Skip to content

API Reference

Constructs

UserIdentity

Creates a UserPool and Identity Pool with sane defaults configured intended for usage from a web client.

Initializers 

import aws.pdk.identity

aws.pdk.identity.UserIdentity(
  scope: Construct,
  id: str,
  identity_pool_options: IdentityPoolProps = None,
  user_pool: UserPool = None
)
Name Type Description
scope constructs.Construct No description.
id str No description.
identity_pool_options aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps Configuration for the Identity Pool.
user_pool aws_cdk.aws_cognito.UserPool User provided Cognito UserPool.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: str
identity_pool_optionsOptional
  • Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps

Configuration for the Identity Pool.

user_poolOptional
  • Type: aws_cdk.aws_cognito.UserPool
  • Default: a userpool with mfa will be created.

User provided Cognito UserPool.

Methods

Name Description
to_string Returns a string representation of this construct.
to_string 
def to_string() -> str

Returns a string representation of this construct.

Static Functions

Name Description
is_construct Checks if x is a construct.
is_construct 
import aws.pdk.identity

aws.pdk.identity.UserIdentity.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.

Properties

Name Type Description
node constructs.Node The tree node.
identity_pool aws_cdk.aws_cognito_identitypool_alpha.IdentityPool No description.
user_pool aws_cdk.aws_cognito.UserPool No description.
user_pool_client aws_cdk.aws_cognito.UserPoolClient No description.
nodeRequired 
node: Node
  • Type: constructs.Node

The tree node.

identity_poolRequired 
identity_pool: IdentityPool
  • Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPool
user_poolRequired 
user_pool: UserPool
  • Type: aws_cdk.aws_cognito.UserPool
user_pool_clientRequired 
user_pool_client: UserPoolClient
  • Type: aws_cdk.aws_cognito.UserPoolClient

UserPoolWithMfa

Configures a UserPool with MFA across SMS/TOTP using sane defaults.

Initializers 

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa(
  scope: Construct,
  id: str,
  account_recovery: AccountRecovery = None,
  advanced_security_mode: AdvancedSecurityMode = None,
  auto_verify: AutoVerifiedAttrs = None,
  custom_attributes: typing.Mapping[ICustomAttribute] = None,
  custom_sender_kms_key: IKey = None,
  deletion_protection: bool = None,
  device_tracking: DeviceTracking = None,
  email: UserPoolEmail = None,
  enable_sms_role: bool = None,
  keep_original: KeepOriginalAttrs = None,
  lambda_triggers: UserPoolTriggers = None,
  mfa: Mfa = None,
  mfa_message: str = None,
  mfa_second_factor: MfaSecondFactor = None,
  password_policy: PasswordPolicy = None,
  removal_policy: RemovalPolicy = None,
  self_sign_up_enabled: bool = None,
  sign_in_aliases: SignInAliases = None,
  sign_in_case_sensitive: bool = None,
  sms_role: IRole = None,
  sms_role_external_id: str = None,
  sns_region: str = None,
  standard_attributes: StandardAttributes = None,
  user_invitation: UserInvitationConfig = None,
  user_pool_name: str = None,
  user_verification: UserVerificationConfig = None
)
Name Type Description
scope constructs.Construct No description.
id str No description.
account_recovery aws_cdk.aws_cognito.AccountRecovery How will a user be able to recover their account?
advanced_security_mode aws_cdk.aws_cognito.AdvancedSecurityMode The user pool's Advanced Security Mode.
auto_verify aws_cdk.aws_cognito.AutoVerifiedAttrs Attributes which Cognito will look to verify automatically upon user sign up.
custom_attributes typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute] Define a set of custom attributes that can be configured for each user in the user pool.
custom_sender_kms_key aws_cdk.aws_kms.IKey This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletion_protection bool Indicates whether the user pool should have deletion protection enabled.
device_tracking aws_cdk.aws_cognito.DeviceTracking Device tracking settings.
email aws_cdk.aws_cognito.UserPoolEmail Email settings for a user pool.
enable_sms_role bool Setting this would explicitly enable or disable SMS role creation.
keep_original aws_cdk.aws_cognito.KeepOriginalAttrs Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambda_triggers aws_cdk.aws_cognito.UserPoolTriggers Lambda functions to use for supported Cognito triggers.
mfa aws_cdk.aws_cognito.Mfa Configure whether users of this user pool can or are required use MFA to sign in.
mfa_message str The SMS message template sent during MFA verification.
mfa_second_factor aws_cdk.aws_cognito.MfaSecondFactor Configure the MFA types that users can use in this user pool.
password_policy aws_cdk.aws_cognito.PasswordPolicy Password policy for this user pool.
removal_policy aws_cdk.RemovalPolicy Policy to apply when the user pool is removed from the stack.
self_sign_up_enabled bool Whether self sign-up should be enabled.
sign_in_aliases aws_cdk.aws_cognito.SignInAliases Methods in which a user registers or signs in to a user pool.
sign_in_case_sensitive bool Whether sign-in aliases should be evaluated with case sensitivity.
sms_role aws_cdk.aws_iam.IRole The IAM role that Cognito will assume while sending SMS messages.
sms_role_external_id str The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
sns_region str The region to integrate with SNS to send SMS messages.
standard_attributes aws_cdk.aws_cognito.StandardAttributes The set of attributes that are required for every user in the user pool.
user_invitation aws_cdk.aws_cognito.UserInvitationConfig Configuration around admins signing up users into a user pool.
user_pool_name str Name of the user pool.
user_verification aws_cdk.aws_cognito.UserVerificationConfig Configuration around users signing themselves up to the user pool.
scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: str
account_recoveryOptional
  • Type: aws_cdk.aws_cognito.AccountRecovery
  • Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

