aws.cognito.UserPoolClient
Explore with Pulumi AI
Provides a Cognito User Pool Client resource.
To manage a User Pool Client created by another service, such as when configuring an OpenSearch Domain to use Cognito authentication,
use the aws.cognito.ManagedUserPoolClient
resource instead.
Example Usage
Create a basic user pool client
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const pool = new aws.cognito.UserPool("pool", {name: "pool"});
const client = new aws.cognito.UserPoolClient("client", {
name: "client",
userPoolId: pool.id,
});
import pulumi
import pulumi_aws as aws
pool = aws.cognito.UserPool("pool", name="pool")
client = aws.cognito.UserPoolClient("client",
name="client",
user_pool_id=pool.id)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
Name: pulumi.String("pool"),
})
if err != nil {
return err
}
_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
Name: pulumi.String("client"),
UserPoolId: pool.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var pool = new Aws.Cognito.UserPool("pool", new()
{
Name = "pool",
});
var client = new Aws.Cognito.UserPoolClient("client", new()
{
Name = "client",
UserPoolId = pool.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new UserPool("pool", UserPoolArgs.builder()
.name("pool")
.build());
var client = new UserPoolClient("client", UserPoolClientArgs.builder()
.name("client")
.userPoolId(pool.id())
.build());
}
}
resources:
client:
type: aws:cognito:UserPoolClient
properties:
name: client
userPoolId: ${pool.id}
pool:
type: aws:cognito:UserPool
properties:
name: pool
Create a user pool client with no SRP authentication
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const pool = new aws.cognito.UserPool("pool", {name: "pool"});
const client = new aws.cognito.UserPoolClient("client", {
name: "client",
userPoolId: pool.id,
generateSecret: true,
explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
});
import pulumi
import pulumi_aws as aws
pool = aws.cognito.UserPool("pool", name="pool")
client = aws.cognito.UserPoolClient("client",
name="client",
user_pool_id=pool.id,
generate_secret=True,
explicit_auth_flows=["ADMIN_NO_SRP_AUTH"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
Name: pulumi.String("pool"),
})
if err != nil {
return err
}
_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
Name: pulumi.String("client"),
UserPoolId: pool.ID(),
GenerateSecret: pulumi.Bool(true),
ExplicitAuthFlows: pulumi.StringArray{
pulumi.String("ADMIN_NO_SRP_AUTH"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var pool = new Aws.Cognito.UserPool("pool", new()
{
Name = "pool",
});
var client = new Aws.Cognito.UserPoolClient("client", new()
{
Name = "client",
UserPoolId = pool.Id,
GenerateSecret = true,
ExplicitAuthFlows = new[]
{
"ADMIN_NO_SRP_AUTH",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new UserPool("pool", UserPoolArgs.builder()
.name("pool")
.build());
var client = new UserPoolClient("client", UserPoolClientArgs.builder()
.name("client")
.userPoolId(pool.id())
.generateSecret(true)
.explicitAuthFlows("ADMIN_NO_SRP_AUTH")
.build());
}
}
resources:
client:
type: aws:cognito:UserPoolClient
properties:
name: client
userPoolId: ${pool.id}
generateSecret: true
explicitAuthFlows:
- ADMIN_NO_SRP_AUTH
pool:
type: aws:cognito:UserPool
properties:
name: pool
Create a user pool client with pinpoint analytics
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const testUserPool = new aws.cognito.UserPool("test", {name: "pool"});
const testApp = new aws.pinpoint.App("test", {name: "pinpoint"});
const assumeRole = aws.iam.getPolicyDocument({
statements: [{
effect: "Allow",
principals: [{
type: "Service",
identifiers: ["cognito-idp.amazonaws.com"],
}],
actions: ["sts:AssumeRole"],
}],
});
const testRole = new aws.iam.Role("test", {
name: "role",
assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
});
const testUserPoolClient = new aws.cognito.UserPoolClient("test", {
name: "pool_client",
userPoolId: testUserPool.id,
analyticsConfiguration: {
applicationId: testApp.applicationId,
externalId: "some_id",
roleArn: testRole.arn,
userDataShared: true,
},
});
const current = aws.getCallerIdentity({});
const test = aws.iam.getPolicyDocumentOutput({
statements: [{
effect: "Allow",
actions: [
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:PutEvents",
],
resources: [pulumi.all([current, testApp.applicationId]).apply(([current, applicationId]) => `arn:aws:mobiletargeting:*:${current.accountId}:apps/${applicationId}*`)],
}],
});
const testRolePolicy = new aws.iam.RolePolicy("test", {
name: "role_policy",
role: testRole.id,
policy: test.apply(test => test.json),
});
import pulumi
import pulumi_aws as aws
test_user_pool = aws.cognito.UserPool("test", name="pool")
test_app = aws.pinpoint.App("test", name="pinpoint")
assume_role = aws.iam.get_policy_document(statements=[{
"effect": "Allow",
"principals": [{
"type": "Service",
"identifiers": ["cognito-idp.amazonaws.com"],
}],
"actions": ["sts:AssumeRole"],
}])
test_role = aws.iam.Role("test",
name="role",
assume_role_policy=assume_role.json)
test_user_pool_client = aws.cognito.UserPoolClient("test",
name="pool_client",
user_pool_id=test_user_pool.id,
analytics_configuration={
