API Reference

Constructs

UserIdentity

Creates a UserPool and Identity Pool with sane defaults configured intended for usage from a web client.

Initializers

import aws.pdk.identity

aws.pdk.identity.UserIdentity(
  scope: Construct,
  id: str,
  allow_signup: bool = None,
  identity_pool_options: IdentityPoolProps = None,
  user_pool: UserPool = None
)

Name	Type	Description
`scope`	`constructs.Construct`	No description.
`id`	`str`	No description.
`allow_signup`	`bool`	Allow self sign up.
`identity_pool_options`	`aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps`	Configuration for the Identity Pool.
`user_pool`	`aws_cdk.aws_cognito.UserPool`	User provided Cognito UserPool.

`scope`^Required

Type: constructs.Construct

`id`^Required

Type: str

`allow_signup`^Optional

Type: bool
Default: false

Allow self sign up.

`identity_pool_options`^Optional

Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps

Configuration for the Identity Pool.

`user_pool`^Optional

Type: aws_cdk.aws_cognito.UserPool
Default: a userpool with mfa will be created.

User provided Cognito UserPool.

Methods

Name	Description
`to_string`	Returns a string representation of this construct.

`to_string`

def to_string() -> str

Returns a string representation of this construct.

Static Functions

Name	Description
`is_construct`	Checks if `x` is a construct.

`is_construct`

import aws.pdk.identity

aws.pdk.identity.UserIdentity.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

`x`^Required

Type: typing.Any

Any object.

Properties

Name	Type	Description
`node`	`constructs.Node`	The tree node.
`identity_pool`	`aws_cdk.aws_cognito_identitypool_alpha.IdentityPool`	No description.
`user_pool`	`aws_cdk.aws_cognito.UserPool`	No description.
`user_pool_client`	`aws_cdk.aws_cognito.UserPoolClient`	No description.

`node`^Required

node: Node

Type: constructs.Node

The tree node.

`identity_pool`^Required

identity_pool: IdentityPool

Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPool

`user_pool`^Required

user_pool: UserPool

Type: aws_cdk.aws_cognito.UserPool

`user_pool_client`^Required

user_pool_client: UserPoolClient

Type: aws_cdk.aws_cognito.UserPoolClient

UserPoolWithMfa

Configures a UserPool with MFA across SMS/TOTP using sane defaults.

Initializers

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa(
  scope: Construct,
  id: str,
  account_recovery: AccountRecovery = None,
  advanced_security_mode: AdvancedSecurityMode = None,
  auto_verify: AutoVerifiedAttrs = None,
  custom_attributes: typing.Mapping[ICustomAttribute] = None,
  custom_sender_kms_key: IKey = None,
  deletion_protection: bool = None,
  device_tracking: DeviceTracking = None,
  email: UserPoolEmail = None,
  enable_sms_role: bool = None,
  keep_original: KeepOriginalAttrs = None,
  lambda_triggers: UserPoolTriggers = None,
  mfa: Mfa = None,
  mfa_message: str = None,
  mfa_second_factor: MfaSecondFactor = None,
  password_policy: PasswordPolicy = None,
  removal_policy: RemovalPolicy = None,
  self_sign_up_enabled: bool = None,
  sign_in_aliases: SignInAliases = None,
  sign_in_case_sensitive: bool = None,
  sms_role: IRole = None,
  sms_role_external_id: str = None,
  sns_region: str = None,
  standard_attributes: StandardAttributes = None,
  user_invitation: UserInvitationConfig = None,
  user_pool_name: str = None,
  user_verification: UserVerificationConfig = None
)