advanced_security_modeOptional
  • Type: aws_cdk.aws_cognito.AdvancedSecurityMode
  • Default: no value

The user pool's Advanced Security Mode.

auto_verifyOptional
  • Type: aws_cdk.aws_cognito.AutoVerifiedAttrs
  • Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

custom_attributesOptional
  • Type: typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]
  • Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

custom_sender_kms_keyOptional
  • Type: aws_cdk.aws_kms.IKey
  • Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

deletion_protectionOptional
  • Type: bool
  • Default: false

Indicates whether the user pool should have deletion protection enabled.

device_trackingOptional
  • Type: aws_cdk.aws_cognito.DeviceTracking
  • Default: see defaults on each property of DeviceTracking.

Device tracking settings.

emailOptional
  • Type: aws_cdk.aws_cognito.UserPoolEmail
  • Default: cognito will use the default email configuration

Email settings for a user pool.

enable_sms_roleOptional
  • Type: bool
  • Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

keep_originalOptional
  • Type: aws_cdk.aws_cognito.KeepOriginalAttrs
  • Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

lambda_triggersOptional
  • Type: aws_cdk.aws_cognito.UserPoolTriggers
  • Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

mfaOptional
  • Type: aws_cdk.aws_cognito.Mfa
  • Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

mfa_messageOptional
  • Type: str
  • Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

mfa_second_factorOptional
  • Type: aws_cdk.aws_cognito.MfaSecondFactor
  • Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

password_policyOptional
  • Type: aws_cdk.aws_cognito.PasswordPolicy
  • Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

removal_policyOptional
  • Type: aws_cdk.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

self_sign_up_enabledOptional
  • Type: bool
  • Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

sign_in_aliasesOptional
  • Type: aws_cdk.aws_cognito.SignInAliases
  • Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

sign_in_case_sensitiveOptional
  • Type: bool
  • Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

sms_roleOptional
  • Type: aws_cdk.aws_iam.IRole
  • Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

sms_role_external_idOptional
  • Type: str
  • Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

sns_regionOptional

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

standard_attributesOptional
  • Type: aws_cdk.aws_cognito.StandardAttributes
  • Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

user_invitationOptional
  • Type: aws_cdk.aws_cognito.UserInvitationConfig
  • Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

user_pool_nameOptional
  • Type: str
  • Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

user_verificationOptional
  • Type: aws_cdk.aws_cognito.UserVerificationConfig
  • Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Methods