"application_id": test_app.application_id,
"external_id": "some_id",
"role_arn": test_role.arn,
"user_data_shared": True,
})
current = aws.get_caller_identity()
test = aws.iam.get_policy_document_output(statements=[{
"effect": "Allow",
"actions": [
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:PutEvents",
],
"resources": [test_app.application_id.apply(lambda application_id: f"arn:aws:mobiletargeting:*:{current.account_id}:apps/{application_id}*")],
}])
test_role_policy = aws.iam.RolePolicy("test",
name="role_policy",
role=test_role.id,
policy=test.json)
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/pinpoint"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
testUserPool, err := cognito.NewUserPool(ctx, "test", &cognito.UserPoolArgs{
Name: pulumi.String("pool"),
})
if err != nil {
return err
}
testApp, err := pinpoint.NewApp(ctx, "test", &pinpoint.AppArgs{
Name: pulumi.String("pinpoint"),
})
if err != nil {
return err
}
assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "Service",
Identifiers: []string{
"cognito-idp.amazonaws.com",
},
},
},
Actions: []string{
"sts:AssumeRole",
},
},
},
}, nil)
if err != nil {
return err
}
testRole, err := iam.NewRole(ctx, "test", &iam.RoleArgs{
Name: pulumi.String("role"),
AssumeRolePolicy: pulumi.String(assumeRole.Json),
})
if err != nil {
return err
}
_, err = cognito.NewUserPoolClient(ctx, "test", &cognito.UserPoolClientArgs{
Name: pulumi.String("pool_client"),
UserPoolId: testUserPool.ID(),
AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
ApplicationId: testApp.ApplicationId,
ExternalId: pulumi.String("some_id"),
RoleArn: testRole.Arn,
UserDataShared: pulumi.Bool(true),
},
})
if err != nil {
return err
}
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
test := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Effect: pulumi.String("Allow"),
Actions: pulumi.StringArray{
pulumi.String("mobiletargeting:UpdateEndpoint"),
pulumi.String("mobiletargeting:PutEvents"),
},
Resources: pulumi.StringArray{
testApp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
return fmt.Sprintf("arn:aws:mobiletargeting:*:%v:apps/%v*", current.AccountId, applicationId), nil
}).(pulumi.StringOutput),
},
},
},
}, nil)
_, err = iam.NewRolePolicy(ctx, "test", &iam.RolePolicyArgs{
Name: pulumi.String("role_policy"),
Role: testRole.ID(),
Policy: pulumi.String(test.ApplyT(func(test iam.GetPolicyDocumentResult) (*string, error) {
return &test.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var testUserPool = new Aws.Cognito.UserPool("test", new()
{
Name = "pool",
});
var testApp = new Aws.Pinpoint.App("test", new()
{
Name = "pinpoint",
});
var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
Identifiers = new[]
{
"cognito-idp.amazonaws.com",
},
},
},
Actions = new[]
{
"sts:AssumeRole",
},
},
},
});
var testRole = new Aws.Iam.Role("test", new()
{
Name = "role",
AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var testUserPoolClient = new Aws.Cognito.UserPoolClient("test", new()
{
Name = "pool_client",
UserPoolId = testUserPool.Id,
AnalyticsConfiguration = new Aws.Cognito.Inputs.UserPoolClientAnalyticsConfigurationArgs
{
ApplicationId = testApp.ApplicationId,
ExternalId = "some_id",
RoleArn = testRole.Arn,
UserDataShared = true,
},
});
var current = Aws.GetCallerIdentity.Invoke();
var test = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:PutEvents",
},
Resources = new[]
{
$"arn:aws:mobiletargeting:*:{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:apps/{testApp.ApplicationId}*",
},
},
},
});
var testRolePolicy = new Aws.Iam.RolePolicy("test", new()
{
Name = "role_policy",
Role = testRole.Id,
Policy = test.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.pinpoint.App;
import com.pulumi.aws.pinpoint.AppArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import com.pulumi.aws.cognito.inputs.UserPoolClientAnalyticsConfigurationArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var testUserPool = new UserPool("testUserPool", UserPoolArgs.builder()
.name("pool")
.build());
var testApp = new App("testApp", AppArgs.builder()
.name("pinpoint")
.build());
final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers("cognito-idp.amazonaws.com")
.build())
.actions("sts:AssumeRole")
.build())
.build());
var testRole = new Role("testRole", RoleArgs.builder()
.name("role")
.assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
var testUserPoolClient = new UserPoolClient("testUserPoolClient", UserPoolClientArgs.builder()
.name("pool_client")
.userPoolId(testUserPool.id())
.analyticsConfiguration(UserPoolClientAnalyticsConfigurationArgs.builder()
.applicationId(testApp.applicationId())
.externalId("some_id")
.roleArn(testRole.arn())
.userDataShared(true)
.build())
.build());
final var current = AwsFunctions.getCallerIdentity();
final var test = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions(
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:PutEvents")
.resources(testApp.applicationId().applyValue(applicationId -> String.format("arn:aws:mobiletargeting:*:%s:apps/%s*", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()),applicationId)))
.build())
.build());
var testRolePolicy = new RolePolicy("testRolePolicy", RolePolicyArgs.builder()
.name("role_policy")