Name	Type	Description
`scope`	`constructs.Construct`	No description.
`id`	`str`	No description.
`account_recovery`	`aws_cdk.aws_cognito.AccountRecovery`	How will a user be able to recover their account?
`advanced_security_mode`	`aws_cdk.aws_cognito.AdvancedSecurityMode`	The user pool's Advanced Security Mode.
`auto_verify`	`aws_cdk.aws_cognito.AutoVerifiedAttrs`	Attributes which Cognito will look to verify automatically upon user sign up.
`custom_attributes`	`typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]`	Define a set of custom attributes that can be configured for each user in the user pool.
`custom_sender_kms_key`	`aws_cdk.aws_kms.IKey`	This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
`deletion_protection`	`bool`	Indicates whether the user pool should have deletion protection enabled.
`device_tracking`	`aws_cdk.aws_cognito.DeviceTracking`	Device tracking settings.
`email`	`aws_cdk.aws_cognito.UserPoolEmail`	Email settings for a user pool.
`enable_sms_role`	`bool`	Setting this would explicitly enable or disable SMS role creation.
`keep_original`	`aws_cdk.aws_cognito.KeepOriginalAttrs`	Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
`lambda_triggers`	`aws_cdk.aws_cognito.UserPoolTriggers`	Lambda functions to use for supported Cognito triggers.
`mfa`	`aws_cdk.aws_cognito.Mfa`	Configure whether users of this user pool can or are required use MFA to sign in.
`mfa_message`	`str`	The SMS message template sent during MFA verification.
`mfa_second_factor`	`aws_cdk.aws_cognito.MfaSecondFactor`	Configure the MFA types that users can use in this user pool.
`password_policy`	`aws_cdk.aws_cognito.PasswordPolicy`	Password policy for this user pool.
`removal_policy`	`aws_cdk.RemovalPolicy`	Policy to apply when the user pool is removed from the stack.
`self_sign_up_enabled`	`bool`	Whether self sign-up should be enabled.
`sign_in_aliases`	`aws_cdk.aws_cognito.SignInAliases`	Methods in which a user registers or signs in to a user pool.
`sign_in_case_sensitive`	`bool`	Whether sign-in aliases should be evaluated with case sensitivity.
`sms_role`	`aws_cdk.aws_iam.IRole`	The IAM role that Cognito will assume while sending SMS messages.
`sms_role_external_id`	`str`	The 'ExternalId' that Cognito service must be using when assuming the `smsRole`, if the role is restricted with an 'sts:ExternalId' conditional.
`sns_region`	`str`	The region to integrate with SNS to send SMS messages.
`standard_attributes`	`aws_cdk.aws_cognito.StandardAttributes`	The set of attributes that are required for every user in the user pool.
`user_invitation`	`aws_cdk.aws_cognito.UserInvitationConfig`	Configuration around admins signing up users into a user pool.
`user_pool_name`	`str`	Name of the user pool.
`user_verification`	`aws_cdk.aws_cognito.UserVerificationConfig`	Configuration around users signing themselves up to the user pool.

`scope`^Required

Type: constructs.Construct

`id`^Required

Type: str

`account_recovery`^Optional

Type: aws_cdk.aws_cognito.AccountRecovery
Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

`advanced_security_mode`^Optional

Type: aws_cdk.aws_cognito.AdvancedSecurityMode
Default: no value

The user pool's Advanced Security Mode.

`auto_verify`^Optional

Type: aws_cdk.aws_cognito.AutoVerifiedAttrs
Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

`custom_attributes`^Optional

Type: typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]
Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

`custom_sender_kms_key`^Optional

Type: aws_cdk.aws_kms.IKey
Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

`deletion_protection`^Optional

Type: bool
Default: false

Indicates whether the user pool should have deletion protection enabled.

`device_tracking`^Optional

Type: aws_cdk.aws_cognito.DeviceTracking
Default: see defaults on each property of DeviceTracking.

Device tracking settings.

`email`^Optional

Type: aws_cdk.aws_cognito.UserPoolEmail
Default: cognito will use the default email configuration

Email settings for a user pool.

`enable_sms_role`^Optional

Type: bool
Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

`keep_original`^Optional

Type: aws_cdk.aws_cognito.KeepOriginalAttrs
Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

`lambda_triggers`^Optional

Type: aws_cdk.aws_cognito.UserPoolTriggers
Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

`mfa`^Optional

Type: aws_cdk.aws_cognito.Mfa
Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

`mfa_message`^Optional

Type: str
Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

`mfa_second_factor`^Optional

Type: aws_cdk.aws_cognito.MfaSecondFactor
Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

`password_policy`^Optional

Type: aws_cdk.aws_cognito.PasswordPolicy
Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

`removal_policy`^Optional

Type: aws_cdk.RemovalPolicy
Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

`self_sign_up_enabled`^Optional

Type: bool
Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

`sign_in_aliases`^Optional

Type: aws_cdk.aws_cognito.SignInAliases
Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

`sign_in_case_sensitive`^Optional

Type: bool
Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

`sms_role`^Optional

Type: aws_cdk.aws_iam.IRole
Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