Name Description
to_string Returns a string representation of this construct.
apply_removal_policy Apply the given removal policy to this resource.
add_client Add a new app client to this user pool.
add_domain Associate a domain to this user pool.
add_resource_server Add a new resource server to this user pool.
add_trigger Add a lambda trigger to a user pool operation.
grant Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
register_identity_provider Register an identity provider with this user pool.
to_string 
def to_string() -> str

Returns a string representation of this construct.

apply_removal_policy 
def apply_removal_policy(
  policy: RemovalPolicy
) -> None

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: aws_cdk.RemovalPolicy
add_client 
def add_client(
  id: str,
  access_token_validity: Duration = None,
  auth_flows: AuthFlow = None,
  auth_session_validity: Duration = None,
  disable_o_auth: bool = None,
  enable_token_revocation: bool = None,
  generate_secret: bool = None,
  id_token_validity: Duration = None,
  o_auth: OAuthSettings = None,
  prevent_user_existence_errors: bool = None,
  read_attributes: ClientAttributes = None,
  refresh_token_validity: Duration = None,
  supported_identity_providers: typing.List[UserPoolClientIdentityProvider] = None,
  user_pool_client_name: str = None,
  write_attributes: ClientAttributes = None
) -> UserPoolClient

Add a new app client to this user pool.

idRequired
  • Type: str
access_token_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.minutes(60)

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

auth_flowsOptional
  • Type: aws_cdk.aws_cognito.AuthFlow
  • Default: If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

The set of OAuth authentication flows to enable on the client.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

auth_session_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.minutes(3)

Cognito creates a session token for each API request in an authentication flow.

AuthSessionValidity is the duration, in minutes, of that session token. see defaults in AuthSessionValidity. Valid duration is from 3 to 15 minutes.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity

disable_o_authOptional
  • Type: bool
  • Default: false

Turns off all OAuth interactions for this client.

enable_token_revocationOptional
  • Type: bool
  • Default: true for new user pool clients

Enable token revocation for this client.

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation

generate_secretOptional
  • Type: bool
  • Default: false

Whether to generate a client secret.

id_token_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.minutes(60)

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

o_authOptional
  • Type: aws_cdk.aws_cognito.OAuthSettings
  • Default: see defaults in OAuthSettings. meaningless if disableOAuth is set.

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.

prevent_user_existence_errorsOptional
  • Type: bool
  • Default: false

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

read_attributesOptional
  • Type: aws_cdk.aws_cognito.ClientAttributes
  • Default: all standard and custom attributes

The set of attributes this client will be able to read.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

refresh_token_validityOptional
  • Type: aws_cdk.Duration
  • Default: Duration.days(30)

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token

supported_identity_providersOptional
  • Type: typing.List[aws_cdk.aws_cognito.UserPoolClientIdentityProvider]
  • Default: supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

The list of identity providers that users should be able to use to sign in using this client.

user_pool_client_nameOptional
  • Type: str
  • Default: cloudformation generated name

Name of the application client.

write_attributesOptional
  • Type: aws_cdk.aws_cognito.ClientAttributes
  • Default: all standard and custom attributes

The set of attributes this client will be able to write.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

add_domain 
def add_domain(
  id: str,
  cognito_domain: CognitoDomainOptions = None,
  custom_domain: CustomDomainOptions = None
) -> UserPoolDomain

Associate a domain to this user pool.

idRequired
  • Type: str
cognito_domainOptional
  • Type: aws_cdk.aws_cognito.CognitoDomainOptions
  • Default: not set if customDomain is specified, otherwise, throws an error.

Associate a cognito prefix domain with your user pool Either customDomain or cognitoDomain must be specified.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html

custom_domainOptional
  • Type: aws_cdk.aws_cognito.CustomDomainOptions
  • Default: not set if cognitoDomain is specified, otherwise, throws an error.