.role(testRole.id())
.policy(test.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(test -> test.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
.build());
}
}
resources:
testUserPoolClient:
type: aws:cognito:UserPoolClient
name: test
properties:
name: pool_client
userPoolId: ${testUserPool.id}
analyticsConfiguration:
applicationId: ${testApp.applicationId}
externalId: some_id
roleArn: ${testRole.arn}
userDataShared: true
testUserPool:
type: aws:cognito:UserPool
name: test
properties:
name: pool
testApp:
type: aws:pinpoint:App
name: test
properties:
name: pinpoint
testRole:
type: aws:iam:Role
name: test
properties:
name: role
assumeRolePolicy: ${assumeRole.json}
testRolePolicy:
type: aws:iam:RolePolicy
name: test
properties:
name: role_policy
role: ${testRole.id}
policy: ${test.json}
variables:
current:
fn::invoke:
Function: aws:getCallerIdentity
Arguments: {}
assumeRole:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- effect: Allow
principals:
- type: Service
identifiers:
- cognito-idp.amazonaws.com
actions:
- sts:AssumeRole
test:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- effect: Allow
actions:
- mobiletargeting:UpdateEndpoint
- mobiletargeting:PutEvents
resources:
- arn:aws:mobiletargeting:*:${current.accountId}:apps/${testApp.applicationId}*
Create a user pool client with Cognito as the identity provider
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const pool = new aws.cognito.UserPool("pool", {name: "pool"});
const userpoolClient = new aws.cognito.UserPoolClient("userpool_client", {
name: "client",
userPoolId: pool.id,
callbackUrls: ["https://example.com"],
allowedOauthFlowsUserPoolClient: true,
allowedOauthFlows: [
"code",
"implicit",
],
allowedOauthScopes: [
"email",
"openid",
],
supportedIdentityProviders: ["COGNITO"],
});
import pulumi
import pulumi_aws as aws
pool = aws.cognito.UserPool("pool", name="pool")
userpool_client = aws.cognito.UserPoolClient("userpool_client",
name="client",
user_pool_id=pool.id,
callback_urls=["https://example.com"],
allowed_oauth_flows_user_pool_client=True,
allowed_oauth_flows=[
"code",
"implicit",
],
allowed_oauth_scopes=[
"email",
"openid",
],
supported_identity_providers=["COGNITO"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
Name: pulumi.String("pool"),
})
if err != nil {
return err
}
_, err = cognito.NewUserPoolClient(ctx, "userpool_client", &cognito.UserPoolClientArgs{
Name: pulumi.String("client"),
UserPoolId: pool.ID(),
CallbackUrls: pulumi.StringArray{
pulumi.String("https://example.com"),
},
AllowedOauthFlowsUserPoolClient: pulumi.Bool(true),
AllowedOauthFlows: pulumi.StringArray{
pulumi.String("code"),
pulumi.String("implicit"),
},
AllowedOauthScopes: pulumi.StringArray{
pulumi.String("email"),
pulumi.String("openid"),
},
SupportedIdentityProviders: pulumi.StringArray{
pulumi.String("COGNITO"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var pool = new Aws.Cognito.UserPool("pool", new()
{
Name = "pool",
});
var userpoolClient = new Aws.Cognito.UserPoolClient("userpool_client", new()
{
Name = "client",
UserPoolId = pool.Id,
CallbackUrls = new[]
{
"https://example.com",
},
AllowedOauthFlowsUserPoolClient = true,
AllowedOauthFlows = new[]
{
"code",
"implicit",
},
AllowedOauthScopes = new[]
{
"email",
"openid",
},
SupportedIdentityProviders = new[]
{
"COGNITO",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new UserPool("pool", UserPoolArgs.builder()
.name("pool")
.build());
var userpoolClient = new UserPoolClient("userpoolClient", UserPoolClientArgs.builder()
.name("client")
.userPoolId(pool.id())
.callbackUrls("https://example.com")
.allowedOauthFlowsUserPoolClient(true)
.allowedOauthFlows(
"code",
"implicit")
.allowedOauthScopes(
"email",
"openid")
.supportedIdentityProviders("COGNITO")
.build());
}
}
resources:
userpoolClient:
type: aws:cognito:UserPoolClient
name: userpool_client
properties:
name: client
userPoolId: ${pool.id}
callbackUrls:
- https://example.com
allowedOauthFlowsUserPoolClient: true
allowedOauthFlows:
- code
- implicit
allowedOauthScopes:
- email
- openid
supportedIdentityProviders:
- COGNITO
pool:
type: aws:cognito:UserPool
properties:
name: pool
Create UserPoolClient Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new UserPoolClient(name: string, args: UserPoolClientArgs, opts?: CustomResourceOptions);
@overload
def UserPoolClient(resource_name: str,
args: UserPoolClientArgs,
opts: Optional[ResourceOptions] = None)
@overload
def UserPoolClient(resource_name: str,
opts: Optional[ResourceOptions] = None,
user_pool_id: Optional[str] = None,
explicit_auth_flows: Optional[Sequence[str]] = None,
auth_session_validity: Optional[int] = None,
generate_secret: Optional[bool] = None,
logout_urls: Optional[Sequence[str]] = None,
id_token_validity: Optional[int] = None,
callback_urls: Optional[Sequence[str]] = None,
default_redirect_uri: Optional[str] = None,
enable_propagate_additional_user_context_data: Optional[bool] = None,
enable_token_revocation: Optional[bool] = None,
access_token_validity: Optional[int] = None,
allowed_oauth_scopes: Optional[Sequence[str]] = None,
allowed_oauth_flows_user_pool_client: Optional[bool] = None,
analytics_configuration: Optional[UserPoolClientAnalyticsConfigurationArgs] = None,
