UserPoolClient

class UserPoolClient : KotlinCustomResource

Provides a Cognito User Pool Client resource. To manage a User Pool Client created by another service, such as when configuring an OpenSearch Domain to use Cognito authentication, use the aws_cognito_managed_user_pool_client resource instead.

Example Usage

Create a basic user pool client

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /**
     * Entry point: hands the program over to Pulumi, which invokes {@link #stack(Context)}.
     *
     * @param args command-line arguments (not used)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Cognito user pool and a single app client attached to it.
     * Only {@code userPoolId} is set; every other client setting is left at the
     * provider default.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var userPool = new UserPool("pool");
        var clientArgs = UserPoolClientArgs.builder()
            .userPoolId(userPool.id())
            .build();
        var appClient = new UserPoolClient("client", clientArgs);
    }
}

Create a user pool client with no SRP authentication

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /**
     * Entry point: hands the program over to Pulumi, which invokes {@link #stack(Context)}.
     *
     * @param args command-line arguments (not used)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a user pool and a confidential app client that authenticates with the
     * {@code ADMIN_NO_SRP_AUTH} flow (server-side admin authentication without SRP).
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var userPool = new UserPool("pool");
        // generateSecret(true) gives the client a secret, exposed afterwards as the
        // clientSecret output; treat that output as a credential (keep it out of logs
        // and plain-text state exports).
        var clientArgs = UserPoolClientArgs.builder()
            .userPoolId(userPool.id())
            .generateSecret(true)
            .explicitAuthFlows("ADMIN_NO_SRP_AUTH")
            .build();
        var srpLessClient = new UserPoolClient("client", clientArgs);
    }
}

Create a user pool client with pinpoint analytics

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import com.pulumi.aws.cognito.inputs.UserPoolClientAnalyticsConfigurationArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.pinpoint.App;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
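public class App {
    /**
     * Entry point: hands the program over to Pulumi, which invokes {@link #stack(Context)}.
     *
     * @param args command-line arguments (not used)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Cognito user pool client wired to a Pinpoint project for analytics, plus
     * the IAM role (and its inline policy) that Cognito assumes to publish events to that
     * project.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var testUserPool = new UserPool("testUserPool");
        // Fully qualified because this class is itself named App. Note that the
        // single-type import of com.pulumi.aws.pinpoint.App at the top of the listing
        // clashes with this class name and has to be dropped for the file to compile.
        var testApp = new com.pulumi.aws.pinpoint.App("testApp");

        // Trust policy: only the Cognito service principal may assume the analytics role.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("cognito-idp.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());
        var testRole = new Role("testRole", RoleArgs.builder()
            .assumeRolePolicy(assumeRole.applyValue(doc -> doc.json()))
            .build());

        var testUserPoolClient = new UserPoolClient("testUserPoolClient", UserPoolClientArgs.builder()
            .userPoolId(testUserPool.id())
            .analyticsConfiguration(UserPoolClientAnalyticsConfigurationArgs.builder()
                .applicationId(testApp.applicationId())
                // NOTE(review): "some_id" is a placeholder external ID, and the trust
                // policy above does not condition on sts:ExternalId; confirm whether this
                // deployment needs that condition to complete the confused-deputy protection.
                .externalId("some_id")
                .roleArn(testRole.arn())
                .userDataShared(true)
                .build())
            .build());

        final var current = AwsFunctions.getCallerIdentity();
        // Both the account ID and the Pinpoint application ID are Outputs. Combine them with
        // Output.tuple so the ARN is formatted from the resolved values; passing an Output
        // straight into String.format would interpolate the Output object's toString().
        // The policy statement takes a list of resources, hence the single-element List.
        final var pinpointAppArns = Output.tuple(
                current.applyValue(identity -> identity.accountId()),
                testApp.applicationId())
            .applyValue(ids -> List.of(String.format(
                "arn:aws:mobiletargeting:*:%s:apps/%s*", ids.t1, ids.t2)));
        final var testPolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(
                    "mobiletargeting:UpdateEndpoint",
                    "mobiletargeting:PutEvents")
                .resources(pinpointAppArns)
                .build())
            .build());
        var testRolePolicy = new RolePolicy("testRolePolicy", RolePolicyArgs.builder()
            .role(testRole.id())
            // Project the policy document once to its JSON string; the previous nested
            // applyValue chain called applyValue on an already-unwrapped result.
            .policy(testPolicyDocument.applyValue(doc -> doc.json()))
            .build());
    }
}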

Create a user pool client with Cognito as the identity provider

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /**
     * Entry point: hands the program over to Pulumi, which invokes {@link #stack(Context)}.
     *
     * @param args command-line arguments (not used)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a user pool and an OAuth-enabled app client that uses the pool's own
     * directory ({@code COGNITO}) as the identity provider.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var userPool = new UserPool("pool");
        var oauthClientArgs = UserPoolClientArgs.builder()
            .userPoolId(userPool.id())
            // Redirect target for the authorization response; every URL the client may be
            // redirected to has to appear in this list.
            .callbackUrls("https://example.com")
            .allowedOauthFlowsUserPoolClient(true)
            // NOTE(review): the implicit grant returns tokens in the redirect URL fragment;
            // current OAuth 2.0 security guidance prefers the code flow (with PKCE for
            // public clients). Keep "implicit" only if a legacy client still depends on it.
            .allowedOauthFlows("code", "implicit")
            .allowedOauthScopes("email", "openid")
            .supportedIdentityProviders("COGNITO")
            .build();
        var userpoolClient = new UserPoolClient("userpoolClient", oauthClientArgs);
    }
}

Import

Cognito User Pool Clients can be imported using the ID of the Cognito User Pool and the ID of the Cognito User Pool Client, joined with a slash, e.g.,

$ pulumi import aws:cognito/userPoolClient:UserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko

Properties

val accessTokenValidity: Output<Int>?

Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.


List of allowed OAuth flows (code, implicit, client_credentials).


Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.


List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).


Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.

val authSessionValidity: Output<Int>?

Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between 3 and 15. Default value is 3.

val callbackUrls: Output<List<String>>

List of allowed callback URLs for the identity providers.

val clientSecret: Output<String>

Client secret of the user pool client.


Default redirect URI. Must be in the list of callback URLs.


Activates the propagation of additional user context data.


Enables or disables token revocation.


List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).

val generateSecret: Output<Boolean>?

Should an application secret be generated.

val id: Output<String>
val idTokenValidity: Output<Int>?

Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.

val logoutUrls: Output<List<String>>

List of allowed logout URLs for the identity providers.

val name: Output<String>

Name of the application client.


Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.

val pulumiChildResources: Set<KotlinResource>
val readAttributes: Output<List<String>>?

List of user pool attributes the application client can read from.


Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.


List of provider names for the identity providers that are supported on this client. Uses the provider_name attribute of aws.cognito.IdentityProvider resource(s), or the equivalent string(s).


Configuration block for the units in which the validity times are expressed. Detailed below.

val urn: Output<String>
val userPoolId: Output<String>

User pool the client belongs to. The following arguments are optional:

val writeAttributes: Output<List<String>>?

List of user pool attributes the application client can write to.