API Reference

Constructs

UserIdentity

Creates a UserPool and Identity Pool with sane defaults configured intended for usage from a web client.

Initializers

import { UserIdentity } from '@aws/pdk/identity'

new UserIdentity(scope: Construct, id: string, props?: UserIdentityProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	UserIdentityProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

props^Optional

• Type: UserIdentityProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.

---

toString

public toString(): string

Returns a string representation of this construct.

Static Functions

Name	Description
isConstruct	Checks if x is a construct.

---

isConstruct

import { UserIdentity } from '@aws/pdk/identity'

UserIdentity.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

x^Required

• Type: any

Any object.

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
identityPool	aws-cdk/aws-cognito-identitypool-alpha.IdentityPool	No description.
userPool	aws-cdk-lib.aws_cognito.UserPool	No description.
userPoolClient	aws-cdk-lib.aws_cognito.UserPoolClient	No description.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

identityPool^Required

public readonly identityPool: IdentityPool;

• Type: aws-cdk/aws-cognito-identitypool-alpha.IdentityPool

---

userPool^Required

public readonly userPool: UserPool;

• Type: aws-cdk-lib.aws_cognito.UserPool

---

userPoolClient^Required

public readonly userPoolClient: UserPoolClient;

• Type: aws-cdk-lib.aws_cognito.UserPoolClient

---

UserPoolWithMfa

Configures a UserPool with MFA across SMS/TOTP using sane defaults.

Initializers

import { UserPoolWithMfa } from '@aws/pdk/identity'

new UserPoolWithMfa(scope: Construct, id: string, props?: UserPoolWithMfaProps)

Name	Type	Description
scope	constructs.Construct	No description.
id	string	No description.
props	UserPoolWithMfaProps	No description.

---

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

props^Optional

• Type: UserPoolWithMfaProps

---

Methods

Name	Description
toString	Returns a string representation of this construct.
applyRemovalPolicy	Apply the given removal policy to this resource.
addClient	Add a new app client to this user pool.
addDomain	Associate a domain to this user pool.
addResourceServer	Add a new resource server to this user pool.
addTrigger	Add a lambda trigger to a user pool operation.
grant	Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
registerIdentityProvider	Register an identity provider with this user pool.

---

toString

public toString(): string

Returns a string representation of this construct.

applyRemovalPolicy

public applyRemovalPolicy(policy: RemovalPolicy): void

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policy^Required

• Type: aws-cdk-lib.RemovalPolicy

---

addClient

public addClient(id: string, options?: UserPoolClientOptions): UserPoolClient

Add a new app client to this user pool.

id^Required

• Type: string

---

options^Optional

• Type: aws-cdk-lib.aws_cognito.UserPoolClientOptions

---

addDomain

public addDomain(id: string, options: UserPoolDomainOptions): UserPoolDomain

Associate a domain to this user pool.

id^Required

• Type: string

---

options^Required

• Type: aws-cdk-lib.aws_cognito.UserPoolDomainOptions

---

addResourceServer

public addResourceServer(id: string, options: UserPoolResourceServerOptions): UserPoolResourceServer

Add a new resource server to this user pool.

id^Required

• Type: string

---

options^Required

• Type: aws-cdk-lib.aws_cognito.UserPoolResourceServerOptions

---

addTrigger

public addTrigger(operation: UserPoolOperation, fn: IFunction, lambdaVersion?: LambdaVersion): void

Add a lambda trigger to a user pool operation.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

operation^Required

• Type: aws-cdk-lib.aws_cognito.UserPoolOperation

---

fn^Required

• Type: aws-cdk-lib.aws_lambda.IFunction

---

lambdaVersion^Optional

• Type: aws-cdk-lib.aws_cognito.LambdaVersion

---

grant

public grant(grantee: IGrantable, actions: string): Grant

Adds an IAM policy statement associated with this user pool to an IAM principal's policy.