name: Optional[str] = None,
prevent_user_existence_errors: Optional[str] = None,
read_attributes: Optional[Sequence[str]] = None,
refresh_token_validity: Optional[int] = None,
supported_identity_providers: Optional[Sequence[str]] = None,
token_validity_units: Optional[UserPoolClientTokenValidityUnitsArgs] = None,
allowed_oauth_flows: Optional[Sequence[str]] = None,
write_attributes: Optional[Sequence[str]] = None)
func NewUserPoolClient(ctx *Context, name string, args UserPoolClientArgs, opts ...ResourceOption) (*UserPoolClient, error)
public UserPoolClient(string name, UserPoolClientArgs args, CustomResourceOptions? opts = null)
public UserPoolClient(String name, UserPoolClientArgs args)
public UserPoolClient(String name, UserPoolClientArgs args, CustomResourceOptions options)
type: aws:cognito:UserPoolClient
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args UserPoolClientArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args UserPoolClientArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args UserPoolClientArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args UserPoolClientArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args UserPoolClientArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var userPoolClientResource = new Aws.Cognito.UserPoolClient("userPoolClientResource", new()
{
UserPoolId = "string",
ExplicitAuthFlows = new[]
{
"string",
},
AuthSessionValidity = 0,
GenerateSecret = false,
LogoutUrls = new[]
{
"string",
},
IdTokenValidity = 0,
CallbackUrls = new[]
{
"string",
},
DefaultRedirectUri = "string",
EnablePropagateAdditionalUserContextData = false,
EnableTokenRevocation = false,
AccessTokenValidity = 0,
AllowedOauthScopes = new[]
{
"string",
},
AllowedOauthFlowsUserPoolClient = false,
AnalyticsConfiguration = new Aws.Cognito.Inputs.UserPoolClientAnalyticsConfigurationArgs
{
ApplicationArn = "string",
ApplicationId = "string",
ExternalId = "string",
RoleArn = "string",
UserDataShared = false,
},
Name = "string",
PreventUserExistenceErrors = "string",
ReadAttributes = new[]
{
"string",
},
RefreshTokenValidity = 0,
SupportedIdentityProviders = new[]
{
"string",
},
TokenValidityUnits = new Aws.Cognito.Inputs.UserPoolClientTokenValidityUnitsArgs
{
AccessToken = "string",
IdToken = "string",
RefreshToken = "string",
},
AllowedOauthFlows = new[]
{
"string",
},
WriteAttributes = new[]
{
"string",
},
});
example, err := cognito.NewUserPoolClient(ctx, "userPoolClientResource", &cognito.UserPoolClientArgs{
UserPoolId: pulumi.String("string"),
ExplicitAuthFlows: pulumi.StringArray{
pulumi.String("string"),
},
AuthSessionValidity: pulumi.Int(0),
GenerateSecret: pulumi.Bool(false),
LogoutUrls: pulumi.StringArray{
pulumi.String("string"),
},
IdTokenValidity: pulumi.Int(0),
CallbackUrls: pulumi.StringArray{
pulumi.String("string"),
},
DefaultRedirectUri: pulumi.String("string"),
EnablePropagateAdditionalUserContextData: pulumi.Bool(false),
EnableTokenRevocation: pulumi.Bool(false),
AccessTokenValidity: pulumi.Int(0),
AllowedOauthScopes: pulumi.StringArray{
pulumi.String("string"),
},
AllowedOauthFlowsUserPoolClient: pulumi.Bool(false),
AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
ApplicationArn: pulumi.String("string"),
ApplicationId: pulumi.String("string"),
ExternalId: pulumi.String("string"),
RoleArn: pulumi.String("string"),
UserDataShared: pulumi.Bool(false),
},
Name: pulumi.String("string"),
PreventUserExistenceErrors: pulumi.String("string"),
ReadAttributes: pulumi.StringArray{
pulumi.String("string"),
},
RefreshTokenValidity: pulumi.Int(0),
SupportedIdentityProviders: pulumi.StringArray{
pulumi.String("string"),
},
TokenValidityUnits: &cognito.UserPoolClientTokenValidityUnitsArgs{
AccessToken: pulumi.String("string"),
IdToken: pulumi.String("string"),
RefreshToken: pulumi.String("string"),
},
AllowedOauthFlows: pulumi.StringArray{
pulumi.String("string"),
},
WriteAttributes: pulumi.StringArray{
pulumi.String("string"),
},
})
var userPoolClientResource = new UserPoolClient("userPoolClientResource", UserPoolClientArgs.builder()
.userPoolId("string")
.explicitAuthFlows("string")
.authSessionValidity(0)
.generateSecret(false)
.logoutUrls("string")
.idTokenValidity(0)
.callbackUrls("string")
.defaultRedirectUri("string")
.enablePropagateAdditionalUserContextData(false)
.enableTokenRevocation(false)
.accessTokenValidity(0)
.allowedOauthScopes("string")
.allowedOauthFlowsUserPoolClient(false)
.analyticsConfiguration(UserPoolClientAnalyticsConfigurationArgs.builder()
.applicationArn("string")
.applicationId("string")
.externalId("string")
.roleArn("string")
.userDataShared(false)
.build())
.name("string")
.preventUserExistenceErrors("string")
.readAttributes("string")
.refreshTokenValidity(0)
.supportedIdentityProviders("string")
.tokenValidityUnits(UserPoolClientTokenValidityUnitsArgs.builder()
.accessToken("string")
.idToken("string")
.refreshToken("string")
.build())
.allowedOauthFlows("string")
.writeAttributes("string")
.build());
user_pool_client_resource = aws.cognito.UserPoolClient("userPoolClientResource",
user_pool_id="string",
explicit_auth_flows=["string"],
auth_session_validity=0,
generate_secret=False,
logout_urls=["string"],
id_token_validity=0,