`sms_role_external_id`^Optional

Type: str
Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

`sns_region`^Optional

Type: str
Default: The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

`standard_attributes`^Optional

Type: aws_cdk.aws_cognito.StandardAttributes
Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

`user_invitation`^Optional

Type: aws_cdk.aws_cognito.UserInvitationConfig
Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

`user_pool_name`^Optional

Type: str
Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

`user_verification`^Optional

Type: aws_cdk.aws_cognito.UserVerificationConfig
Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Methods

Name	Description
`to_string`	Returns a string representation of this construct.
`apply_removal_policy`	Apply the given removal policy to this resource.
`add_client`	Add a new app client to this user pool.
`add_domain`	Associate a domain to this user pool.
`add_resource_server`	Add a new resource server to this user pool.
`add_trigger`	Add a lambda trigger to a user pool operation.
`grant`	Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
`register_identity_provider`	Register an identity provider with this user pool.

`to_string`

def to_string() -> str

Returns a string representation of this construct.

`apply_removal_policy`

def apply_removal_policy(
  policy: RemovalPolicy
) -> None

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

`policy`^Required

Type: aws_cdk.RemovalPolicy

`add_client`

def add_client(
  id: str,
  access_token_validity: Duration = None,
  auth_flows: AuthFlow = None,
  auth_session_validity: Duration = None,
  disable_o_auth: bool = None,
  enable_propagate_additional_user_context_data: bool = None,
  enable_token_revocation: bool = None,
  generate_secret: bool = None,
  id_token_validity: Duration = None,
  o_auth: OAuthSettings = None,
  prevent_user_existence_errors: bool = None,
  read_attributes: ClientAttributes = None,
  refresh_token_validity: Duration = None,
  supported_identity_providers: typing.List[UserPoolClientIdentityProvider] = None,
  user_pool_client_name: str = None,
  write_attributes: ClientAttributes = None
) -> UserPoolClient

Add a new app client to this user pool.

`id`^Required

Type: str

`access_token_validity`^Optional

Type: aws_cdk.Duration
Default: Duration.minutes(60)

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

`auth_flows`^Optional

Type: aws_cdk.aws_cognito.AuthFlow
Default: If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

The set of OAuth authentication flows to enable on the client.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

`auth_session_validity`^Optional

Type: aws_cdk.Duration
Default: Duration.minutes(3)

Cognito creates a session token for each API request in an authentication flow.

AuthSessionValidity is the duration, in minutes, of that session token. see defaults in AuthSessionValidity. Valid duration is from 3 to 15 minutes.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity

`disable_o_auth`^Optional

Type: bool
Default: false

Turns off all OAuth interactions for this client.

`enable_propagate_additional_user_context_data`^Optional

Type: bool
Default: false for new user pool clients

Enable the propagation of additional user context data.

You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint

`enable_token_revocation`^Optional

Type: bool
Default: true for new user pool clients

Enable token revocation for this client.

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation

`generate_secret`^Optional

Type: bool
Default: false

Whether to generate a client secret.

`id_token_validity`^Optional

Type: aws_cdk.Duration
Default: Duration.minutes(60)

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

`o_auth`^Optional

Type: aws_cdk.aws_cognito.OAuthSettings
Default: see defaults in OAuthSettings. meaningless if disableOAuth is set.

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.

`prevent_user_existence_errors`^Optional

Type: bool
Default: false

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

`read_attributes`^Optional

Type: aws_cdk.aws_cognito.ClientAttributes
Default: all standard and custom attributes

The set of attributes this client will be able to read.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

`refresh_token_validity`^Optional

Type: aws_cdk.Duration
Default: Duration.days(30)

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token

`supported_identity_providers`^Optional

Type: typing.List[aws_cdk.aws_cognito.UserPoolClientIdentityProvider]
Default: supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

The list of identity providers that users should be able to use to sign in using this client.

`user_pool_client_name`^Optional

Type: str
Default: cloudformation generated name

Name of the application client.

`write_attributes`^Optional

Type: aws_cdk.aws_cognito.ClientAttributes
Default: all standard and custom attributes

The set of attributes this client will be able to write.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

`add_domain`

def add_domain(
  id: str,
  cognito_domain: CognitoDomainOptions = None,
  custom_domain: CustomDomainOptions = None
) -> UserPoolDomain

Associate a domain to this user pool.

`id`^Required

Type: str

`cognito_domain`^Optional

Type: aws_cdk.aws_cognito.CognitoDomainOptions
Default: not set if customDomain is specified, otherwise, throws an error.

