Managed
data class ManagedUserPoolClientArgs(val accessTokenValidity: Output<Int>? = null, val allowedOauthFlows: Output<List<String>>? = null, val allowedOauthFlowsUserPoolClient: Output<Boolean>? = null, val allowedOauthScopes: Output<List<String>>? = null, val analyticsConfiguration: Output<ManagedUserPoolClientAnalyticsConfigurationArgs>? = null, val authSessionValidity: Output<Int>? = null, val callbackUrls: Output<List<String>>? = null, val defaultRedirectUri: Output<String>? = null, val enablePropagateAdditionalUserContextData: Output<Boolean>? = null, val enableTokenRevocation: Output<Boolean>? = null, val explicitAuthFlows: Output<List<String>>? = null, val idTokenValidity: Output<Int>? = null, val logoutUrls: Output<List<String>>? = null, val namePattern: Output<String>? = null, val namePrefix: Output<String>? = null, val preventUserExistenceErrors: Output<String>? = null, val readAttributes: Output<List<String>>? = null, val refreshTokenValidity: Output<Int>? = null, val supportedIdentityProviders: Output<List<String>>? = null, val tokenValidityUnits: Output<ManagedUserPoolClientTokenValidityUnitsArgs>? = null, val userPoolId: Output<String>? = null, val writeAttributes: Output<List<String>>? = null) : ConvertibleToJava<ManagedUserPoolClientArgs>
Use the aws.cognito.UserPoolClient resource to manage a Cognito User Pool Client. This resource is advanced and has special caveats to consider before use. Please read this document completely before using the resource. Use the aws.cognito.ManagedUserPoolClient resource to manage a Cognito User Pool Client that is automatically created by an AWS service. For instance, when configuring an OpenSearch Domain to use Cognito authentication, the OpenSearch service creates the User Pool Client during setup and removes it when it is no longer required. As a result, the aws.cognito.ManagedUserPoolClient resource does not create or delete this resource, but instead assumes management of it. Use the aws.cognito.UserPoolClient resource to manage Cognito User Pool Clients for normal use cases.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleUserPool = new aws.cognito.UserPool("example", {name: "example"});
const exampleIdentityPool = new aws.cognito.IdentityPool("example", {identityPoolName: "example"});
const current = aws.getPartition({});
const example = current.then(current => aws.iam.getPolicyDocument({
statements: [{
sid: "",
actions: ["sts:AssumeRole"],
effect: "Allow",
principals: [{
type: "Service",
identifiers: [`es.${current.dnsSuffix}`],
}],
}],
}));
const exampleRole = new aws.iam.Role("example", {
name: "example-role",
path: "/service-role/",
assumeRolePolicy: example.then(example => example.json),
});
const exampleRolePolicyAttachment = new aws.iam.RolePolicyAttachment("example", {
role: exampleRole.name,
policyArn: current.then(current => `arn:${current.partition}:iam::aws:policy/AmazonESCognitoAccess`),
});
const exampleDomain = new aws.opensearch.Domain("example", {
domainName: "example",
cognitoOptions: {
enabled: true,
userPoolId: exampleUserPool.id,
identityPoolId: exampleIdentityPool.id,
roleArn: exampleRole.arn,
},
ebsOptions: {
ebsEnabled: true,
volumeSize: 10,
},
}, {
dependsOn: [
exampleAwsCognitoUserPoolDomain,
exampleRolePolicyAttachment,
],
});
const exampleManagedUserPoolClient = new aws.cognito.ManagedUserPoolClient("example", {
namePrefix: "AmazonOpenSearchService-example",
userPoolId: exampleUserPool.id,
}, {
dependsOn: [exampleDomain],
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example_user_pool = aws.cognito.UserPool("example", name="example")
example_identity_pool = aws.cognito.IdentityPool("example", identity_pool_name="example")
current = aws.get_partition()
example = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="",
actions=["sts:AssumeRole"],
effect="Allow",
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=[f"es.{current.dns_suffix}"],
)],
)])
example_role = aws.iam.Role("example",
name="example-role",
path="/service-role/",
assume_role_policy=example.json)
example_role_policy_attachment = aws.iam.RolePolicyAttachment("example",
role=example_role.name,
policy_arn=f"arn:{current.partition}:iam::aws:policy/AmazonESCognitoAccess")
example_domain = aws.opensearch.Domain("example",
domain_name="example",
cognito_options=aws.opensearch.DomainCognitoOptionsArgs(
enabled=True,
user_pool_id=example_user_pool.id,
identity_pool_id=example_identity_pool.id,
role_arn=example_role.arn,
),
ebs_options=aws.opensearch.DomainEbsOptionsArgs(
ebs_enabled=True,
volume_size=10,
),
opts=pulumi.ResourceOptions(depends_on=[
example_aws_cognito_user_pool_domain,
example_role_policy_attachment,