Associate a custom domain with your user pool Either customDomain or cognitoDomain must be specified.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html

add_resource_server 
def add_resource_server(
  id: str,
  identifier: str,
  scopes: typing.List[ResourceServerScope] = None,
  user_pool_resource_server_name: str = None
) -> UserPoolResourceServer

Add a new resource server to this user pool.

idRequired
  • Type: str
identifierRequired
  • Type: str

A unique resource server identifier for the resource server.

scopesOptional
  • Type: typing.List[aws_cdk.aws_cognito.ResourceServerScope]
  • Default: No scopes will be added

Oauth scopes.

user_pool_resource_server_nameOptional
  • Type: str
  • Default: same as identifier

A friendly name for the resource server.

add_trigger 
def add_trigger(
  operation: UserPoolOperation,
  fn: IFunction,
  lambda_version: LambdaVersion = None
) -> None

Add a lambda trigger to a user pool operation.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

operationRequired
  • Type: aws_cdk.aws_cognito.UserPoolOperation
fnRequired
  • Type: aws_cdk.aws_lambda.IFunction
lambda_versionOptional
  • Type: aws_cdk.aws_cognito.LambdaVersion
grant 
def grant(
  grantee: IGrantable,
  actions: str
) -> Grant

Adds an IAM policy statement associated with this user pool to an IAM principal's policy.

granteeRequired
  • Type: aws_cdk.aws_iam.IGrantable
actionsRequired
  • Type: str
register_identity_provider 
def register_identity_provider(
  provider: IUserPoolIdentityProvider
) -> None

Register an identity provider with this user pool.

providerRequired
  • Type: aws_cdk.aws_cognito.IUserPoolIdentityProvider

Static Functions

Name Description
is_construct Checks if x is a construct.
is_owned_resource Returns true if the construct was created by CDK, and false otherwise.
is_resource Check whether the given construct is a Resource.
from_user_pool_arn Import an existing user pool based on its ARN.
from_user_pool_id Import an existing user pool based on its id.
is_construct 
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_construct(
  x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: typing.Any

Any object.

is_owned_resource 
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_owned_resource(
  construct: IConstruct
)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: constructs.IConstruct
is_resource 
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.is_resource(
  construct: IConstruct
)

Check whether the given construct is a Resource.

constructRequired
  • Type: constructs.IConstruct
from_user_pool_arn 
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.from_user_pool_arn(
  scope: Construct,
  id: str,
  user_pool_arn: str
)

Import an existing user pool based on its ARN.

scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: str
user_pool_arnRequired
  • Type: str
from_user_pool_id 
import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfa.from_user_pool_id(
  scope: Construct,
  id: str,
  user_pool_id: str
)

Import an existing user pool based on its id.

scopeRequired
  • Type: constructs.Construct
idRequired
  • Type: str
user_pool_idRequired
  • Type: str

Properties

Name Type Description
node constructs.Node The tree node.
env aws_cdk.ResourceEnvironment The environment this resource belongs to.
stack aws_cdk.Stack The stack in which this resource is defined.
identity_providers typing.List[aws_cdk.aws_cognito.IUserPoolIdentityProvider] Get all identity providers registered with this user pool.
user_pool_arn str The ARN of the user pool.
user_pool_id str The physical ID of this user pool resource.
user_pool_provider_name str User pool provider name.
user_pool_provider_url str User pool provider URL.
nodeRequired 
node: Node
  • Type: constructs.Node

The tree node.

envRequired 
env: ResourceEnvironment
  • Type: aws_cdk.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
stack: Stack
  • Type: aws_cdk.Stack

The stack in which this resource is defined.

identity_providersRequired 
identity_providers: typing.List[IUserPoolIdentityProvider]
  • Type: typing.List[aws_cdk.aws_cognito.IUserPoolIdentityProvider]

Get all identity providers registered with this user pool.

user_pool_arnRequired 
user_pool_arn: str
  • Type: str

The ARN of the user pool.

user_pool_idRequired 
user_pool_id: str
  • Type: str

The physical ID of this user pool resource.

user_pool_provider_nameRequired 
user_pool_provider_name: str
  • Type: str

User pool provider name.

user_pool_provider_urlRequired 
user_pool_provider_url: str
  • Type: str

User pool provider URL.

Structs

UserIdentityProps

Properties which configures the Identity Pool.