Associate a cognito prefix domain with your user pool Either customDomain or cognitoDomain must be specified.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html

`custom_domain`^Optional

Type: aws_cdk.aws_cognito.CustomDomainOptions
Default: not set if cognitoDomain is specified, otherwise, throws an error.

Associate a custom domain with your user pool Either customDomain or cognitoDomain must be specified.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html

`add_resource_server`

def add_resource_server(
  id: str,
  identifier: str,
  scopes: typing.List[ResourceServerScope] = None,
  user_pool_resource_server_name: str = None
) -> UserPoolResourceServer

Add a new resource server to this user pool.

`id`^Required

Type: str

`identifier`^Required

Type: str

A unique resource server identifier for the resource server.

`scopes`^Optional

Type: typing.List[aws_cdk.aws_cognito.ResourceServerScope]
Default: No scopes will be added

Oauth scopes.

`user_pool_resource_server_name`^Optional

Type: str
Default: same as identifier

A friendly name for the resource server.

`add_trigger`

def add_trigger(
  operation: UserPoolOperation,
  fn: IFunction,
  lambda_version: LambdaVersion = None
) -> None

Add a lambda trigger to a user pool operation.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

`operation`^Required

Type: aws_cdk.aws_cognito.UserPoolOperation

`fn`^Required

Type: aws_cdk.aws_lambda.IFunction

`lambda_version`^Optional

Type: aws_cdk.aws_cognito.LambdaVersion

`grant`

def grant(
  grantee: IGrantable,
  actions: str
) -> Grant

Adds an IAM policy statement associated with this user pool to an IAM principal's policy.

`grantee`^Required

Type: aws_cdk.aws_iam.IGrantable

`actions`^Required

Type: str

`register_identity_provider`

def register_identity_provider(
  provider: IUserPoolIdentityProvider
) -> None

Register an identity provider with this user pool.

`provider`^Required

Type: aws_cdk.aws_cognito.IUserPoolIdentityProvider

Static Functions

Name	Description
`is_construct`	Checks if `x` is a construct.
`is_owned_resource`	Returns true if the construct was created by CDK, and false otherwise.
`is_resource`	Check whether the given construct is a Resource.
`from_user_pool_arn`	Import an existing user pool based on its ARN.
`from_user_pool_id`	Import an existing user pool based on its id.

`is_construct`

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

`x`^Required

Type: typing.Any

Any object.

`is_owned_resource`

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_owned_resource(
  construct: IConstruct
)

Returns true if the construct was created by CDK, and false otherwise.

`construct`^Required

Type: constructs.IConstruct

`is_resource`

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_resource(
  construct: IConstruct
)

Check whether the given construct is a Resource.

`construct`^Required

Type: constructs.IConstruct

`from_user_pool_arn`

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.from_user_pool_arn(
  scope: Construct,
  id: str,
  user_pool_arn: str
)

Import an existing user pool based on its ARN.

`scope`^Required

Type: constructs.Construct

`id`^Required

Type: str

`user_pool_arn`^Required

Type: str

`from_user_pool_id`

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.from_user_pool_id(
  scope: Construct,
  id: str,
  user_pool_id: str
)

Import an existing user pool based on its id.

`scope`^Required

Type: constructs.Construct

`id`^Required

Type: str

`user_pool_id`^Required

Type: str

Properties

Name	Type	Description
`node`	`constructs.Node`	The tree node.
`env`	`aws_cdk.ResourceEnvironment`	The environment this resource belongs to.
`stack`	`aws_cdk.Stack`	The stack in which this resource is defined.
`identity_providers`	`typing.List[aws_cdk.aws_cognito.IUserPoolIdentityProvider]`	Get all identity providers registered with this user pool.
`user_pool_arn`	`str`	The ARN of the user pool.
`user_pool_id`	`str`	The physical ID of this user pool resource.
`user_pool_provider_name`	`str`	User pool provider name.
`user_pool_provider_url`	`str`	User pool provider URL.

`node`^Required

node: Node

Type: constructs.Node

The tree node.

`env`^Required

env: ResourceEnvironment

Type: aws_cdk.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

`stack`^Required

stack: Stack

Type: aws_cdk.Stack

The stack in which this resource is defined.

`identity_providers`^Required

identity_providers: typing.List[IUserPoolIdentityProvider]

Type: typing.List[aws_cdk.aws_cognito.IUserPoolIdentityProvider]

Get all identity providers registered with this user pool.