callback_urls=["string"],
default_redirect_uri="string",
enable_propagate_additional_user_context_data=False,
enable_token_revocation=False,
access_token_validity=0,
allowed_oauth_scopes=["string"],
allowed_oauth_flows_user_pool_client=False,
analytics_configuration={
"application_arn": "string",
"application_id": "string",
"external_id": "string",
"role_arn": "string",
"user_data_shared": False,
},
name="string",
prevent_user_existence_errors="string",
read_attributes=["string"],
refresh_token_validity=0,
supported_identity_providers=["string"],
token_validity_units={
"access_token": "string",
"id_token": "string",
"refresh_token": "string",
},
allowed_oauth_flows=["string"],
write_attributes=["string"])
const userPoolClientResource = new aws.cognito.UserPoolClient("userPoolClientResource", {
userPoolId: "string",
explicitAuthFlows: ["string"],
authSessionValidity: 0,
generateSecret: false,
logoutUrls: ["string"],
idTokenValidity: 0,
callbackUrls: ["string"],
defaultRedirectUri: "string",
enablePropagateAdditionalUserContextData: false,
enableTokenRevocation: false,
accessTokenValidity: 0,
allowedOauthScopes: ["string"],
allowedOauthFlowsUserPoolClient: false,
analyticsConfiguration: {
applicationArn: "string",
applicationId: "string",
externalId: "string",
roleArn: "string",
userDataShared: false,
},
name: "string",
preventUserExistenceErrors: "string",
readAttributes: ["string"],
refreshTokenValidity: 0,
supportedIdentityProviders: ["string"],
tokenValidityUnits: {
accessToken: "string",
idToken: "string",
refreshToken: "string",
},
allowedOauthFlows: ["string"],
writeAttributes: ["string"],
});
type: aws:cognito:UserPoolClient
properties:
accessTokenValidity: 0
allowedOauthFlows:
- string
allowedOauthFlowsUserPoolClient: false
allowedOauthScopes:
- string
analyticsConfiguration:
applicationArn: string
applicationId: string
externalId: string
roleArn: string
userDataShared: false
authSessionValidity: 0
callbackUrls:
- string
defaultRedirectUri: string
enablePropagateAdditionalUserContextData: false
enableTokenRevocation: false
explicitAuthFlows:
- string
generateSecret: false
idTokenValidity: 0
logoutUrls:
- string
name: string
preventUserExistenceErrors: string
readAttributes:
- string
refreshTokenValidity: 0
supportedIdentityProviders:
- string
tokenValidityUnits:
accessToken: string
idToken: string
refreshToken: string
userPoolId: string
writeAttributes:
- string
UserPoolClient Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The UserPoolClient resource accepts the following input properties:
- User
Pool stringId User pool the client belongs to.
The following arguments are optional:
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - Allowed
Oauth List<string>Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - Allowed
Oauth List<string>Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Analytics
Configuration UserPool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
Session intValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - Callback
Urls List<string> - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth List<string>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Generate
Secret bool - Boolean flag indicating whether an application secret should be generated.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - Logout
Urls List<string> - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Name string
- Name of the application client.
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes List<string> - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - Supported
Identity List<string>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - Token
Validity UserUnits Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below. Detailed below.
- Write
Attributes List<string> - List of user pool attributes that the application client can write to.
- User
Pool stringId User pool the client belongs to.
The following arguments are optional:
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - Allowed
Oauth []stringFlows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - Allowed
Oauth []stringScopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Analytics
Configuration UserPool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
Session intValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - Callback
Urls []string - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth []stringFlows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Generate
Secret bool - Boolean flag indicating whether an application secret should be generated.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - Logout
Urls []string - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Name string
- Name of the application client.
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes []string - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - Supported
Identity []stringProviders - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - Token
Validity UserUnits Pool Client Token Validity Units Args - Configuration block for representing the validity times in units. See details below. Detailed below.
- Write
Attributes []string - List of user pool attributes that the application client can write to.