grantee^Required

• Type: aws-cdk-lib.aws_iam.IGrantable

---

actions^Required

• Type: string

---

registerIdentityProvider

public registerIdentityProvider(provider: IUserPoolIdentityProvider): void

Register an identity provider with this user pool.

provider^Required

• Type: aws-cdk-lib.aws_cognito.IUserPoolIdentityProvider

---

Static Functions

Name	Description
isConstruct	Checks if x is a construct.
isOwnedResource	Returns true if the construct was created by CDK, and false otherwise.
isResource	Check whether the given construct is a Resource.
fromUserPoolArn	Import an existing user pool based on its ARN.
fromUserPoolId	Import an existing user pool based on its id.

---

isConstruct

import { UserPoolWithMfa } from '@aws/pdk/identity'

UserPoolWithMfa.isConstruct(x: any)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

x^Required

• Type: any

Any object.

---

isOwnedResource

import { UserPoolWithMfa } from '@aws/pdk/identity'

UserPoolWithMfa.isOwnedResource(construct: IConstruct)

Returns true if the construct was created by CDK, and false otherwise.

construct^Required

• Type: constructs.IConstruct

---

isResource

import { UserPoolWithMfa } from '@aws/pdk/identity'

UserPoolWithMfa.isResource(construct: IConstruct)

Check whether the given construct is a Resource.

construct^Required

• Type: constructs.IConstruct

---

fromUserPoolArn

import { UserPoolWithMfa } from '@aws/pdk/identity'

UserPoolWithMfa.fromUserPoolArn(scope: Construct, id: string, userPoolArn: string)

Import an existing user pool based on its ARN.

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

userPoolArn^Required

• Type: string

---

fromUserPoolId

import { UserPoolWithMfa } from '@aws/pdk/identity'

UserPoolWithMfa.fromUserPoolId(scope: Construct, id: string, userPoolId: string)

Import an existing user pool based on its id.

scope^Required

• Type: constructs.Construct

---

id^Required

• Type: string

---

userPoolId^Required

• Type: string

---

Properties

Name	Type	Description
node	constructs.Node	The tree node.
env	aws-cdk-lib.ResourceEnvironment	The environment this resource belongs to.
stack	aws-cdk-lib.Stack	The stack in which this resource is defined.
identityProviders	aws-cdk-lib.aws_cognito.IUserPoolIdentityProvider[]	Get all identity providers registered with this user pool.
userPoolArn	string	The ARN of the user pool.
userPoolId	string	The physical ID of this user pool resource.
userPoolProviderName	string	User pool provider name.
userPoolProviderUrl	string	User pool provider URL.

---

node^Required

public readonly node: Node;

• Type: constructs.Node

The tree node.

---

env^Required

public readonly env: ResourceEnvironment;

• Type: aws-cdk-lib.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

---

stack^Required

public readonly stack: Stack;

• Type: aws-cdk-lib.Stack

The stack in which this resource is defined.

---

identityProviders^Required

public readonly identityProviders: IUserPoolIdentityProvider[];

• Type: aws-cdk-lib.aws_cognito.IUserPoolIdentityProvider[]

Get all identity providers registered with this user pool.

---

userPoolArn^Required

public readonly userPoolArn: string;

• Type: string

The ARN of the user pool.

---

userPoolId^Required

public readonly userPoolId: string;

• Type: string

The physical ID of this user pool resource.

---

userPoolProviderName^Required

public readonly userPoolProviderName: string;

• Type: string

User pool provider name.

---

userPoolProviderUrl^Required

public readonly userPoolProviderUrl: string;

• Type: string

User pool provider URL.

---

Structs

UserIdentityProps

Properties which configures the Identity Pool.

Initializer

import { UserIdentityProps } from '@aws/pdk/identity'

const userIdentityProps: UserIdentityProps = { ... }

Properties

Name	Type	Description
allowSignup	boolean	Allow self sign up.
identityPoolOptions	aws-cdk/aws-cognito-identitypool-alpha.IdentityPoolProps	Configuration for the Identity Pool.
userPool	aws-cdk-lib.aws_cognito.UserPool	User provided Cognito UserPool.