`user_pool_arn`^Required

user_pool_arn: str

Type: str

The ARN of the user pool.

`user_pool_id`^Required

user_pool_id: str

Type: str

The physical ID of this user pool resource.

`user_pool_provider_name`^Required

user_pool_provider_name: str

Type: str

User pool provider name.

`user_pool_provider_url`^Required

user_pool_provider_url: str

Type: str

User pool provider URL.

Structs

UserIdentityProps

Properties which configures the Identity Pool.

Initializer

import aws.pdk.identity

aws.pdk.identity.UserIdentityProps(
  allow_signup: bool = None,
  identity_pool_options: IdentityPoolProps = None,
  user_pool: UserPool = None
)

Properties

Name	Type	Description
`allow_signup`	`bool`	Allow self sign up.
`identity_pool_options`	`aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps`	Configuration for the Identity Pool.
`user_pool`	`aws_cdk.aws_cognito.UserPool`	User provided Cognito UserPool.

`allow_signup`^Optional

allow_signup: bool

Type: bool
Default: false

Allow self sign up.

`identity_pool_options`^Optional

identity_pool_options: IdentityPoolProps

Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps

Configuration for the Identity Pool.

`user_pool`^Optional

user_pool: UserPool

Type: aws_cdk.aws_cognito.UserPool
Default: a userpool with mfa will be created.

User provided Cognito UserPool.

UserPoolWithMfaProps

UserPoolWithMfa props.

Initializer

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfaProps(
  account_recovery: AccountRecovery = None,
  advanced_security_mode: AdvancedSecurityMode = None,
  auto_verify: AutoVerifiedAttrs = None,
  custom_attributes: typing.Mapping[ICustomAttribute] = None,
  custom_sender_kms_key: IKey = None,
  deletion_protection: bool = None,
  device_tracking: DeviceTracking = None,
  email: UserPoolEmail = None,
  enable_sms_role: bool = None,
  keep_original: KeepOriginalAttrs = None,
  lambda_triggers: UserPoolTriggers = None,
  mfa: Mfa = None,
  mfa_message: str = None,
  mfa_second_factor: MfaSecondFactor = None,
  password_policy: PasswordPolicy = None,
  removal_policy: RemovalPolicy = None,
  self_sign_up_enabled: bool = None,
  sign_in_aliases: SignInAliases = None,
  sign_in_case_sensitive: bool = None,
  sms_role: IRole = None,
  sms_role_external_id: str = None,
  sns_region: str = None,
  standard_attributes: StandardAttributes = None,
  user_invitation: UserInvitationConfig = None,
  user_pool_name: str = None,
  user_verification: UserVerificationConfig = None
)

Properties

Name	Type	Description
`account_recovery`	`aws_cdk.aws_cognito.AccountRecovery`	How will a user be able to recover their account?
`advanced_security_mode`	`aws_cdk.aws_cognito.AdvancedSecurityMode`	The user pool's Advanced Security Mode.
`auto_verify`	`aws_cdk.aws_cognito.AutoVerifiedAttrs`	Attributes which Cognito will look to verify automatically upon user sign up.
`custom_attributes`	`typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]`	Define a set of custom attributes that can be configured for each user in the user pool.
`custom_sender_kms_key`	`aws_cdk.aws_kms.IKey`	This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
`deletion_protection`	`bool`	Indicates whether the user pool should have deletion protection enabled.
`device_tracking`	`aws_cdk.aws_cognito.DeviceTracking`	Device tracking settings.
`email`	`aws_cdk.aws_cognito.UserPoolEmail`	Email settings for a user pool.
`enable_sms_role`	`bool`	Setting this would explicitly enable or disable SMS role creation.
`keep_original`	`aws_cdk.aws_cognito.KeepOriginalAttrs`	Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
`lambda_triggers`	`aws_cdk.aws_cognito.UserPoolTriggers`	Lambda functions to use for supported Cognito triggers.
`mfa`	`aws_cdk.aws_cognito.Mfa`	Configure whether users of this user pool can or are required use MFA to sign in.
`mfa_message`	`str`	The SMS message template sent during MFA verification.
`mfa_second_factor`	`aws_cdk.aws_cognito.MfaSecondFactor`	Configure the MFA types that users can use in this user pool.
`password_policy`	`aws_cdk.aws_cognito.PasswordPolicy`	Password policy for this user pool.
`removal_policy`	`aws_cdk.RemovalPolicy`	Policy to apply when the user pool is removed from the stack.
`self_sign_up_enabled`	`bool`	Whether self sign-up should be enabled.
`sign_in_aliases`	`aws_cdk.aws_cognito.SignInAliases`	Methods in which a user registers or signs in to a user pool.
`sign_in_case_sensitive`	`bool`	Whether sign-in aliases should be evaluated with case sensitivity.
`sms_role`	`aws_cdk.aws_iam.IRole`	The IAM role that Cognito will assume while sending SMS messages.
`sms_role_external_id`	`str`	The 'ExternalId' that Cognito service must be using when assuming the `smsRole`, if the role is restricted with an 'sts:ExternalId' conditional.
`sns_region`	`str`	The region to integrate with SNS to send SMS messages.
`standard_attributes`	`aws_cdk.aws_cognito.StandardAttributes`	The set of attributes that are required for every user in the user pool.
`user_invitation`	`aws_cdk.aws_cognito.UserInvitationConfig`	Configuration around admins signing up users into a user pool.
`user_pool_name`	`str`	Name of the user pool.
`user_verification`	`aws_cdk.aws_cognito.UserVerificationConfig`	Configuration around users signing themselves up to the user pool.

`account_recovery`^Optional

account_recovery: AccountRecovery

Type: aws_cdk.aws_cognito.AccountRecovery
Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

`advanced_security_mode`^Optional

advanced_security_mode: AdvancedSecurityMode

Type: aws_cdk.aws_cognito.AdvancedSecurityMode
Default: no value

The user pool's Advanced Security Mode.

`auto_verify`^Optional

auto_verify: AutoVerifiedAttrs

Type: aws_cdk.aws_cognito.AutoVerifiedAttrs
Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

`custom_attributes`^Optional

custom_attributes: typing.Mapping[ICustomAttribute]

Type: typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]
Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

`custom_sender_kms_key`^Optional

custom_sender_kms_key: IKey

Type: aws_cdk.aws_kms.IKey
Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

`deletion_protection`^Optional

deletion_protection: bool

Type: bool
Default: false

Indicates whether the user pool should have deletion protection enabled.

`device_tracking`^Optional

device_tracking: DeviceTracking

Type: aws_cdk.aws_cognito.DeviceTracking
Default: see defaults on each property of DeviceTracking.

Device tracking settings.

`email`^Optional

email: UserPoolEmail

Type: aws_cdk.aws_cognito.UserPoolEmail
Default: cognito will use the default email configuration

Email settings for a user pool.

`enable_sms_role`^Optional

enable_sms_role: bool

Type: bool
Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

`keep_original`^Optional

keep_original: KeepOriginalAttrs

Type: aws_cdk.aws_cognito.KeepOriginalAttrs
Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

`lambda_triggers`^Optional

lambda_triggers: UserPoolTriggers

Type: aws_cdk.aws_cognito.UserPoolTriggers
Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

`mfa`^Optional

mfa: Mfa

Type: aws_cdk.aws_cognito.Mfa
Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

`mfa_message`^Optional

mfa_message: str

Type: str
Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

`mfa_second_factor`^Optional

mfa_second_factor: MfaSecondFactor

Type: aws_cdk.aws_cognito.MfaSecondFactor
Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

`password_policy`^Optional

password_policy: PasswordPolicy

Type: aws_cdk.aws_cognito.PasswordPolicy
Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

`removal_policy`^Optional

removal_policy: RemovalPolicy

Type: aws_cdk.RemovalPolicy
Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

`self_sign_up_enabled`^Optional

self_sign_up_enabled: bool

Type: bool
Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

`sign_in_aliases`^Optional

sign_in_aliases: SignInAliases

Type: aws_cdk.aws_cognito.SignInAliases
Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

`sign_in_case_sensitive`^Optional

sign_in_case_sensitive: bool

Type: bool
Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

`sms_role`^Optional

sms_role: IRole

Type: aws_cdk.aws_iam.IRole
Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

`sms_role_external_id`^Optional

sms_role_external_id: str

Type: str
Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

`sns_region`^Optional

sns_region: str

Type: str
Default: The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

`standard_attributes`^Optional

standard_attributes: StandardAttributes

Type: aws_cdk.aws_cognito.StandardAttributes
Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