- user
Pool StringId User pool the client belongs to.
The following arguments are optional:
- access
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth List<String>Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics
Configuration UserPool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session IntegerValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback
Urls List<String> - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate
Secret Boolean - Boolean flag indicating whether an application secret should be generated.
- id
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name String
- Name of the application client.
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token IntegerValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
Validity UserUnits Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below. Detailed below.
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
- user
Pool stringId User pool the client belongs to.
The following arguments are optional:
- access
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth string[]Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed
Oauth booleanFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed
Oauth string[]Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics
Configuration UserPool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session numberValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback
Urls string[] - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate booleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token booleanRevocation - Enables or disables token revocation.
- explicit
Auth string[]Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate
Secret boolean - Boolean flag indicating whether an application secret should be generated.
- id
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls string[] - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name string
- Name of the application client.
- prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes string[] - List of user pool attributes that the application client can read from.
- refresh
Token numberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity string[]Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
Validity UserUnits Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below. Detailed below.
- write
Attributes string[] - List of user pool attributes that the application client can write to.
- user_
pool_ strid User pool the client belongs to.
The following arguments are optional:
- access_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed_
oauth_ Sequence[str]flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed_
oauth_ boolflows_ user_ pool_ client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed_
oauth_ Sequence[str]scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics_
configuration UserPool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth_
session_ intvalidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback_
urls Sequence[str] - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - default_
redirect_ struri - Default redirect URI and must be included in the list of callback URLs.
- enable_
propagate_ booladditional_ user_ context_ data - Enables the propagation of additional user context data.
- enable_
token_ boolrevocation - Enables or disables token revocation.
- explicit_
auth_ Sequence[str]flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate_
secret bool - Boolean flag indicating whether an application secret should be generated.
- id_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout_
urls Sequence[str] - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name str
- Name of the application client.
- prevent_
user_ strexistence_ errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read_
attributes Sequence[str] - List of user pool attributes that the application client can read from.
- refresh_
token_ intvalidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported_
identity_ Sequence[str]providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token_
validity_ Userunits Pool Client Token Validity Units Args - Configuration block for representing the validity times in units. See details below. Detailed below.
- write_
attributes Sequence[str] - List of user pool attributes that the application client can write to.
- user
Pool StringId User pool the client belongs to.
The following arguments are optional:
- access
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth List<String>Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics
Configuration Property Map - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session NumberValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback
Urls List<String> - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate
Secret Boolean - Boolean flag indicating whether an application secret should be generated.
- id
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name String
- Name of the application client.
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token NumberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
Validity Property MapUnits - Configuration block for representing the validity times in units. See details below. Detailed below.
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
Outputs
All input properties are implicitly available as output properties. Additionally, the UserPoolClient resource produces the following output properties:
- Client
Secret string - Client secret of the user pool client.
- Id string
- The provider-assigned unique ID for this managed resource.
- Client
Secret string - Client secret of the user pool client.
- Id string
- The provider-assigned unique ID for this managed resource.
- client
Secret String - Client secret of the user pool client.
- id String
- The provider-assigned unique ID for this managed resource.
- client
Secret string - Client secret of the user pool client.
- id string
- The provider-assigned unique ID for this managed resource.
- client_
secret str - Client secret of the user pool client.
- id str
- The provider-assigned unique ID for this managed resource.
- client
Secret String - Client secret of the user pool client.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing UserPoolClient Resource
Get an existing UserPoolClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: UserPoolClientState, opts?: CustomResourceOptions): UserPoolClient
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_token_validity: Optional[int] = None,
allowed_oauth_flows: Optional[Sequence[str]] = None,
allowed_oauth_flows_user_pool_client: Optional[bool] = None,
allowed_oauth_scopes: Optional[Sequence[str]] = None,
analytics_configuration: Optional[UserPoolClientAnalyticsConfigurationArgs] = None,
auth_session_validity: Optional[int] = None,
callback_urls: Optional[Sequence[str]] = None,
client_secret: Optional[str] = None,
default_redirect_uri: Optional[str] = None,
enable_propagate_additional_user_context_data: Optional[bool] = None,
enable_token_revocation: Optional[bool] = None,
explicit_auth_flows: Optional[Sequence[str]] = None,
generate_secret: Optional[bool] = None,
id_token_validity: Optional[int] = None,
logout_urls: Optional[Sequence[str]] = None,
name: Optional[str] = None,
prevent_user_existence_errors: Optional[str] = None,
read_attributes: Optional[Sequence[str]] = None,
refresh_token_validity: Optional[int] = None,
supported_identity_providers: Optional[Sequence[str]] = None,
token_validity_units: Optional[UserPoolClientTokenValidityUnitsArgs] = None,
user_pool_id: Optional[str] = None,
write_attributes: Optional[Sequence[str]] = None) -> UserPoolClient
func GetUserPoolClient(ctx *Context, name string, id IDInput, state *UserPoolClientState, opts ...ResourceOption) (*UserPoolClient, error)
public static UserPoolClient Get(string name, Input<string> id, UserPoolClientState? state, CustomResourceOptions? opts = null)
public static UserPoolClient get(String name, Output<String> id, UserPoolClientState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - Allowed
Oauth List<string>Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - Allowed
Oauth List<string>Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Analytics
Configuration UserPool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
Session intValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - Callback
Urls List<string> - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Client
Secret string - Client secret of the user pool client.
- Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth List<string>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Generate
Secret bool - Boolean flag indicating whether an application secret should be generated.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - Logout
Urls List<string> - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Name string
- Name of the application client.
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes List<string> - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - Supported
Identity List<string>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - Token
Validity UserUnits Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below. Detailed below.
- User
Pool stringId User pool the client belongs to.
The following arguments are optional:
- Write
Attributes List<string> - List of user pool attributes that the application client can write to.
- Access
Token intValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - Allowed
Oauth []stringFlows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Allowed
Oauth boolFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - Allowed
Oauth []stringScopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Analytics
Configuration UserPool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- Auth
Session intValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - Callback
Urls []string - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Client
Secret string - Client secret of the user pool client.
- Default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- Enable
Propagate boolAdditional User Context Data - Enables the propagation of additional user context data.
- Enable
Token boolRevocation - Enables or disables token revocation.
- Explicit
Auth []stringFlows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- Generate
Secret bool - Boolean flag indicating whether an application secret should be generated.
- Id
Token intValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - Logout
Urls []string - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - Name string
- Name of the application client.
- Prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- Read
Attributes []string - List of user pool attributes that the application client can read from.
- Refresh
Token intValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - Supported
Identity []stringProviders - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - Token
Validity UserUnits Pool Client Token Validity Units Args - Configuration block for representing the validity times in units. See details below. Detailed below.
- User
Pool stringId User pool the client belongs to.
The following arguments are optional:
- Write
Attributes []string - List of user pool attributes that the application client can write to.
- access
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth List<String>Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics
Configuration UserPool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session IntegerValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback
Urls List<String> - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - client
Secret String - Client secret of the user pool client.
- default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate
Secret Boolean - Boolean flag indicating whether an application secret should be generated.
- id
Token IntegerValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name String
- Name of the application client.
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token IntegerValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
Validity UserUnits Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below. Detailed below.
- user
Pool StringId User pool the client belongs to.
The following arguments are optional:
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
- access
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth string[]Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed
Oauth booleanFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed
Oauth string[]Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics
Configuration UserPool Client Analytics Configuration - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session numberValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback
Urls string[] - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - client
Secret string - Client secret of the user pool client.
- default
Redirect stringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate booleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token booleanRevocation - Enables or disables token revocation.
- explicit
Auth string[]Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate
Secret boolean - Boolean flag indicating whether an application secret should be generated.
- id
Token numberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls string[] - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name string
- Name of the application client.
- prevent
User stringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes string[] - List of user pool attributes that the application client can read from.
- refresh
Token numberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity string[]Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
Validity UserUnits Pool Client Token Validity Units - Configuration block for representing the validity times in units. See details below. Detailed below.
- user
Pool stringId User pool the client belongs to.
The following arguments are optional:
- write
Attributes string[] - List of user pool attributes that the application client can write to.
- access_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed_
oauth_ Sequence[str]flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed_
oauth_ boolflows_ user_ pool_ client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed_
oauth_ Sequence[str]scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics_
configuration UserPool Client Analytics Configuration Args - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth_
session_ intvalidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback_
urls Sequence[str] - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - client_
secret str - Client secret of the user pool client.
- default_
redirect_ struri - Default redirect URI and must be included in the list of callback URLs.
- enable_
propagate_ booladditional_ user_ context_ data - Enables the propagation of additional user context data.
- enable_
token_ boolrevocation - Enables or disables token revocation.
- explicit_
auth_ Sequence[str]flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate_
secret bool - Boolean flag indicating whether an application secret should be generated.
- id_
token_ intvalidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout_
urls Sequence[str] - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name str
- Name of the application client.
- prevent_
user_ strexistence_ errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read_
attributes Sequence[str] - List of user pool attributes that the application client can read from.
- refresh_
token_ intvalidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported_
identity_ Sequence[str]providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token_
validity_ Userunits Pool Client Token Validity Units Args - Configuration block for representing the validity times in units. See details below. Detailed below.
- user_
pool_ strid User pool the client belongs to.
The following arguments are optional:
- write_
attributes Sequence[str] - List of user pool attributes that the application client can write to.
- access
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.access_token
. - allowed
Oauth List<String>Flows - List of allowed OAuth flows, including
code
,implicit
, andclient_credentials
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - allowed
Oauth BooleanFlows User Pool Client - Whether the client is allowed to use OAuth 2.0 features.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure the following arguments:callback_urls
,logout_urls
,allowed_oauth_scopes
andallowed_oauth_flows
. - allowed
Oauth List<String>Scopes - List of allowed OAuth scopes, including
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
.allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - analytics
Configuration Property Map - Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
- auth
Session NumberValidity - Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for
auth_session_validity
are between3
and15
, with a default value of3
. - callback
Urls List<String> - List of allowed callback URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - client
Secret String - Client secret of the user pool client.
- default
Redirect StringUri - Default redirect URI and must be included in the list of callback URLs.
- enable
Propagate BooleanAdditional User Context Data - Enables the propagation of additional user context data.