---

allowSignup^Optional

public readonly allowSignup: boolean;

• Type: boolean
• Default: false

Allow self sign up.

---

identityPoolOptions^Optional

public readonly identityPoolOptions: IdentityPoolProps;

• Type: aws-cdk/aws-cognito-identitypool-alpha.IdentityPoolProps

Configuration for the Identity Pool.

---

userPool^Optional

public readonly userPool: UserPool;

• Type: aws-cdk-lib.aws_cognito.UserPool
• Default: a userpool with mfa will be created.

User provided Cognito UserPool.

---

UserPoolWithMfaProps

UserPoolWithMfa props.

Initializer

import { UserPoolWithMfaProps } from '@aws/pdk/identity'

const userPoolWithMfaProps: UserPoolWithMfaProps = { ... }

Properties

Name	Type	Description
accountRecovery	aws-cdk-lib.aws_cognito.AccountRecovery	How will a user be able to recover their account?
advancedSecurityMode	aws-cdk-lib.aws_cognito.AdvancedSecurityMode	The user pool's Advanced Security Mode.
autoVerify	aws-cdk-lib.aws_cognito.AutoVerifiedAttrs	Attributes which Cognito will look to verify automatically upon user sign up.
customAttributes	{[ key: string ]: aws-cdk-lib.aws_cognito.ICustomAttribute}	Define a set of custom attributes that can be configured for each user in the user pool.
customSenderKmsKey	aws-cdk-lib.aws_kms.IKey	This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletionProtection	boolean	Indicates whether the user pool should have deletion protection enabled.
deviceTracking	aws-cdk-lib.aws_cognito.DeviceTracking	Device tracking settings.
email	aws-cdk-lib.aws_cognito.UserPoolEmail	Email settings for a user pool.
enableSmsRole	boolean	Setting this would explicitly enable or disable SMS role creation.
keepOriginal	aws-cdk-lib.aws_cognito.KeepOriginalAttrs	Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambdaTriggers	aws-cdk-lib.aws_cognito.UserPoolTriggers	Lambda functions to use for supported Cognito triggers.
mfa	aws-cdk-lib.aws_cognito.Mfa	Configure whether users of this user pool can or are required use MFA to sign in.
mfaMessage	string	The SMS message template sent during MFA verification.
mfaSecondFactor	aws-cdk-lib.aws_cognito.MfaSecondFactor	Configure the MFA types that users can use in this user pool.
passwordPolicy	aws-cdk-lib.aws_cognito.PasswordPolicy	Password policy for this user pool.
removalPolicy	aws-cdk-lib.RemovalPolicy	Policy to apply when the user pool is removed from the stack.
selfSignUpEnabled	boolean	Whether self sign-up should be enabled.
signInAliases	aws-cdk-lib.aws_cognito.SignInAliases	Methods in which a user registers or signs in to a user pool.
signInCaseSensitive	boolean	Whether sign-in aliases should be evaluated with case sensitivity.
smsRole	aws-cdk-lib.aws_iam.IRole	The IAM role that Cognito will assume while sending SMS messages.
smsRoleExternalId	string	The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
snsRegion	string	The region to integrate with SNS to send SMS messages.
standardAttributes	aws-cdk-lib.aws_cognito.StandardAttributes	The set of attributes that are required for every user in the user pool.
userInvitation	aws-cdk-lib.aws_cognito.UserInvitationConfig	Configuration around admins signing up users into a user pool.
userPoolName	string	Name of the user pool.
userVerification	aws-cdk-lib.aws_cognito.UserVerificationConfig	Configuration around users signing themselves up to the user pool.