`user_invitation`^Optional

user_invitation: UserInvitationConfig

Type: aws_cdk.aws_cognito.UserInvitationConfig
Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

`user_pool_name`^Optional

user_pool_name: str

Type: str
Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

`user_verification`^Optional

user_verification: UserVerificationConfig

Type: aws_cdk.aws_cognito.UserVerificationConfig
Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Last update: 2025-07-17

API Reference

Constructs

UserIdentity

Initializers

scopeRequired

idRequired

allow_signupOptional

identity_pool_optionsOptional

user_poolOptional

Methods

to_string

Static Functions

is_construct

xRequired

Properties

nodeRequired

identity_poolRequired

user_poolRequired

user_pool_clientRequired

UserPoolWithMfa

Initializers

scopeRequired

idRequired

account_recoveryOptional

advanced_security_modeOptional

auto_verifyOptional

custom_attributesOptional

custom_sender_kms_keyOptional

deletion_protectionOptional

device_trackingOptional

emailOptional

enable_sms_roleOptional

keep_originalOptional

lambda_triggersOptional

mfaOptional

mfa_messageOptional

mfa_second_factorOptional

password_policyOptional

removal_policyOptional

self_sign_up_enabledOptional

sign_in_aliasesOptional

sign_in_case_sensitiveOptional

sms_roleOptional

sms_role_external_idOptional

sns_regionOptional

standard_attributesOptional

user_invitationOptional

user_pool_nameOptional

user_verificationOptional

Methods

to_string

apply_removal_policy

policyRequired

add_client

idRequired

access_token_validityOptional

auth_flowsOptional

auth_session_validityOptional

disable_o_authOptional

enable_propagate_additional_user_context_dataOptional

enable_token_revocationOptional

generate_secretOptional

id_token_validityOptional

o_authOptional

prevent_user_existence_errorsOptional

read_attributesOptional

refresh_token_validityOptional

supported_identity_providersOptional

user_pool_client_nameOptional

write_attributesOptional

add_domain

idRequired

cognito_domainOptional

custom_domainOptional

add_resource_server

idRequired

identifierRequired

scopesOptional

user_pool_resource_server_nameOptional

add_trigger

`scope`^Required

`id`^Required

`allow_signup`^Optional

`identity_pool_options`^Optional

`user_pool`^Optional

`to_string`

`is_construct`

`x`^Required

`node`^Required

`identity_pool`^Required

`user_pool`^Required

`user_pool_client`^Required

`scope`^Required

`id`^Required

`account_recovery`^Optional

`advanced_security_mode`^Optional

`auto_verify`^Optional

`custom_attributes`^Optional

`custom_sender_kms_key`^Optional

`deletion_protection`^Optional

`device_tracking`^Optional

`email`^Optional

`enable_sms_role`^Optional

`keep_original`^Optional

`lambda_triggers`^Optional

`mfa`^Optional

`mfa_message`^Optional

`mfa_second_factor`^Optional

`password_policy`^Optional

`removal_policy`^Optional

`self_sign_up_enabled`^Optional

`sign_in_aliases`^Optional

`sign_in_case_sensitive`^Optional

`sms_role`^Optional

`sms_role_external_id`^Optional

`sns_region`^Optional

`standard_attributes`^Optional

`user_invitation`^Optional

`user_pool_name`^Optional

`user_verification`^Optional

`to_string`

`apply_removal_policy`

`policy`^Required

`add_client`

`id`^Required

`access_token_validity`^Optional

`auth_flows`^Optional

`auth_session_validity`^Optional

`disable_o_auth`^Optional

`enable_propagate_additional_user_context_data`^Optional

`enable_token_revocation`^Optional

`generate_secret`^Optional

`id_token_validity`^Optional

`o_auth`^Optional

`prevent_user_existence_errors`^Optional

`read_attributes`^Optional

`refresh_token_validity`^Optional

`supported_identity_providers`^Optional

`user_pool_client_name`^Optional

`write_attributes`^Optional

`add_domain`

`id`^Required

`cognito_domain`^Optional

`custom_domain`^Optional

`add_resource_server`

`id`^Required

`identifier`^Required

`scopes`^Optional

`user_pool_resource_server_name`^Optional

`add_trigger`

`operation`^Required

`fn`^Required

`lambda_version`^Optional

`grant`

`grantee`^Required

`actions`^Required

`register_identity_provider`

`provider`^Required

`is_construct`

`x`^Required