- enable
Token BooleanRevocation - Enables or disables token revocation.
- explicit
Auth List<String>Flows - List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
- generate
Secret Boolean - Boolean flag indicating whether an application secret should be generated.
- id
Token NumberValidity - Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in
token_validity_units.id_token
. - logout
Urls List<String> - List of allowed logout URLs for the identity providers.
allowed_oauth_flows_user_pool_client
must be set totrue
before you can configure this option. - name String
- Name of the application client.
- prevent
User StringExistence Errors - Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
- read
Attributes List<String> - List of user pool attributes that the application client can read from.
- refresh
Token NumberValidity - Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in
token_validity_units.refresh_token
. - supported
Identity List<String>Providers - List of provider names for the identity providers that are supported on this client. It uses the
provider_name
attribute of theaws.cognito.IdentityProvider
resource(s), or the equivalent string(s). - token
Validity Property MapUnits - Configuration block for representing the validity times in units. See details below. Detailed below.
- user
Pool StringId User pool the client belongs to.
The following arguments are optional:
- write
Attributes List<String> - List of user pool attributes that the application client can write to.
Supporting Types
UserPoolClientAnalyticsConfiguration, UserPoolClientAnalyticsConfigurationArgs
- Application
Arn string - Application ARN for an Amazon Pinpoint application. Conflicts with
external_id
androle_arn
. - Application
Id string - Application ID for an Amazon Pinpoint application.
- External
Id string - ID for the Analytics Configuration. Conflicts with
application_arn
. - Role
Arn string - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with
application_arn
. - bool
- If set to
true
, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
- Application
Arn string - Application ARN for an Amazon Pinpoint application. Conflicts with
external_id
androle_arn
. - Application
Id string - Application ID for an Amazon Pinpoint application.
- External
Id string - ID for the Analytics Configuration. Conflicts with
application_arn
. - Role
Arn string - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with
application_arn
. - bool
- If set to
true
, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
- application
Arn String - Application ARN for an Amazon Pinpoint application. Conflicts with
external_id
androle_arn
. - application
Id String - Application ID for an Amazon Pinpoint application.
- external
Id String - ID for the Analytics Configuration. Conflicts with
application_arn
. - role
Arn String - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with
application_arn
. - Boolean
- If set to
true
, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
- application
Arn string - Application ARN for an Amazon Pinpoint application. Conflicts with
external_id
androle_arn
. - application
Id string - Application ID for an Amazon Pinpoint application.
- external
Id string - ID for the Analytics Configuration. Conflicts with
application_arn
. - role
Arn string - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with
application_arn
. - boolean
- If set to
true
, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
- application_
arn str - Application ARN for an Amazon Pinpoint application. Conflicts with
external_id
androle_arn
. - application_
id str - Application ID for an Amazon Pinpoint application.
- external_
id str - ID for the Analytics Configuration. Conflicts with
application_arn
. - role_
arn str - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with
application_arn
. - bool
- If set to
true
, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
- application
Arn String - Application ARN for an Amazon Pinpoint application. Conflicts with
external_id
androle_arn
. - application
Id String - Application ID for an Amazon Pinpoint application.
- external
Id String - ID for the Analytics Configuration. Conflicts with
application_arn
. - role
Arn String - ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with
application_arn
. - Boolean
- If set to
true
, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
UserPoolClientTokenValidityUnits, UserPoolClientTokenValidityUnitsArgs
- Access
Token string - Time unit in for the value in
access_token_validity
, defaults tohours
. - Id
Token string - Time unit in for the value in
id_token_validity
, defaults tohours
. - Refresh
Token string - Time unit in for the value in
refresh_token_validity
, defaults todays
.
- Access
Token string - Time unit in for the value in
access_token_validity
, defaults tohours
. - Id
Token string - Time unit in for the value in
id_token_validity
, defaults tohours
. - Refresh
Token string - Time unit in for the value in
refresh_token_validity
, defaults todays
.
- access
Token String - Time unit in for the value in
access_token_validity
, defaults tohours
. - id
Token String - Time unit in for the value in
id_token_validity
, defaults tohours
. - refresh
Token String - Time unit in for the value in
refresh_token_validity
, defaults todays
.
- access
Token string - Time unit in for the value in
access_token_validity
, defaults tohours
. - id
Token string - Time unit in for the value in
id_token_validity
, defaults tohours
. - refresh
Token string - Time unit in for the value in
refresh_token_validity
, defaults todays
.
- access_
token str - Time unit in for the value in
access_token_validity
, defaults tohours
. - id_
token str - Time unit in for the value in
id_token_validity
, defaults tohours
. - refresh_
token str - Time unit in for the value in
refresh_token_validity
, defaults todays
.
- access
Token String - Time unit in for the value in
access_token_validity
, defaults tohours
. - id
Token String - Time unit in for the value in
id_token_validity
, defaults tohours
. - refresh
Token String - Time unit in for the value in
refresh_token_validity
, defaults todays
.
Import
Using pulumi import
, import Cognito User Pool Clients using the id
of the Cognito User Pool, and the id
of the Cognito User Pool Client. For example:
$ pulumi import aws:cognito/userPoolClient:UserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aws
Terraform Provider.