Initializer 

import aws.pdk.identity

aws.pdk.identity.UserIdentityProps(
  identity_pool_options: IdentityPoolProps = None,
  user_pool: UserPool = None
)

Properties

Name Type Description
identity_pool_options aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps Configuration for the Identity Pool.
user_pool aws_cdk.aws_cognito.UserPool User provided Cognito UserPool.
identity_pool_optionsOptional 
identity_pool_options: IdentityPoolProps
  • Type: aws_cdk.aws_cognito_identitypool_alpha.IdentityPoolProps

Configuration for the Identity Pool.

user_poolOptional 
user_pool: UserPool
  • Type: aws_cdk.aws_cognito.UserPool
  • Default: a userpool with mfa will be created.

User provided Cognito UserPool.

UserPoolWithMfaProps

UserPoolWithMfa props.

Initializer 

import aws.pdk.identity

aws.pdk.identity.UserPoolWithMfaProps(
  account_recovery: AccountRecovery = None,
  advanced_security_mode: AdvancedSecurityMode = None,
  auto_verify: AutoVerifiedAttrs = None,
  custom_attributes: typing.Mapping[ICustomAttribute] = None,
  custom_sender_kms_key: IKey = None,
  deletion_protection: bool = None,
  device_tracking: DeviceTracking = None,
  email: UserPoolEmail = None,
  enable_sms_role: bool = None,
  keep_original: KeepOriginalAttrs = None,
  lambda_triggers: UserPoolTriggers = None,
  mfa: Mfa = None,
  mfa_message: str = None,
  mfa_second_factor: MfaSecondFactor = None,
  password_policy: PasswordPolicy = None,
  removal_policy: RemovalPolicy = None,
  self_sign_up_enabled: bool = None,
  sign_in_aliases: SignInAliases = None,
  sign_in_case_sensitive: bool = None,
  sms_role: IRole = None,
  sms_role_external_id: str = None,
  sns_region: str = None,
  standard_attributes: StandardAttributes = None,
  user_invitation: UserInvitationConfig = None,
  user_pool_name: str = None,
  user_verification: UserVerificationConfig = None
)

Properties

Name Type Description
account_recovery aws_cdk.aws_cognito.AccountRecovery How will a user be able to recover their account?
advanced_security_mode aws_cdk.aws_cognito.AdvancedSecurityMode The user pool's Advanced Security Mode.
auto_verify aws_cdk.aws_cognito.AutoVerifiedAttrs Attributes which Cognito will look to verify automatically upon user sign up.
custom_attributes typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute] Define a set of custom attributes that can be configured for each user in the user pool.
custom_sender_kms_key aws_cdk.aws_kms.IKey This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletion_protection bool Indicates whether the user pool should have deletion protection enabled.
device_tracking aws_cdk.aws_cognito.DeviceTracking Device tracking settings.
email aws_cdk.aws_cognito.UserPoolEmail Email settings for a user pool.
enable_sms_role bool Setting this would explicitly enable or disable SMS role creation.
keep_original aws_cdk.aws_cognito.KeepOriginalAttrs Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambda_triggers aws_cdk.aws_cognito.UserPoolTriggers Lambda functions to use for supported Cognito triggers.
mfa aws_cdk.aws_cognito.Mfa Configure whether users of this user pool can or are required use MFA to sign in.
mfa_message str The SMS message template sent during MFA verification.
mfa_second_factor aws_cdk.aws_cognito.MfaSecondFactor Configure the MFA types that users can use in this user pool.
password_policy aws_cdk.aws_cognito.PasswordPolicy Password policy for this user pool.
removal_policy aws_cdk.RemovalPolicy Policy to apply when the user pool is removed from the stack.
self_sign_up_enabled bool Whether self sign-up should be enabled.
sign_in_aliases aws_cdk.aws_cognito.SignInAliases Methods in which a user registers or signs in to a user pool.
sign_in_case_sensitive bool Whether sign-in aliases should be evaluated with case sensitivity.
sms_role aws_cdk.aws_iam.IRole The IAM role that Cognito will assume while sending SMS messages.
sms_role_external_id str The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
sns_region str The region to integrate with SNS to send SMS messages.
standard_attributes aws_cdk.aws_cognito.StandardAttributes The set of attributes that are required for every user in the user pool.
user_invitation aws_cdk.aws_cognito.UserInvitationConfig Configuration around admins signing up users into a user pool.
user_pool_name str Name of the user pool.
user_verification aws_cdk.aws_cognito.UserVerificationConfig Configuration around users signing themselves up to the user pool.
account_recoveryOptional 
account_recovery: AccountRecovery
  • Type: aws_cdk.aws_cognito.AccountRecovery
  • Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

