aws.cognito.ManagedUserPoolClient
Use the aws.cognito.UserPoolClient
resource to manage a Cognito User Pool Client.
This resource is advanced and has special caveats to consider before use. Please read this document completely before using the resource.
Use the aws.cognito.ManagedUserPoolClient
resource to manage a Cognito User Pool Client that is automatically created by an AWS service. For instance, when configuring an OpenSearch Domain to use Cognito authentication, the OpenSearch service creates the User Pool Client during setup and removes it when it is no longer required. As a result, the aws.cognito.ManagedUserPoolClient
resource does not create or delete this resource, but instead assumes management of it.
Use the aws.cognito.UserPoolClient
resource to manage Cognito User Pool Clients for normal use cases.
Example Usage
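import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// User pool whose OpenSearch-created app client this program takes over.
const exampleUserPool = new aws.cognito.UserPool("example", { name: "example" });
const exampleIdentityPool = new aws.cognito.IdentityPool("example", { identityPoolName: "example" });

// Hosted-UI domain for the user pool. The OpenSearch domain below depends on it;
// the original example referenced `exampleAwsCognitoUserPoolDomain` without defining it.
const exampleAwsCognitoUserPoolDomain = new aws.cognito.UserPoolDomain("example", {
  domain: "example",
  userPoolId: exampleUserPool.id,
});

// Partition-aware service principal and policy ARN, so the example also works outside "aws".
const current = aws.getPartition({});

// Trust policy: only the OpenSearch service principal may assume the role.
const example = current.then((partition) =>
  aws.iam.getPolicyDocument({
    statements: [{
      sid: "",
      actions: ["sts:AssumeRole"],
      effect: "Allow",
      principals: [{
        type: "Service",
        identifiers: [`es.${partition.dnsSuffix}`],
      }],
    }],
  }),
);

const exampleRole = new aws.iam.Role("example", {
  name: "example-role",
  path: "/service-role/",
  assumeRolePolicy: example.then((doc) => doc.json),
});

// Attaches the AWS-managed AmazonESCognitoAccess policy to the role.
const exampleRolePolicyAttachment = new aws.iam.RolePolicyAttachment("example", {
  role: exampleRole.name,
  policyArn: current.then((partition) => `arn:${partition.partition}:iam::aws:policy/AmazonESCognitoAccess`),
});

// Minimal domain: only Cognito auth and EBS storage are configured; encryption,
// TLS enforcement and an access policy are not set by this example.
const exampleDomain = new aws.opensearch.Domain("example", {
  domainName: "example",
  cognitoOptions: {
    enabled: true,
    userPoolId: exampleUserPool.id,
    identityPoolId: exampleIdentityPool.id,
    roleArn: exampleRole.arn,
  },
  ebsOptions: {
    ebsEnabled: true,
    volumeSize: 10,
  },
}, {
  // Both the hosted-UI domain and the role permissions must exist before
  // OpenSearch can wire up Cognito authentication.
  dependsOn: [exampleAwsCognitoUserPoolDomain, exampleRolePolicyAttachment],
});

// OpenSearch creates the app client itself; this resource adopts it by name prefix
// and neither creates nor deletes it.
const exampleManagedUserPoolClient = new aws.cognito.ManagedUserPoolClient("example", {
  namePrefix: "AmazonOpenSearchService-example",
  userPoolId: exampleUserPool.id,
}, {
  dependsOn: [exampleDomain],
});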
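import pulumi
import pulumi_aws as aws

# User pool whose OpenSearch-created app client this program takes over.
example_user_pool = aws.cognito.UserPool("example", name="example")
example_identity_pool = aws.cognito.IdentityPool("example", identity_pool_name="example")

# Hosted-UI domain for the user pool. The OpenSearch domain below depends on it;
# the original example referenced `example_aws_cognito_user_pool_domain` without defining it.
example_aws_cognito_user_pool_domain = aws.cognito.UserPoolDomain("example",
    domain="example",
    user_pool_id=example_user_pool.id)

# Partition-aware service principal and policy ARN, so the example also works outside "aws".
current = aws.get_partition()

# Trust policy: only the OpenSearch service principal may assume the role.
example = aws.iam.get_policy_document(statements=[{
    "sid": "",
    "actions": ["sts:AssumeRole"],
    "effect": "Allow",
    "principals": [{
        "type": "Service",
        "identifiers": [f"es.{current.dns_suffix}"],
    }],
}])

example_role = aws.iam.Role("example",
    name="example-role",
    path="/service-role/",
    assume_role_policy=example.json)

# Attaches the AWS-managed AmazonESCognitoAccess policy to the role.
example_role_policy_attachment = aws.iam.RolePolicyAttachment("example",
    role=example_role.name,
    policy_arn=f"arn:{current.partition}:iam::aws:policy/AmazonESCognitoAccess")

# Minimal domain: only Cognito auth and EBS storage are configured; encryption,
# TLS enforcement and an access policy are not set by this example.
example_domain = aws.opensearch.Domain("example",
    domain_name="example",
    cognito_options={
        "enabled": True,
        "userPoolId": example_user_pool.id,
        "identityPoolId": example_identity_pool.id,
        "roleArn": example_role.arn,
    },
    ebs_options={
        "ebsEnabled": True,
        "volumeSize": 10,
    },
    # Both the hosted-UI domain and the role permissions must exist before
    # OpenSearch can wire up Cognito authentication.
    opts=pulumi.ResourceOptions(depends_on=[
        example_aws_cognito_user_pool_domain,
        example_role_policy_attachment,
    ]))

# OpenSearch creates the app client itself; this resource adopts it by name prefix
# and neither creates nor deletes it.
example_managed_user_pool_client = aws.cognito.ManagedUserPoolClient("example",
    name_prefix="AmazonOpenSearchService-example",
    user_pool_id=example_user_pool.id,
    opts=pulumi.ResourceOptions(depends_on=[example_domain]))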
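package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/opensearch"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main adopts the Cognito app client that OpenSearch creates for a domain
// configured with Cognito authentication.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// User pool whose OpenSearch-created app client this program takes over.
		exampleUserPool, err := cognito.NewUserPool(ctx, "example", &cognito.UserPoolArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		exampleIdentityPool, err := cognito.NewIdentityPool(ctx, "example", &cognito.IdentityPoolArgs{
			IdentityPoolName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		// Hosted-UI domain for the user pool. The OpenSearch domain below depends on it;
		// the original example referenced this variable without defining it.
		exampleAwsCognitoUserPoolDomain, err := cognito.NewUserPoolDomain(ctx, "example", &cognito.UserPoolDomainArgs{
			Domain:     pulumi.String("example"),
			UserPoolId: exampleUserPool.ID(),
		})
		if err != nil {
			return err
		}
		// Partition-aware service principal and policy ARN, so the example also works outside "aws".
		current, err := aws.GetPartition(ctx, nil, nil)
		if err != nil {
			return err
		}
		// Trust policy: only the OpenSearch service principal may assume the role.
		example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:     pulumi.StringRef(""),
					Actions: []string{"sts:AssumeRole"},
					Effect:  pulumi.StringRef("Allow"),
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type:        "Service",
							Identifiers: []string{fmt.Sprintf("es.%v", current.DnsSuffix)},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		exampleRole, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:             pulumi.String("example-role"),
			Path:             pulumi.String("/service-role/"),
			AssumeRolePolicy: pulumi.String(example.Json),
		})
		if err != nil {
			return err
		}
		// Attaches the AWS-managed AmazonESCognitoAccess policy to the role.
		exampleRolePolicyAttachment, err := iam.NewRolePolicyAttachment(ctx, "example", &iam.RolePolicyAttachmentArgs{
			Role:      exampleRole.Name,
			PolicyArn: pulumi.String(fmt.Sprintf("arn:%v:iam::aws:policy/AmazonESCognitoAccess", current.Partition)),
		})
		if err != nil {
			return err
		}
		// Minimal domain: only Cognito auth and EBS storage are configured; encryption,
		// TLS enforcement and an access policy are not set by this example.
		exampleDomain, err := opensearch.NewDomain(ctx, "example", &opensearch.DomainArgs{
			DomainName: pulumi.String("example"),
			CognitoOptions: &opensearch.DomainCognitoOptionsArgs{
				Enabled:        pulumi.Bool(true),
				UserPoolId:     exampleUserPool.ID(),
				IdentityPoolId: exampleIdentityPool.ID(),
				RoleArn:        exampleRole.Arn,
			},
			EbsOptions: &opensearch.DomainEbsOptionsArgs{
				EbsEnabled: pulumi.Bool(true),
				VolumeSize: pulumi.Int(10),
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			// Both the hosted-UI domain and the role permissions must exist before
			// OpenSearch can wire up Cognito authentication.
			exampleAwsCognitoUserPoolDomain,
			exampleRolePolicyAttachment,
		}))
		if err != nil {
			return err
		}
		// OpenSearch creates the app client itself; this resource adopts it by name prefix
		// and neither creates nor deletes it.
		_, err = cognito.NewManagedUserPoolClient(ctx, "example", &cognito.ManagedUserPoolClientArgs{
			NamePrefix: pulumi.String("AmazonOpenSearchService-example"),
			UserPoolId: exampleUserPool.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleDomain,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}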
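using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // User pool whose OpenSearch-created app client this program takes over.
    var exampleUserPool = new Aws.Cognito.UserPool("example", new()
    {
        Name = "example",
    });

    var exampleIdentityPool = new Aws.Cognito.IdentityPool("example", new()
    {
        IdentityPoolName = "example",
    });

    // Hosted-UI domain for the user pool. The OpenSearch domain below depends on it;
    // the original example referenced this variable without defining it.
    var exampleAwsCognitoUserPoolDomain = new Aws.Cognito.UserPoolDomain("example", new()
    {
        Domain = "example",
        UserPoolId = exampleUserPool.Id,
    });

    // Partition-aware service principal and policy ARN, so the example also works outside "aws".
    var current = Aws.GetPartition.Invoke();

    // Trust policy: only the OpenSearch service principal may assume the role.
    // Output.Format is required: a plain $"..." string would embed the Output
    // object's type name rather than its resolved value.
    var example = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "",
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers =
                        {
                            Output.Format($"es.{current.Apply(getPartitionResult => getPartitionResult.DnsSuffix)}"),
                        },
                    },
                },
            },
        },
    });

    var exampleRole = new Aws.Iam.Role("example", new()
    {
        Name = "example-role",
        Path = "/service-role/",
        AssumeRolePolicy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

    // Attaches the AWS-managed AmazonESCognitoAccess policy to the role.
    var exampleRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("example", new()
    {
        Role = exampleRole.Name,
        PolicyArn = Output.Format($"arn:{current.Apply(getPartitionResult => getPartitionResult.Partition)}:iam::aws:policy/AmazonESCognitoAccess"),
    });

    // Minimal domain: only Cognito auth and EBS storage are configured; encryption,
    // TLS enforcement and an access policy are not set by this example.
    var exampleDomain = new Aws.OpenSearch.Domain("example", new()
    {
        DomainName = "example",
        CognitoOptions = new Aws.OpenSearch.Inputs.DomainCognitoOptionsArgs
        {
            Enabled = true,
            UserPoolId = exampleUserPool.Id,
            IdentityPoolId = exampleIdentityPool.Id,
            RoleArn = exampleRole.Arn,
        },
        EbsOptions = new Aws.OpenSearch.Inputs.DomainEbsOptionsArgs
        {
            EbsEnabled = true,
            VolumeSize = 10,
        },
    }, new CustomResourceOptions
    {
        // Both the hosted-UI domain and the role permissions must exist before
        // OpenSearch can wire up Cognito authentication.
        DependsOn =
        {
            exampleAwsCognitoUserPoolDomain,
            exampleRolePolicyAttachment,
        },
    });

    // OpenSearch creates the app client itself; this resource adopts it by name prefix
    // and neither creates nor deletes it.
    var exampleManagedUserPoolClient = new Aws.Cognito.ManagedUserPoolClient("example", new()
    {
        NamePrefix = "AmazonOpenSearchService-example",
        UserPoolId = exampleUserPool.Id,
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            exampleDomain,
        },
    });
});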
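package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.IdentityPool;
import com.pulumi.aws.cognito.IdentityPoolArgs;
import com.pulumi.aws.cognito.UserPoolDomain;
import com.pulumi.aws.cognito.UserPoolDomainArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.aws.opensearch.Domain;
import com.pulumi.aws.opensearch.DomainArgs;
import com.pulumi.aws.opensearch.inputs.DomainCognitoOptionsArgs;
import com.pulumi.aws.opensearch.inputs.DomainEbsOptionsArgs;
import com.pulumi.aws.cognito.ManagedUserPoolClient;
import com.pulumi.aws.cognito.ManagedUserPoolClientArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Adopts the Cognito app client that OpenSearch creates for a domain
 * configured with Cognito authentication.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the user pool, identity pool, hosted-UI domain, service role,
     * OpenSearch domain and the managed user pool client.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // User pool whose OpenSearch-created app client this program takes over.
        var exampleUserPool = new UserPool("exampleUserPool", UserPoolArgs.builder()
            .name("example")
            .build());

        var exampleIdentityPool = new IdentityPool("exampleIdentityPool", IdentityPoolArgs.builder()
            .identityPoolName("example")
            .build());

        // Hosted-UI domain for the user pool. The OpenSearch domain below depends on it;
        // the original example referenced this variable without defining it.
        var exampleAwsCognitoUserPoolDomain = new UserPoolDomain("exampleAwsCognitoUserPoolDomain", UserPoolDomainArgs.builder()
            .domain("example")
            .userPoolId(exampleUserPool.id())
            .build());

        // Partition-aware service principal and policy ARN, so the example also works outside "aws".
        final var current = AwsFunctions.getPartition();

        // Trust policy: only the OpenSearch service principal may assume the role.
        // The string is built inside applyValue: String.format on an Output would
        // format the Output object itself rather than its resolved value.
        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("")
                .actions("sts:AssumeRole")
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers(current.applyValue(getPartitionResult ->
                        List.of(String.format("es.%s", getPartitionResult.dnsSuffix()))))
                    .build())
                .build())
            .build());

        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .name("example-role")
            .path("/service-role/")
            .assumeRolePolicy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        // Attaches the AWS-managed AmazonESCognitoAccess policy to the role.
        var exampleRolePolicyAttachment = new RolePolicyAttachment("exampleRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
            .role(exampleRole.name())
            .policyArn(current.applyValue(getPartitionResult ->
                String.format("arn:%s:iam::aws:policy/AmazonESCognitoAccess", getPartitionResult.partition())))
            .build());

        // Minimal domain: only Cognito auth and EBS storage are configured; encryption,
        // TLS enforcement and an access policy are not set by this example.
        var exampleDomain = new Domain("exampleDomain", DomainArgs.builder()
            .domainName("example")
            .cognitoOptions(DomainCognitoOptionsArgs.builder()
                .enabled(true)
                .userPoolId(exampleUserPool.id())
                .identityPoolId(exampleIdentityPool.id())
                .roleArn(exampleRole.arn())
                .build())
            .ebsOptions(DomainEbsOptionsArgs.builder()
                .ebsEnabled(true)
                .volumeSize(10)
                .build())
            .build(), CustomResourceOptions.builder()
            // Both the hosted-UI domain and the role permissions must exist before
            // OpenSearch can wire up Cognito authentication.
            .dependsOn(
                exampleAwsCognitoUserPoolDomain,
                exampleRolePolicyAttachment)
            .build());

        // OpenSearch creates the app client itself; this resource adopts it by name prefix
        // and neither creates nor deletes it.
        var exampleManagedUserPoolClient = new ManagedUserPoolClient("exampleManagedUserPoolClient", ManagedUserPoolClientArgs.builder()
            .namePrefix("AmazonOpenSearchService-example")
            .userPoolId(exampleUserPool.id())
            .build(), CustomResourceOptions.builder()
            .dependsOn(exampleDomain)
            .build());
    }
}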
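resources:
  # OpenSearch creates the app client itself; this resource adopts it by name prefix
  # and neither creates nor deletes it.
  exampleManagedUserPoolClient:
    type: aws:cognito:ManagedUserPoolClient
    name: example
    properties:
      namePrefix: AmazonOpenSearchService-example
      userPoolId: ${exampleUserPool.id}
    options:
      dependson:
        - ${exampleDomain}
  # User pool whose OpenSearch-created app client this program takes over.
  exampleUserPool:
    type: aws:cognito:UserPool
    name: example
    properties:
      name: example
  exampleIdentityPool:
    type: aws:cognito:IdentityPool
    name: example
    properties:
      identityPoolName: example
  # Hosted-UI domain for the user pool. The OpenSearch domain below depends on it;
  # the original example referenced this resource without defining it.
  exampleAwsCognitoUserPoolDomain:
    type: aws:cognito:UserPoolDomain
    name: example
    properties:
      domain: example
      userPoolId: ${exampleUserPool.id}
  # Minimal domain: only Cognito auth and EBS storage are configured; encryption,
  # TLS enforcement and an access policy are not set by this example.
  exampleDomain:
    type: aws:opensearch:Domain
    name: example
    properties:
      domainName: example
      cognitoOptions:
        enabled: true
        userPoolId: ${exampleUserPool.id}
        identityPoolId: ${exampleIdentityPool.id}
        roleArn: ${exampleRole.arn}
      ebsOptions:
        ebsEnabled: true
        volumeSize: 10
    options:
      # Both the hosted-UI domain and the role permissions must exist before
      # OpenSearch can wire up Cognito authentication.
      dependson:
        - ${exampleAwsCognitoUserPoolDomain}
        - ${exampleRolePolicyAttachment}
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: example-role
      path: /service-role/
      assumeRolePolicy: ${example.json}
  # Attaches the AWS-managed AmazonESCognitoAccess policy to the role.
  exampleRolePolicyAttachment:
    type: aws:iam:RolePolicyAttachment
    name: example
    properties:
      role: ${exampleRole.name}
      policyArn: arn:${current.partition}:iam::aws:policy/AmazonESCognitoAccess
variables:
  # Trust policy: only the OpenSearch service principal may assume the role.
  example:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          # Empty string, matching the other language examples (a bare `sid:` is null).
          - sid: ""
            actions:
              - sts:AssumeRole
            effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.${current.dnsSuffix}
  # Partition-aware service principal and policy ARN, so the example also works outside "aws".
  current:
    fn::invoke:
      Function: aws:getPartition
      Arguments: {}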
Create ManagedUserPoolClient Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ManagedUserPoolClient(name: string, args: ManagedUserPoolClientArgs, opts?: CustomResourceOptions);
@overload
def ManagedUserPoolClient(resource_name: str,
args: ManagedUserPoolClientArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ManagedUserPoolClient(resource_name: str,
opts: Optional[ResourceOptions] = None,
user_pool_id: Optional[str] = None,
explicit_auth_flows: Optional[Sequence[str]] = None,
auth_session_validity: Optional[int] = None,
id_token_validity: Optional[int] = None,
name_pattern: Optional[str] = None,
logout_urls: Optional[Sequence[str]] = None,
callback_urls: Optional[Sequence[str]] = None,
default_redirect_uri: Optional[str] = None,
enable_propagate_additional_user_context_data: Optional[bool] = None,
enable_token_revocation: Optional[bool] = None,
access_token_validity: Optional[int] = None,
allowed_oauth_scopes: Optional[Sequence[str]] = None,
allowed_oauth_flows_user_pool_client: Optional[bool] = None,
analytics_configuration: Optional[ManagedUserPoolClientAnalyticsConfigurationArgs] = None,
name_prefix: Optional[str] = None,
prevent_user_existence_errors: Optional[str] = None,
read_attributes: Optional[Sequence[str]] = None,
refresh_token_validity: Optional[int] = None,
supported_identity_providers: Optional[Sequence[str]] = None,
token_validity_units: Optional[ManagedUserPoolClientTokenValidityUnitsArgs] = None,
allowed_oauth_flows: Optional[Sequence[str]] = None,
write_attributes: Optional[Sequence[str]] = None)
func NewManagedUserPoolClient(ctx *Context, name string, args ManagedUserPoolClientArgs, opts ...ResourceOption) (*ManagedUserPoolClient, error)
public ManagedUserPoolClient(string name, ManagedUserPoolClientArgs args, CustomResourceOptions? opts = null)
public ManagedUserPoolClient(String name, ManagedUserPoolClientArgs args)
public ManagedUserPoolClient(String name, ManagedUserPoolClientArgs args, CustomResourceOptions options)
type: aws:cognito:ManagedUserPoolClient
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ManagedUserPoolClientArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ManagedUserPoolClientArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ManagedUserPoolClientArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ManagedUserPoolClientArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ManagedUserPoolClientArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference shape only: every input is a placeholder value.
var managedUserPoolClientArgs = new Aws.Cognito.ManagedUserPoolClientArgs
{
    // User pool that the client belongs to, and how the existing client is selected.
    UserPoolId = "string",
    NamePattern = "string",
    NamePrefix = "string",
    // Authentication flows and OAuth settings.
    ExplicitAuthFlows = { "string" },
    AllowedOauthFlows = { "string" },
    AllowedOauthFlowsUserPoolClient = false,
    AllowedOauthScopes = { "string" },
    CallbackUrls = { "string" },
    LogoutUrls = { "string" },
    DefaultRedirectUri = "string",
    SupportedIdentityProviders = { "string" },
    PreventUserExistenceErrors = "string",
    // Token and session lifetimes; units are taken from TokenValidityUnits.
    AuthSessionValidity = 0,
    AccessTokenValidity = 0,
    IdTokenValidity = 0,
    RefreshTokenValidity = 0,
    TokenValidityUnits = new Aws.Cognito.Inputs.ManagedUserPoolClientTokenValidityUnitsArgs
    {
        AccessToken = "string",
        IdToken = "string",
        RefreshToken = "string",
    },
    EnableTokenRevocation = false,
    EnablePropagateAdditionalUserContextData = false,
    // Attribute access and Pinpoint analytics.
    ReadAttributes = { "string" },
    WriteAttributes = { "string" },
    AnalyticsConfiguration = new Aws.Cognito.Inputs.ManagedUserPoolClientAnalyticsConfigurationArgs
    {
        ApplicationArn = "string",
        ApplicationId = "string",
        ExternalId = "string",
        RoleArn = "string",
        UserDataShared = false,
    },
};
var managedUserPoolClientResource = new Aws.Cognito.ManagedUserPoolClient("managedUserPoolClientResource", managedUserPoolClientArgs);
// Reference shape only: every input is a placeholder value.
managedUserPoolClientArgs := &cognito.ManagedUserPoolClientArgs{
	// User pool that the client belongs to, and how the existing client is selected.
	UserPoolId:  pulumi.String("string"),
	NamePattern: pulumi.String("string"),
	NamePrefix:  pulumi.String("string"),
	// Authentication flows and OAuth settings.
	ExplicitAuthFlows:               pulumi.ToStringArray([]string{"string"}),
	AllowedOauthFlows:               pulumi.ToStringArray([]string{"string"}),
	AllowedOauthFlowsUserPoolClient: pulumi.Bool(false),
	AllowedOauthScopes:              pulumi.ToStringArray([]string{"string"}),
	CallbackUrls:                    pulumi.ToStringArray([]string{"string"}),
	LogoutUrls:                      pulumi.ToStringArray([]string{"string"}),
	DefaultRedirectUri:              pulumi.String("string"),
	SupportedIdentityProviders:      pulumi.ToStringArray([]string{"string"}),
	PreventUserExistenceErrors:      pulumi.String("string"),
	// Token and session lifetimes; units are taken from TokenValidityUnits.
	AuthSessionValidity:  pulumi.Int(0),
	AccessTokenValidity:  pulumi.Int(0),
	IdTokenValidity:      pulumi.Int(0),
	RefreshTokenValidity: pulumi.Int(0),
	TokenValidityUnits: &cognito.ManagedUserPoolClientTokenValidityUnitsArgs{
		AccessToken:  pulumi.String("string"),
		IdToken:      pulumi.String("string"),
		RefreshToken: pulumi.String("string"),
	},
	EnableTokenRevocation:                    pulumi.Bool(false),
	EnablePropagateAdditionalUserContextData: pulumi.Bool(false),
	// Attribute access and Pinpoint analytics.
	ReadAttributes:  pulumi.ToStringArray([]string{"string"}),
	WriteAttributes: pulumi.ToStringArray([]string{"string"}),
	AnalyticsConfiguration: &cognito.ManagedUserPoolClientAnalyticsConfigurationArgs{
		ApplicationArn: pulumi.String("string"),
		ApplicationId:  pulumi.String("string"),
		ExternalId:     pulumi.String("string"),
		RoleArn:        pulumi.String("string"),
		UserDataShared: pulumi.Bool(false),
	},
}
example, err := cognito.NewManagedUserPoolClient(ctx, "managedUserPoolClientResource", managedUserPoolClientArgs)
// Reference shape only: every input is a placeholder value.
// Pinpoint analytics block.
var analyticsConfiguration = ManagedUserPoolClientAnalyticsConfigurationArgs.builder()
    .applicationArn("string")
    .applicationId("string")
    .externalId("string")
    .roleArn("string")
    .userDataShared(false)
    .build();
// Units for the access, ID and refresh token lifetimes.
var tokenValidityUnits = ManagedUserPoolClientTokenValidityUnitsArgs.builder()
    .accessToken("string")
    .idToken("string")
    .refreshToken("string")
    .build();
var managedUserPoolClientArgs = ManagedUserPoolClientArgs.builder()
    // User pool that the client belongs to, and how the existing client is selected.
    .userPoolId("string")
    .namePattern("string")
    .namePrefix("string")
    // Authentication flows and OAuth settings.
    .explicitAuthFlows("string")
    .allowedOauthFlows("string")
    .allowedOauthFlowsUserPoolClient(false)
    .allowedOauthScopes("string")
    .callbackUrls("string")
    .logoutUrls("string")
    .defaultRedirectUri("string")
    .supportedIdentityProviders("string")
    .preventUserExistenceErrors("string")
    // Token and session lifetimes.
    .authSessionValidity(0)
    .accessTokenValidity(0)
    .idTokenValidity(0)
    .refreshTokenValidity(0)
    .tokenValidityUnits(tokenValidityUnits)
    .enableTokenRevocation(false)
    .enablePropagateAdditionalUserContextData(false)
    // Attribute access and analytics.
    .readAttributes("string")
    .writeAttributes("string")
    .analyticsConfiguration(analyticsConfiguration)
    .build();
var managedUserPoolClientResource = new ManagedUserPoolClient("managedUserPoolClientResource", managedUserPoolClientArgs);
# Reference shape only: every input is a placeholder value.
managed_user_pool_client_args = {
    # User pool that the client belongs to, and how the existing client is selected.
    "user_pool_id": "string",
    "name_pattern": "string",
    "name_prefix": "string",
    # Authentication flows and OAuth settings.
    "explicit_auth_flows": ["string"],
    "allowed_oauth_flows": ["string"],
    "allowed_oauth_flows_user_pool_client": False,
    "allowed_oauth_scopes": ["string"],
    "callback_urls": ["string"],
    "logout_urls": ["string"],
    "default_redirect_uri": "string",
    "supported_identity_providers": ["string"],
    "prevent_user_existence_errors": "string",
    # Token and session lifetimes; units are taken from token_validity_units.
    "auth_session_validity": 0,
    "access_token_validity": 0,
    "id_token_validity": 0,
    "refresh_token_validity": 0,
    "token_validity_units": {
        "accessToken": "string",
        "idToken": "string",
        "refreshToken": "string",
    },
    "enable_token_revocation": False,
    "enable_propagate_additional_user_context_data": False,
    # Attribute access and Pinpoint analytics.
    "read_attributes": ["string"],
    "write_attributes": ["string"],
    "analytics_configuration": {
        "applicationArn": "string",
        "applicationId": "string",
        "externalId": "string",
        "roleArn": "string",
        "userDataShared": False,
    },
}
managed_user_pool_client_resource = aws.cognito.ManagedUserPoolClient(
    "managedUserPoolClientResource", **managed_user_pool_client_args)
// Reference shape only: every input is a placeholder value.
const managedUserPoolClientArgs = {
  // User pool that the client belongs to, and how the existing client is selected.
  userPoolId: "string",
  namePattern: "string",
  namePrefix: "string",
  // Authentication flows and OAuth settings.
  explicitAuthFlows: ["string"],
  allowedOauthFlows: ["string"],
  allowedOauthFlowsUserPoolClient: false,
  allowedOauthScopes: ["string"],
  callbackUrls: ["string"],
  logoutUrls: ["string"],
  defaultRedirectUri: "string",
  supportedIdentityProviders: ["string"],
  preventUserExistenceErrors: "string",
  // Token and session lifetimes; units are taken from tokenValidityUnits.
  authSessionValidity: 0,
  accessTokenValidity: 0,
  idTokenValidity: 0,
  refreshTokenValidity: 0,
  tokenValidityUnits: {
    accessToken: "string",
    idToken: "string",
    refreshToken: "string",
  },
  enableTokenRevocation: false,
  enablePropagateAdditionalUserContextData: false,
  // Attribute access and Pinpoint analytics.
  readAttributes: ["string"],
  writeAttributes: ["string"],
  analyticsConfiguration: {
    applicationArn: "string",
    applicationId: "string",
    externalId: "string",
    roleArn: "string",
    userDataShared: false,
  },
};
const managedUserPoolClientResource = new aws.cognito.ManagedUserPoolClient(
  "managedUserPoolClientResource",
  managedUserPoolClientArgs,
);
# Reference shape only: every input is a placeholder value.
type: aws:cognito:ManagedUserPoolClient
properties:
  accessTokenValidity: 0
  allowedOauthFlows: [string]
  allowedOauthFlowsUserPoolClient: false
  allowedOauthScopes: [string]
  analyticsConfiguration: {applicationArn: string, applicationId: string, externalId: string, roleArn: string, userDataShared: false}
  authSessionValidity: 0
  callbackUrls: [string]
  defaultRedirectUri: string
  enablePropagateAdditionalUserContextData: false
  enableTokenRevocation: false
  explicitAuthFlows: [string]
  idTokenValidity: 0
  logoutUrls: [string]
  namePattern: string
  namePrefix: string
  preventUserExistenceErrors: string
  readAttributes: [string]
  refreshTokenValidity: 0
  supportedIdentityProviders: [string]
  tokenValidityUnits: {accessToken: string, idToken: string, refreshToken: string}
  userPoolId: string
  writeAttributes: [string]
ManagedUserPoolClient Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ManagedUserPoolClient resource accepts the following input properties:
- User
Pool stringId - User pool that the client belongs to.
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
- Allowed
Oauth List<string>Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- Allowed
Oauth List<string>Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- Analytics
Configuration ManagedUser Pool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
Session intValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `auth_session_validity` are between `3` and `15`, with a default value of `3`.
- Callback
Urls List<string> - List of allowed callback URLs for the identity providers.
- Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth List<string>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
- Logout
Urls List<string> - List of allowed logout URLs for the identity providers.
- Name
Pattern string - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- Name
Prefix string - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes List<string> - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
- Supported
Identity List<string>Providers - List of provider names for the identity providers that are supported on this client. It uses the `provider_name` attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
- Token
Validity ManagedUnits User Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below.
- Write
Attributes List<string> - List of user pool attributes that the application client can write to.
- User
Pool stringId - User pool that the client belongs to.
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
- Allowed
Oauth []stringFlows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- Allowed
Oauth []stringScopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- Analytics
Configuration ManagedUser Pool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
Session intValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `auth_session_validity` are between `3` and `15`, with a default value of `3`.
- Callback
Urls []string - List of allowed callback URLs for the identity providers.
- Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth []stringFlows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
- Logout
Urls []string - List of allowed logout URLs for the identity providers.
- Name
Pattern string - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- Name
Prefix string - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes []string - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
- Supported
Identity []stringProviders - List of provider names for the identity providers that are supported on this client. It uses the `provider_name` attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
- Token
Validity ManagedUnits User Pool Client Token Validity Units Args - Configuration block for representing the validity times in units. See details below.
- Write
Attributes []string - List of user pool attributes that the application client can write to.
- user
Pool StringId - User pool that the client belongs to.
- access
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
- allowed
Oauth List<String>Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- analytics
Configuration ManagedUser Pool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session IntegerValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `auth_session_validity` are between `3` and `15`, with a default value of `3`.
- callback
Urls List<String> - List of allowed callback URLs for the identity providers.
- default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- id
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
- name
Pattern String - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name
Prefix String - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token IntegerValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
ValidityUnits ManagedUserPoolClientTokenValidityUnits - Configuration block for representing the validity times in units. See details below.
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
- user
Pool stringId - User pool that the client belongs to.
- access
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth string[]Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- allowed
Oauth booleanFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed
Oauth string[]Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- analytics
Configuration ManagedUser Pool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
SessionValidity number - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- callback
Urls string[] - List of allowed callback URLs for the identity providers.
- default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate booleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token booleanRevocation - Enables or disables token revocation.
- explicit
Auth string[]Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- id
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls string[] - List of allowed logout URLs for the identity providers.
- name
Pattern string - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name
Prefix string - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes string[] - List of user pool attributes that the application client can read from.
- refresh
Token numberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity string[]Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
ValidityUnits ManagedUserPoolClientTokenValidityUnits - Configuration block for representing the validity times in units. See details below.
- write
Attributes string[] - List of user pool attributes that the application client can write to.
- user_
pool_ strid - User pool that the client belongs to.
- access_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed_
oauth_ Sequence[str]flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- allowed_
oauth_ boolflows_ user_ pool_ client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed_
oauth_ Sequence[str]scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- analytics_
configuration ManagedUser Pool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth_
session_validity int - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- callback_
urls Sequence[str] - List of allowed callback URLs for the identity providers.
- default_
redirect_ struri - Default redirect URI and must be included in the list of callback URLs.
- enable_
propagate_ booladditional_ user_ context_ data - Enables the propagation of additional user context data.
- enable_
token_ boolrevocation - Enables or disables token revocation.
- explicit_
auth_ Sequence[str]flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- id_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout_
urls Sequence[str] - List of allowed logout URLs for the identity providers.
- name_
pattern str - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name_
prefix str - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent_
user_ strexistence_ errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read_
attributes Sequence[str] - List of user pool attributes that the application client can read from.
- refresh_
token_ intvalidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported_
identity_ Sequence[str]providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token_
validity_units ManagedUserPoolClientTokenValidityUnitsArgs - Configuration block for representing the validity times in units. See details below.
- write_
attributes Sequence[str] - List of user pool attributes that the application client can write to.
- user
Pool StringId - User pool that the client belongs to.
- access
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth List<String>Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- analytics
Configuration Property Map - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
SessionValidity Number - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- callback
Urls List<String> - List of allowed callback URLs for the identity providers.
- default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- id
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
- name
Pattern String - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name
Prefix String - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token NumberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
ValidityUnits Property Map - Configuration block for representing the validity times in units. See details below.
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
Outputs
All input properties are implicitly available as output properties. Additionally, the ManagedUserPoolClient resource produces the following output properties:
- Client
Secret string - Client secret of the user pool client. This value is a credential; treat it as sensitive and keep it out of logs, source control, and plain-text configuration.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Name of the user pool client.
- Client
Secret string - Client secret of the user pool client. This value is a credential; treat it as sensitive and keep it out of logs, source control, and plain-text configuration.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Name of the user pool client.
- client
Secret String - Client secret of the user pool client. This value is a credential; treat it as sensitive and keep it out of logs, source control, and plain-text configuration.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Name of the user pool client.
- client
Secret string - Client secret of the user pool client. This value is a credential; treat it as sensitive and keep it out of logs, source control, and plain-text configuration.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- Name of the user pool client.
- client_
secret str - Client secret of the user pool client. This value is a credential; treat it as sensitive and keep it out of logs, source control, and plain-text configuration.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- Name of the user pool client.
- client
Secret String - Client secret of the user pool client. This value is a credential; treat it as sensitive and keep it out of logs, source control, and plain-text configuration.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Name of the user pool client.
Look up Existing ManagedUserPoolClient Resource
Get an existing ManagedUserPoolClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ManagedUserPoolClientState, opts?: CustomResourceOptions): ManagedUserPoolClient
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_token_validity: Optional[int] = None,
allowed_oauth_flows: Optional[Sequence[str]] = None,
allowed_oauth_flows_user_pool_client: Optional[bool] = None,
allowed_oauth_scopes: Optional[Sequence[str]] = None,
analytics_configuration: Optional[ManagedUserPoolClientAnalyticsConfigurationArgs] = None,
auth_session_validity: Optional[int] = None,
callback_urls: Optional[Sequence[str]] = None,
client_secret: Optional[str] = None,
default_redirect_uri: Optional[str] = None,
enable_propagate_additional_user_context_data: Optional[bool] = None,
enable_token_revocation: Optional[bool] = None,
explicit_auth_flows: Optional[Sequence[str]] = None,
id_token_validity: Optional[int] = None,
logout_urls: Optional[Sequence[str]] = None,
name: Optional[str] = None,
name_pattern: Optional[str] = None,
name_prefix: Optional[str] = None,
prevent_user_existence_errors: Optional[str] = None,
read_attributes: Optional[Sequence[str]] = None,
refresh_token_validity: Optional[int] = None,
supported_identity_providers: Optional[Sequence[str]] = None,
token_validity_units: Optional[ManagedUserPoolClientTokenValidityUnitsArgs] = None,
user_pool_id: Optional[str] = None,
write_attributes: Optional[Sequence[str]] = None) -> ManagedUserPoolClient
func GetManagedUserPoolClient(ctx *Context, name string, id IDInput, state *ManagedUserPoolClientState, opts ...ResourceOption) (*ManagedUserPoolClient, error)
public static ManagedUserPoolClient Get(string name, Input<string> id, ManagedUserPoolClientState? state, CustomResourceOptions? opts = null)
public static ManagedUserPoolClient get(String name, Output<String> id, ManagedUserPoolClientState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - Allowed
Oauth List<string>Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- Allowed
Oauth List<string>Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- Analytics
Configuration ManagedUser Pool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
SessionValidity int - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- Callback
Urls List<string> - List of allowed callback URLs for the identity providers.
- Client
Secret string - Client secret of the user pool client.
- Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth List<string>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - Logout
Urls List<string> - List of allowed logout URLs for the identity providers.
- Name string
- Name of the user pool client.
- Name
Pattern string - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- Name
Prefix string - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes List<string> - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - Supported
Identity List<string>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - Token
ValidityUnits ManagedUserPoolClientTokenValidityUnits - Configuration block for representing the validity times in units. See details below.
- User
Pool stringId - User pool that the client belongs to.
- Write
Attributes List<string> - List of user pool attributes that the application client can write to.
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - Allowed
Oauth []stringFlows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- Allowed
Oauth []stringScopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- Analytics
Configuration ManagedUser Pool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
SessionValidity int - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- Callback
Urls []string - List of allowed callback URLs for the identity providers.
- Client
Secret string - Client secret of the user pool client.
- Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth []stringFlows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - Logout
Urls []string - List of allowed logout URLs for the identity providers.
- Name string
- Name of the user pool client.
- Name
Pattern string - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- Name
Prefix string - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes []string - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - Supported
Identity []stringProviders - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - Token
ValidityUnits ManagedUserPoolClientTokenValidityUnitsArgs - Configuration block for representing the validity times in units. See details below.
- User
Pool stringId - User pool that the client belongs to.
- Write
Attributes []string - List of user pool attributes that the application client can write to.
- access
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth List<String>Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- analytics
Configuration ManagedUser Pool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
SessionValidity Integer - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- callback
Urls List<String> - List of allowed callback URLs for the identity providers.
- client
Secret String - Client secret of the user pool client.
- default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- id
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
- name String
- Name of the user pool client.
- name
Pattern String - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name
Prefix String - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token IntegerValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
ValidityUnits ManagedUserPoolClientTokenValidityUnits - Configuration block for representing the validity times in units. See details below.
- user
Pool StringId - User pool that the client belongs to.
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
- access
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth string[]Flows - List of allowed OAuth flows, including code, implicit, and client_credentials.
- allowed
Oauth booleanFlows User Pool Client - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed
Oauth string[]Scopes - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
- analytics
Configuration ManagedUser Pool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
SessionValidity number - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between 3 and 15, with a default value of 3.
- callback
Urls string[] - List of allowed callback URLs for the identity providers.
- client
Secret string - Client secret of the user pool client.
- default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate booleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token booleanRevocation - Enables or disables token revocation.
- explicit
Auth string[]Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- id
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls string[] - List of allowed logout URLs for the identity providers.
- name string
- Name of the user pool client.
- name
Pattern string - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name
Prefix string - String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes string[] - List of user pool attributes that the application client can read from.
- refresh
Token numberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity string[]Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of the aws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
ValidityUnits ManagedUserPoolClientTokenValidityUnits - Configuration block for representing the validity times in units. See details below.
- user
Pool stringId - User pool that the client belongs to.
- write
Attributes string[] - List of user pool attributes that the application client can write to.
- access_token_validity int - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
- allowed_oauth_flows Sequence[str] - List of allowed OAuth flows, including code, implicit, and client_credentials. The implicit flow returns tokens in the redirect URL fragment, where browser history and page scripts can see them; prefer code (with PKCE for public clients) and enable implicit only for legacy clients that cannot use it.
- allowed_oauth_flows_user_pool_client bool - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowed_oauth_scopes Sequence[str] - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. Grant scopes on a least-privilege basis; aws.cognito.signin.user.admin is broader than the identity scopes because it authorizes the token holder to call Cognito user APIs on the user's own account.
- analytics_
configuration ManagedUser Pool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth_session_validity int - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The user must respond to the session token before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
- callback_urls Sequence[str] - List of allowed callback URLs for the identity providers. Cognito will redirect only to URLs on this list, and every entry is a destination that can receive authorization codes or tokens, so restrict it to HTTPS URLs your application controls.
- client_secret str - Client secret of the user pool client. This is a credential: keep it out of source control and logs, and treat it as a secret in Pulumi state and stack outputs.
- default_redirect_uri str - Default redirect URI and must be included in the list of callback URLs.
- enable_propagate_additional_user_context_data bool - Enables the propagation of additional user context data.
- enable_token_revocation bool - Enables or disables token revocation. When disabled, tokens already issued to this client cannot be revoked before they expire, so a leaked token stays usable for its full lifetime; leave this enabled unless you have a specific reason not to.
- explicit_auth_flows Sequence[str] - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The SRP flow proves the password without transmitting it, whereas the password-based flows send the password itself to Cognito; enable only the flows your clients actually use, and prefer SRP where the client can implement it.
- id_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout_
urls Sequence[str] - List of allowed logout URLs for the identity providers.
- name str
- Name of the user pool client.
- name_
pattern str - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name_
prefix str String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- prevent_user_existence_errors str - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Prefer the setting that returns a generic error whether or not the user exists, so that an attacker cannot use differences in error responses to enumerate valid usernames.
- read_attributes Sequence[str] - List of user pool attributes that the application client can read from. List only the attributes the application actually needs.
- refresh_token_validity int - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token. A longer lifetime extends how long a stolen refresh token remains usable; choose the shortest value your application can tolerate.
- supported_identity_providers Sequence[str] - List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
- token_validity_units ManagedUserPoolClientTokenValidityUnitsArgs - Configuration block for representing the validity times in units. See details below.
- user_pool_id str - User pool that the client belongs to.
- write_attributes Sequence[str] - List of user pool attributes that the application client can write to. Anything listed here can be modified through this client, so follow least privilege and include only the attributes the application must update.
- accessTokenValidity Number - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
- allowedOauthFlows List<String> - List of allowed OAuth flows, including code, implicit, and client_credentials. The implicit flow returns tokens in the redirect URL fragment, where browser history and page scripts can see them; prefer code (with PKCE for public clients) and enable implicit only for legacy clients that cannot use it.
- allowedOauthFlowsUserPoolClient Boolean - Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
- allowedOauthScopes List<String> - List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. Grant scopes on a least-privilege basis; aws.cognito.signin.user.admin is broader than the identity scopes because it authorizes the token holder to call Cognito user APIs on the user's own account.
- analytics
Configuration Property Map - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- authSessionValidity Number - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The user must respond to the session token before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
- callbackUrls List<String> - List of allowed callback URLs for the identity providers. Cognito will redirect only to URLs on this list, and every entry is a destination that can receive authorization codes or tokens, so restrict it to HTTPS URLs your application controls.
- clientSecret String - Client secret of the user pool client. This is a credential: keep it out of source control and logs, and treat it as a secret in Pulumi state and stack outputs.
- defaultRedirectUri String - Default redirect URI and must be included in the list of callback URLs.
- enablePropagateAdditionalUserContextData Boolean - Enables the propagation of additional user context data.
- enableTokenRevocation Boolean - Enables or disables token revocation. When disabled, tokens already issued to this client cannot be revoked before they expire, so a leaked token stays usable for its full lifetime; leave this enabled unless you have a specific reason not to.
- explicitAuthFlows List<String> - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The SRP flow proves the password without transmitting it, whereas the password-based flows send the password itself to Cognito; enable only the flows your clients actually use, and prefer SRP where the client can implement it.
- id
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
- name String
- Name of the user pool client.
- name
Pattern String - Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
- name
Prefix String String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
The following arguments are optional:
- preventUserExistenceErrors String - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Prefer the setting that returns a generic error whether or not the user exists, so that an attacker cannot use differences in error responses to enumerate valid usernames.
- readAttributes List<String> - List of user pool attributes that the application client can read from. List only the attributes the application actually needs.
- refreshTokenValidity Number - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token. A longer lifetime extends how long a stolen refresh token remains usable; choose the shortest value your application can tolerate.
- supportedIdentityProviders List<String> - List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
- tokenValidityUnits Property Map - Configuration block for representing the validity times in units. See details below.
- userPoolId String - User pool that the client belongs to.
- writeAttributes List<String> - List of user pool attributes that the application client can write to. Anything listed here can be modified through this client, so follow least privilege and include only the attributes the application must update.
Supporting Types
ManagedUserPoolClientAnalyticsConfiguration, ManagedUserPoolClientAnalyticsConfigurationArgs
- ApplicationArn string - Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
- ApplicationId string - Unique identifier for an Amazon Pinpoint application.
- ExternalId string - ID for the Analytics Configuration and conflicts with application_arn.
- RoleArn string - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
- UserDataShared bool - If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics. Enable this only if sending user data to Pinpoint is acceptable under your data-handling requirements.
- ApplicationArn string - Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
- ApplicationId string - Unique identifier for an Amazon Pinpoint application.
- ExternalId string - ID for the Analytics Configuration and conflicts with application_arn.
- RoleArn string - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
- UserDataShared bool - If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics. Enable this only if sending user data to Pinpoint is acceptable under your data-handling requirements.
- applicationArn String - Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
- applicationId String - Unique identifier for an Amazon Pinpoint application.
- externalId String - ID for the Analytics Configuration and conflicts with application_arn.
- roleArn String - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
- userDataShared Boolean - If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics. Enable this only if sending user data to Pinpoint is acceptable under your data-handling requirements.
- applicationArn string - Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
- applicationId string - Unique identifier for an Amazon Pinpoint application.
- externalId string - ID for the Analytics Configuration and conflicts with application_arn.
- roleArn string - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
- userDataShared boolean - If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics. Enable this only if sending user data to Pinpoint is acceptable under your data-handling requirements.
- application_arn str - Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
- application_id str - Unique identifier for an Amazon Pinpoint application.
- external_id str - ID for the Analytics Configuration and conflicts with application_arn.
- role_arn str - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
- user_data_shared bool - If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics. Enable this only if sending user data to Pinpoint is acceptable under your data-handling requirements.
- applicationArn String - Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
- applicationId String - Unique identifier for an Amazon Pinpoint application.
- externalId String - ID for the Analytics Configuration and conflicts with application_arn.
- roleArn String - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
- userDataShared Boolean - If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics. Enable this only if sending user data to Pinpoint is acceptable under your data-handling requirements.
ManagedUserPoolClientTokenValidityUnits, ManagedUserPoolClientTokenValidityUnitsArgs
- AccessToken string - Time unit for the value in access_token_validity and defaults to hours.
- IdToken string - Time unit for the value in id_token_validity, and it defaults to hours.
- RefreshToken string - Time unit for the value in refresh_token_validity and defaults to days.
- AccessToken string - Time unit for the value in access_token_validity and defaults to hours.
- IdToken string - Time unit for the value in id_token_validity, and it defaults to hours.
- RefreshToken string - Time unit for the value in refresh_token_validity and defaults to days.
- accessToken String - Time unit for the value in access_token_validity and defaults to hours.
- idToken String - Time unit for the value in id_token_validity, and it defaults to hours.
- refreshToken String - Time unit for the value in refresh_token_validity and defaults to days.
- accessToken string - Time unit for the value in access_token_validity and defaults to hours.
- idToken string - Time unit for the value in id_token_validity, and it defaults to hours.
- refreshToken string - Time unit for the value in refresh_token_validity and defaults to days.
- access_token str - Time unit for the value in access_token_validity and defaults to hours.
- id_token str - Time unit for the value in id_token_validity, and it defaults to hours.
- refresh_token str - Time unit for the value in refresh_token_validity and defaults to days.
- accessToken String - Time unit for the value in access_token_validity and defaults to hours.
- idToken String - Time unit for the value in id_token_validity, and it defaults to hours.
- refreshToken String - Time unit for the value in refresh_token_validity and defaults to days.
Import
Using pulumi import
, import Cognito User Pool Clients using the id
of the Cognito User Pool and the id
of the Cognito User Pool Client. For example:
$ pulumi import aws:cognito/managedUserPoolClient:ManagedUserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aws
Terraform Provider.