]))
example_managed_user_pool_client = aws.cognito.ManagedUserPoolClient("example",
name_prefix="AmazonOpenSearchService-example",
user_pool_id=example_user_pool.id,
opts=pulumi.ResourceOptions(depends_on=[example_domain]))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleUserPool = new Aws.Cognito.UserPool("example", new()
{
Name = "example",
});
var exampleIdentityPool = new Aws.Cognito.IdentityPool("example", new()
{
IdentityPoolName = "example",
});
var current = Aws.GetPartition.Invoke();
var example = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "",
Actions = new[]
{
"sts:AssumeRole",
},
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
Identifiers = new[]
{
$"es.{current.Apply(getPartitionResult => getPartitionResult.DnsSuffix)}",
},
},
},
},
},
});
var exampleRole = new Aws.Iam.Role("example", new()
{
Name = "example-role",
Path = "/service-role/",
AssumeRolePolicy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var exampleRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("example", new()
{
Role = exampleRole.Name,
PolicyArn = $"arn:{current.Apply(getPartitionResult => getPartitionResult.Partition)}:iam::aws:policy/AmazonESCognitoAccess",
});
var exampleDomain = new Aws.OpenSearch.Domain("example", new()
{
DomainName = "example",
CognitoOptions = new Aws.OpenSearch.Inputs.DomainCognitoOptionsArgs
{
Enabled = true,
UserPoolId = exampleUserPool.Id,
IdentityPoolId = exampleIdentityPool.Id,
RoleArn = exampleRole.Arn,
},
EbsOptions = new Aws.OpenSearch.Inputs.DomainEbsOptionsArgs
{
EbsEnabled = true,
VolumeSize = 10,
},
}, new CustomResourceOptions
{
DependsOn =
{
exampleAwsCognitoUserPoolDomain,
exampleRolePolicyAttachment,
},
});
var exampleManagedUserPoolClient = new Aws.Cognito.ManagedUserPoolClient("example", new()
{
NamePrefix = "AmazonOpenSearchService-example",
UserPoolId = exampleUserPool.Id,
}, new CustomResourceOptions
{
DependsOn =
{
exampleDomain,
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/opensearch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleUserPool, err := cognito.NewUserPool(ctx, "example", &cognito.UserPoolArgs{
Name: pulumi.String("example"),
})
if err != nil {
return err
}
exampleIdentityPool, err := cognito.NewIdentityPool(ctx, "example", &cognito.IdentityPoolArgs{
IdentityPoolName: pulumi.String("example"),
})
if err != nil {
return err
}
current, err := aws.GetPartition(ctx, nil, nil)
if err != nil {
return err
}
example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Sid: pulumi.StringRef(""),
Actions: []string{
"sts:AssumeRole",
},
Effect: pulumi.StringRef("Allow"),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "Service",
Identifiers: []string{
fmt.Sprintf("es.%v", current.DnsSuffix),
},
},
},
},
},
}, nil)
if err != nil {
return err
}
exampleRole, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
Name: pulumi.String("example-role"),
Path: pulumi.String("/service-role/"),
AssumeRolePolicy: pulumi.String(example.Json),
})
if err != nil {
return err
}
exampleRolePolicyAttachment, err := iam.NewRolePolicyAttachment(ctx, "example", &iam.RolePolicyAttachmentArgs{
Role: exampleRole.Name,
PolicyArn: pulumi.String(fmt.Sprintf("arn:%v:iam::aws:policy/AmazonESCognitoAccess", current.Partition)),
})
if err != nil {
return err
}
exampleDomain, err := opensearch.NewDomain(ctx, "example", &opensearch.DomainArgs{
DomainName: pulumi.String("example"),
CognitoOptions: &opensearch.DomainCognitoOptionsArgs{
Enabled: pulumi.Bool(true),
UserPoolId: exampleUserPool.ID(),
IdentityPoolId: exampleIdentityPool.ID(),
RoleArn: exampleRole.Arn,
},
EbsOptions: &opensearch.DomainEbsOptionsArgs{
EbsEnabled: pulumi.Bool(true),
VolumeSize: pulumi.Int(10),
},
}, pulumi.DependsOn([]pulumi.Resource{
exampleAwsCognitoUserPoolDomain,
exampleRolePolicyAttachment,
}))
if err != nil {
return err
}
_, err = cognito.NewManagedUserPoolClient(ctx, "example", &cognito.ManagedUserPoolClientArgs{
NamePrefix: pulumi.String("AmazonOpenSearchService-example"),
UserPoolId: exampleUserPool.ID(),
}, pulumi.DependsOn([]pulumi.Resource{
exampleDomain,
}))
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.IdentityPool;
import com.pulumi.aws.cognito.IdentityPoolArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.aws.opensearch.Domain;
import com.pulumi.aws.opensearch.DomainArgs;
import com.pulumi.aws.opensearch.inputs.DomainCognitoOptionsArgs;
import com.pulumi.aws.opensearch.inputs.DomainEbsOptionsArgs;
import com.pulumi.aws.cognito.ManagedUserPoolClient;
import com.pulumi.aws.cognito.ManagedUserPoolClientArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleUserPool = new UserPool("exampleUserPool", UserPoolArgs.builder()
.name("example")