advanced_security_modeOptional 
advanced_security_mode: AdvancedSecurityMode
  • Type: aws_cdk.aws_cognito.AdvancedSecurityMode
  • Default: no value

The user pool's Advanced Security Mode.

auto_verifyOptional 
auto_verify: AutoVerifiedAttrs
  • Type: aws_cdk.aws_cognito.AutoVerifiedAttrs
  • Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

custom_attributesOptional 
custom_attributes: typing.Mapping[ICustomAttribute]
  • Type: typing.Mapping[aws_cdk.aws_cognito.ICustomAttribute]
  • Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

custom_sender_kms_keyOptional 
custom_sender_kms_key: IKey
  • Type: aws_cdk.aws_kms.IKey
  • Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

deletion_protectionOptional 
deletion_protection: bool
  • Type: bool
  • Default: false

Indicates whether the user pool should have deletion protection enabled.

device_trackingOptional 
device_tracking: DeviceTracking
  • Type: aws_cdk.aws_cognito.DeviceTracking
  • Default: see defaults on each property of DeviceTracking.

Device tracking settings.

emailOptional 
email: UserPoolEmail
  • Type: aws_cdk.aws_cognito.UserPoolEmail
  • Default: cognito will use the default email configuration

Email settings for a user pool.

enable_sms_roleOptional 
enable_sms_role: bool
  • Type: bool
  • Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

keep_originalOptional 
keep_original: KeepOriginalAttrs
  • Type: aws_cdk.aws_cognito.KeepOriginalAttrs
  • Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

lambda_triggersOptional 
lambda_triggers: UserPoolTriggers
  • Type: aws_cdk.aws_cognito.UserPoolTriggers
  • Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

mfaOptional 
mfa: Mfa
  • Type: aws_cdk.aws_cognito.Mfa
  • Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

mfa_messageOptional 
mfa_message: str
  • Type: str
  • Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

mfa_second_factorOptional 
mfa_second_factor: MfaSecondFactor
  • Type: aws_cdk.aws_cognito.MfaSecondFactor
  • Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

password_policyOptional 
password_policy: PasswordPolicy
  • Type: aws_cdk.aws_cognito.PasswordPolicy
  • Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

removal_policyOptional 
removal_policy: RemovalPolicy
  • Type: aws_cdk.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

self_sign_up_enabledOptional 
self_sign_up_enabled: bool
  • Type: bool
  • Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

sign_in_aliasesOptional 
sign_in_aliases: SignInAliases
  • Type: aws_cdk.aws_cognito.SignInAliases
  • Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

sign_in_case_sensitiveOptional 
sign_in_case_sensitive: bool
  • Type: bool
  • Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

sms_roleOptional 
sms_role: IRole
  • Type: aws_cdk.aws_iam.IRole
  • Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

sms_role_external_idOptional 
sms_role_external_id: str
  • Type: str
  • Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

sns_regionOptional 
sns_region: str

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

standard_attributesOptional 
standard_attributes: StandardAttributes
  • Type: aws_cdk.aws_cognito.StandardAttributes
  • Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

user_invitationOptional 
user_invitation: UserInvitationConfig
  • Type: aws_cdk.aws_cognito.UserInvitationConfig
  • Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

user_pool_nameOptional 
user_pool_name: str
  • Type: str
  • Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

user_verificationOptional 
user_verification: UserVerificationConfig
  • Type: aws_cdk.aws_cognito.UserVerificationConfig
  • Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Last update: 2024-05-08