---

accountRecovery^Optional

public readonly accountRecovery: AccountRecovery;

• Type: aws-cdk-lib.aws_cognito.AccountRecovery
• Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

---

advancedSecurityMode^Optional

public readonly advancedSecurityMode: AdvancedSecurityMode;

• Type: aws-cdk-lib.aws_cognito.AdvancedSecurityMode
• Default: no value

The user pool's Advanced Security Mode.

---

autoVerify^Optional

public readonly autoVerify: AutoVerifiedAttrs;

• Type: aws-cdk-lib.aws_cognito.AutoVerifiedAttrs
• Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

---

customAttributes^Optional

public readonly customAttributes: {[ key: string ]: ICustomAttribute};

• Type: {[ key: string ]: aws-cdk-lib.aws_cognito.ICustomAttribute}
• Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

---

customSenderKmsKey^Optional

public readonly customSenderKmsKey: IKey;

• Type: aws-cdk-lib.aws_kms.IKey
• Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

---

deletionProtection^Optional

public readonly deletionProtection: boolean;

• Type: boolean
• Default: false

Indicates whether the user pool should have deletion protection enabled.

---

deviceTracking^Optional

public readonly deviceTracking: DeviceTracking;

• Type: aws-cdk-lib.aws_cognito.DeviceTracking
• Default: see defaults on each property of DeviceTracking.

Device tracking settings.

---

email^Optional

public readonly email: UserPoolEmail;

• Type: aws-cdk-lib.aws_cognito.UserPoolEmail
• Default: cognito will use the default email configuration

Email settings for a user pool.

---

enableSmsRole^Optional

public readonly enableSmsRole: boolean;

• Type: boolean
• Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

---

keepOriginal^Optional

public readonly keepOriginal: KeepOriginalAttrs;

• Type: aws-cdk-lib.aws_cognito.KeepOriginalAttrs
• Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

---

lambdaTriggers^Optional

public readonly lambdaTriggers: UserPoolTriggers;

• Type: aws-cdk-lib.aws_cognito.UserPoolTriggers
• Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

---

mfa^Optional

public readonly mfa: Mfa;

• Type: aws-cdk-lib.aws_cognito.Mfa
• Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

---

mfaMessage^Optional

public readonly mfaMessage: string;

• Type: string
• Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

---

mfaSecondFactor^Optional

public readonly mfaSecondFactor: MfaSecondFactor;

• Type: aws-cdk-lib.aws_cognito.MfaSecondFactor
• Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

---

passwordPolicy^Optional

public readonly passwordPolicy: PasswordPolicy;

• Type: aws-cdk-lib.aws_cognito.PasswordPolicy
• Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

---

removalPolicy^Optional

public readonly removalPolicy: RemovalPolicy;

• Type: aws-cdk-lib.RemovalPolicy
• Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

---

selfSignUpEnabled^Optional

public readonly selfSignUpEnabled: boolean;

• Type: boolean
• Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

---

signInAliases^Optional

public readonly signInAliases: SignInAliases;

• Type: aws-cdk-lib.aws_cognito.SignInAliases
• Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

---

signInCaseSensitive^Optional

public readonly signInCaseSensitive: boolean;

• Type: boolean
• Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

---

smsRole^Optional

public readonly smsRole: IRole;

• Type: aws-cdk-lib.aws_iam.IRole
• Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

---

smsRoleExternalId^Optional

public readonly smsRoleExternalId: string;

• Type: string
• Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

---

snsRegion^Optional

public readonly snsRegion: string;

• Type: string
• Default: The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

---

standardAttributes^Optional

public readonly standardAttributes: StandardAttributes;

• Type: aws-cdk-lib.aws_cognito.StandardAttributes
• Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

---

userInvitation^Optional

public readonly userInvitation: UserInvitationConfig;

• Type: aws-cdk-lib.aws_cognito.UserInvitationConfig
• Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

---

userPoolName^Optional

public readonly userPoolName: string;

• Type: string
• Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

---

userVerification^Optional

public readonly userVerification: UserVerificationConfig;

• Type: aws-cdk-lib.aws_cognito.UserVerificationConfig
• Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

---

---

Last update: 2025-07-17