Returns true if the construct was created by CDK, and false otherwise.
is_resource Check whether the given construct is a Resource.
from_user_pool_arn Import an existing user pool based on its ARN.
from_user_pool_id Import an existing user pool based on its id.

is_construct
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.


is_owned_resource
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_owned_resource(
  construct: IConstruct
)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct

is_resource
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_resource(
  construct: IConstruct
)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct

from_user_pool_arn
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.from_user_pool_arn(
  scope: Construct,
  id: str,
  user_pool_arn: str
)

Import an existing user pool based on its ARN.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: str

user_pool_arnRequired
  • Type: str

from_user_pool_id
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.from_user_pool_id(
  scope: Construct,
  id: str,
  user_pool_id: str
)

Import an existing user pool based on its id.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: str

user_pool_idRequired
  • Type: str

Properties

Name Type Description
node constructs.Node The tree node.
env aws_cdk.ResourceEnvironment The environment this resource belongs to.
stack aws_cdk.Stack The stack in which this resource is defined.
identity_providers typing.List[aws_cdk.aws_cognito.IUserPoolIdentityProvider] Get all identity providers registered with this user pool.
user_pool_arn str The ARN of the user pool.
user_pool_id str The physical ID of this user pool resource.
user_pool_provider_name str User pool provider name.
user_pool_provider_url str User pool provider URL.

nodeRequired
node: Node
  • Type: constructs.Node

The tree node.


envRequired
env: ResourceEnvironment
  • Type: aws_cdk.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


stackRequired
stack: Stack
  • Type: aws_cdk.Stack

The stack in which this resource is defined.


identity_providersRequired
identity_providers: typing.List[IUserPoolIdentityProvider]
  • Type: typing.List[aws_cdk.aws_cognito.IUserPoolIdentityProvider]

Get all identity providers registered with this user pool.


user_pool_arnRequired
user_pool_arn: str
  • Type: str

The ARN of the user pool.


user_pool_idRequired
user_pool_id: str
  • Type: str

The physical ID of this user pool resource.


user_pool_provider_nameRequired
user_pool_provider_name: str
  • Type: str

User pool provider name.


user_pool_provider_urlRequired
user_pool_provider_url: str
  • Type: str

User pool provider URL.


Structs

UserIdentityProps

Properties which configures the Identity Pool.

Initializer

import aws.pdk.identity

aws.pdk.identity.UserIdentityProps(
  allow_signup: bool = None,
  identity_pool_options: IdentityPoolProps = None,
  user_pool: UserPool = None
)

Properties

Name Type Description
allow_signup bool Allow self sign up.
identity_pool_options aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps Configuration for the Identity Pool.
user_pool aws_cdk.aws_cognito.UserPool User provided Cognito UserPool.

allow_signupOptional
allow_signup: bool
  • Type: bool
  • Default: false

Allow self sign up.


identity_pool_optionsOptional
identity_pool_options: IdentityPoolProps
  • Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps

Configuration for the Identity Pool.


user_poolOptional
user_pool: UserPool
  • Type: aws_cdk.aws_cognito.UserPool
  • Default: a userpool with mfa will be created.

User provided Cognito UserPool.


UserPoolWithMfaProps

UserPoolWithMfa props.

Initializer

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfaProps(
  account_recovery: AccountRecovery = None,
  advanced_security_mode: AdvancedSecurityMode = None,
  auto_verify: AutoVerifiedAttrs = None,
  custom_attributes: typing.Mapping[ICustomAttribute] = None,
  custom_sender_kms_key: IKey = None,
  deletion_protection: bool = None,
  device_tracking: DeviceTracking = None,
  email: UserPoolEmail = None,
  enable_sms_role: bool = None,
  keep_original: KeepOriginalAttrs = None,
  lambda_triggers: UserPoolTriggers = None,
  mfa: Mfa = None,
  mfa_message: str = None,
  mfa_second_factor: MfaSecondFactor = None,
  password_policy: PasswordPolicy = None,
  removal_policy: RemovalPolicy = None,
  self_sign_up_enabled: bool = None,
  sign_in_aliases: SignInAliases = None,
  sign_in_case_sensitive: bool = None,
  sms_role: IRole = None,
  sms_role_external_id: str = None,
  sns_region: str = None,
  standard_attributes: StandardAttributes = None,
  user_invitation: UserInvitationConfig = None,
  user_pool_name: str = None,
  user_verification: UserVerificationConfig = None
)

Properties

Name Type Description
account_recovery aws_cdk.aws_cognito.AccountRecovery How will a user be able to recover their account?
advanced_security_mode aws_cdk.aws_cognito.AdvancedSecurityMode The user pool's Advanced Security Mode.
auto_verify aws_cdk.aws_cognito.AutoVerifiedAttrs Attributes which Cognito will look to verify automatically upon user sign up.
custom_attributes typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute] Define a set of custom attributes that can be configured for each user in the user pool.
custom_sender_kms_key aws_cdk.aws_kms.IKey This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletion_protection bool Indicates whether the user pool should have deletion protection enabled.
device_tracking aws_cdk.aws_cognito.DeviceTracking Device tracking settings.
email aws_cdk.aws_cognito.UserPoolEmail Email settings for a user pool.
enable_sms_role bool Setting this would explicitly enable or disable SMS role creation.
keep_original aws_cdk.aws_cognito.KeepOriginalAttrs Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambda_triggers aws_cdk.aws_cognito.UserPoolTriggers Lambda functions to use for supported Cognito triggers.
mfa aws_cdk.aws_cognito.Mfa Configure whether users of this user pool can or are required use MFA to sign in.
mfa_message str The SMS message template sent during MFA verification.
mfa_second_factor aws_cdk.aws_cognito.MfaSecondFactor Configure the MFA types that users can use in this user pool.
password_policy aws_cdk.aws_cognito.PasswordPolicy Password policy for this user pool.
removal_policy aws_cdk.RemovalPolicy Policy to apply when the user pool is removed from the stack.
self_sign_up_enabled bool Whether self sign-up should be enabled.
sign_in_aliases aws_cdk.aws_cognito.SignInAliases Methods in which a user registers or signs in to a user pool.
sign_in_case_sensitive bool Whether sign-in aliases should be evaluated with case sensitivity.
sms_role aws_cdk.aws_iam.IRole The IAM role that Cognito will assume while sending SMS messages.
sms_role_external_id str The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
sns_region str The region to integrate with SNS to send SMS messages.
standard_attributes aws_cdk.aws_cognito.StandardAttributes The set of attributes that are required for every user in the user pool.
user_invitation aws_cdk.aws_cognito.UserInvitationConfig Configuration around admins signing up users into a user pool.
user_pool_name str Name of the user pool.
user_verification aws_cdk.aws_cognito.UserVerificationConfig Configuration around users signing themselves up to the user pool.

account_recoveryOptional
account_recovery: AccountRecovery
  • Type: aws_cdk.aws_cognito.AccountRecovery
  • Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?


advanced_security_modeOptional
advanced_security_mode: AdvancedSecurityMode
  • Type: aws_cdk.aws_cognito.AdvancedSecurityMode
  • Default: no value

The user pool's Advanced Security Mode.


auto_verifyOptional
auto_verify: AutoVerifiedAttrs
  • Type: aws_cdk.aws_cognito.AutoVerifiedAttrs
  • Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.


custom_attributesOptional
custom_attributes: typing.Mapping[ICustomAttribute]
  • Type: typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]
  • Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.


custom_sender_kms_keyOptional
custom_sender_kms_key: IKey
  • Type: aws_cdk.aws_kms.IKey
  • Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html


deletion_protectionOptional
deletion_protection: bool
  • Type: bool
  • Default: false

Indicates whether the user pool should have deletion protection enabled.


device_trackingOptional
device_tracking: DeviceTracking
  • Type: aws_cdk.aws_cognito.DeviceTracking
  • Default: see defaults on each property of DeviceTracking.

Device tracking settings.


emailOptional
email: UserPoolEmail
  • Type: aws_cdk.aws_cognito.UserPoolEmail
  • Default: cognito will use the default email configuration

Email settings for a user pool.


enable_sms_roleOptional
enable_sms_role: bool
  • Type: bool
  • Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.


keep_originalOptional
keep_original: KeepOriginalAttrs
  • Type: aws_cdk.aws_cognito.KeepOriginalAttrs
  • Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.


lambda_triggersOptional
lambda_triggers: UserPoolTriggers
  • Type: aws_cdk.aws_cognito.UserPoolTriggers
  • Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html


mfaOptional
mfa: Mfa
  • Type: aws_cdk.aws_cognito.Mfa
  • Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.


mfa_messageOptional
mfa_message: str
  • Type: str
  • Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.


mfa_second_factorOptional
mfa_second_factor: MfaSecondFactor
  • Type: aws_cdk.aws_cognito.MfaSecondFactor
  • Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.


password_policyOptional
password_policy: PasswordPolicy
  • Type: aws_cdk.aws_cognito.PasswordPolicy
  • Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.


removal_policyOptional
removal_policy: RemovalPolicy
  • Type: aws_cdk.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.


self_sign_up_enabledOptional
self_sign_up_enabled: bool
  • Type: bool
  • Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.


sign_in_aliasesOptional
sign_in_aliases: SignInAliases
  • Type: aws_cdk.aws_cognito.SignInAliases
  • Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.


sign_in_case_sensitiveOptional
sign_in_case_sensitive: bool
  • Type: bool
  • Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.


sms_roleOptional
sms_role: IRole
  • Type: aws_cdk.aws_iam.IRole
  • Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.


sms_role_external_idOptional
sms_role_external_id: str
  • Type: str
  • Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.


sns_regionOptional
sns_region: str

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.


standard_attributesOptional
standard_attributes: StandardAttributes
  • Type: aws_cdk.aws_cognito.StandardAttributes
  • Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html


user_invitationOptional
user_invitation: UserInvitationConfig
  • Type: aws_cdk.aws_cognito.UserInvitationConfig
  • Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.


user_pool_nameOptional
user_pool_name: str
  • Type: str
  • Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.


user_verificationOptional
user_verification: UserVerificationConfig
  • Type: aws_cdk.aws_cognito.UserVerificationConfig
  • Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.



Last update: 2024-12-20