.build());
var exampleIdentityPool = new IdentityPool("exampleIdentityPool", IdentityPoolArgs.builder()
.identityPoolName("example")
.build());
final var current = AwsFunctions.getPartition();
final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.sid("")
.actions("sts:AssumeRole")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers(String.format("es.%s", current.applyValue(getPartitionResult -> getPartitionResult.dnsSuffix())))
.build())
.build())
.build());
var exampleRole = new Role("exampleRole", RoleArgs.builder()
.name("example-role")
.path("/service-role/")
.assumeRolePolicy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
var exampleRolePolicyAttachment = new RolePolicyAttachment("exampleRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
.role(exampleRole.name())
.policyArn(String.format("arn:%s:iam::aws:policy/AmazonESCognitoAccess", current.applyValue(getPartitionResult -> getPartitionResult.partition())))
.build());
var exampleDomain = new Domain("exampleDomain", DomainArgs.builder()
.domainName("example")
.cognitoOptions(DomainCognitoOptionsArgs.builder()
.enabled(true)
.userPoolId(exampleUserPool.id())
.identityPoolId(exampleIdentityPool.id())
.roleArn(exampleRole.arn())
.build())
.ebsOptions(DomainEbsOptionsArgs.builder()
.ebsEnabled(true)
.volumeSize(10)
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(
exampleAwsCognitoUserPoolDomain,
exampleRolePolicyAttachment)
.build());
var exampleManagedUserPoolClient = new ManagedUserPoolClient("exampleManagedUserPoolClient", ManagedUserPoolClientArgs.builder()
.namePrefix("AmazonOpenSearchService-example")
.userPoolId(exampleUserPool.id())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleDomain)
.build());
}
}Content copied to clipboard
resources:
exampleManagedUserPoolClient:
type: aws:cognito:ManagedUserPoolClient
name: example
properties:
namePrefix: AmazonOpenSearchService-example
userPoolId: ${exampleUserPool.id}
options:
dependson:
- ${exampleDomain}
exampleUserPool:
type: aws:cognito:UserPool
name: example
properties:
name: example
exampleIdentityPool:
type: aws:cognito:IdentityPool
name: example
properties:
identityPoolName: example
exampleDomain:
type: aws:opensearch:Domain
name: example
properties:
domainName: example
cognitoOptions:
enabled: true
userPoolId: ${exampleUserPool.id}
identityPoolId: ${exampleIdentityPool.id}
roleArn: ${exampleRole.arn}
ebsOptions:
ebsEnabled: true
volumeSize: 10
options:
dependson:
- ${exampleAwsCognitoUserPoolDomain}
- ${exampleRolePolicyAttachment}
exampleRole:
type: aws:iam:Role
name: example
properties:
name: example-role
path: /service-role/
assumeRolePolicy: ${example.json}
exampleRolePolicyAttachment:
type: aws:iam:RolePolicyAttachment
name: example
properties:
role: ${exampleRole.name}
policyArn: arn:${current.partition}:iam::aws:policy/AmazonESCognitoAccess
variables:
example:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- sid:
actions:
- sts:AssumeRole
effect: Allow
principals:
- type: Service
identifiers:
- es.${current.dnsSuffix}
current:
fn::invoke:
Function: aws:getPartition
Arguments: {}Content copied to clipboard
Import
Using pulumi import, import Cognito User Pool Clients using the id of the Cognito User Pool and the id of the Cognito User Pool Client. For example:
$ pulumi import aws:cognito/managedUserPoolClient:ManagedUserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpkoContent copied to clipboard
Constructors
Link copied to clipboard
fun ManagedUserPoolClientArgs(accessTokenValidity: Output<Int>? = null, allowedOauthFlows: Output<List<String>>? = null, allowedOauthFlowsUserPoolClient: Output<Boolean>? = null, allowedOauthScopes: Output<List<String>>? = null, analyticsConfiguration: Output<ManagedUserPoolClientAnalyticsConfigurationArgs>? = null, authSessionValidity: Output<Int>? = null, callbackUrls: Output<List<String>>? = null, defaultRedirectUri: Output<String>? = null, enablePropagateAdditionalUserContextData: Output<Boolean>? = null, enableTokenRevocation: Output<Boolean>? = null, explicitAuthFlows: Output<List<String>>? = null, idTokenValidity: Output<Int>? = null, logoutUrls: Output<List<String>>? = null, namePattern: Output<String>? = null, namePrefix: Output<String>? = null, preventUserExistenceErrors: Output<String>? = null, readAttributes: Output<List<String>>? = null, refreshTokenValidity: Output<Int>? = null, supportedIdentityProviders: Output<List<String>>? = null, tokenValidityUnits: Output<ManagedUserPoolClientTokenValidityUnitsArgs>? = null, userPoolId: Output<String>? = null, writeAttributes: Output<List<String>>? = null)
Functions
Properties
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard