pulumi-aws-kotlin/com.pulumi.aws.cognito.kotlin/UserPoolClient

UserPoolClient

class UserPoolClient : KotlinCustomResource

Provides a Cognito User Pool Client resource. To manage a User Pool Client created by another service, such as when configuring an OpenSearch Domain to use Cognito authentication, use the aws.cognito.ManagedUserPoolClient resource instead.

Example Usage

Create a basic user pool client

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const pool = new aws.cognito.UserPool("pool", {name: "pool"});
const client = new aws.cognito.UserPoolClient("client", {
    name: "client",
    userPoolId: pool.id,
});
Content copied to clipboard
import pulumi
import pulumi_aws as aws
pool = aws.cognito.UserPool("pool", name="pool")
client = aws.cognito.UserPoolClient("client",
    name="client",
    user_pool_id=pool.id)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var pool = new Aws.Cognito.UserPool("pool", new()
    {
        Name = "pool",
    });
    var client = new Aws.Cognito.UserPoolClient("client", new()
    {
        Name = "client",
        UserPoolId = pool.Id,
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
			Name: pulumi.String("pool"),
		})
		if err != nil {
			return err
		}
		_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
			Name:       pulumi.String("client"),
			UserPoolId: pool.ID(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var pool = new UserPool("pool", UserPoolArgs.builder()
            .name("pool")
            .build());
        var client = new UserPoolClient("client", UserPoolClientArgs.builder()
            .name("client")
            .userPoolId(pool.id())
            .build());
    }
}
Content copied to clipboard
resources:
  client:
    type: aws:cognito:UserPoolClient
    properties:
      name: client
      userPoolId: ${pool.id}
  pool:
    type: aws:cognito:UserPool
    properties:
      name: pool
Content copied to clipboard

Create a user pool client with no SRP authentication

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const pool = new aws.cognito.UserPool("pool", {name: "pool"});
const client = new aws.cognito.UserPoolClient("client", {
    name: "client",
    userPoolId: pool.id,
    generateSecret: true,
    explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
});
Content copied to clipboard
import pulumi
import pulumi_aws as aws
pool = aws.cognito.UserPool("pool", name="pool")
client = aws.cognito.UserPoolClient("client",
    name="client",
    user_pool_id=pool.id,
    generate_secret=True,
    explicit_auth_flows=["ADMIN_NO_SRP_AUTH"])
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var pool = new Aws.Cognito.UserPool("pool", new()
    {
        Name = "pool",
    });
    var client = new Aws.Cognito.UserPoolClient("client", new()
    {
        Name = "client",
        UserPoolId = pool.Id,
        GenerateSecret = true,
        ExplicitAuthFlows = new[]
        {
            "ADMIN_NO_SRP_AUTH",
        },
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
			Name: pulumi.String("pool"),
		})
		if err != nil {
			return err
		}
		_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
			Name:           pulumi.String("client"),
			UserPoolId:     pool.ID(),
			GenerateSecret: pulumi.Bool(true),
			ExplicitAuthFlows: pulumi.StringArray{
				pulumi.String("ADMIN_NO_SRP_AUTH"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var pool = new UserPool("pool", UserPoolArgs.builder()
            .name("pool")
            .build());
        var client = new UserPoolClient("client", UserPoolClientArgs.builder()
            .name("client")
            .userPoolId(pool.id())
            .generateSecret(true)
            .explicitAuthFlows("ADMIN_NO_SRP_AUTH")
            .build());
    }
}
Content copied to clipboard
resources:
  client:
    type: aws:cognito:UserPoolClient
    properties:
      name: client
      userPoolId: ${pool.id}
      generateSecret: true
      explicitAuthFlows:
        - ADMIN_NO_SRP_AUTH
  pool:
    type: aws:cognito:UserPool
    properties:
      name: pool
Content copied to clipboard

Create a user pool client with pinpoint analytics

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const testUserPool = new aws.cognito.UserPool("test", {name: "pool"});
const testApp = new aws.pinpoint.App("test", {name: "pinpoint"});
const assumeRole = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        principals: [{
            type: "Service",
            identifiers: ["cognito-idp.amazonaws.com"],
        }],
        actions: ["sts:AssumeRole"],
    }],
});
const testRole = new aws.iam.Role("test", {
    name: "role",
    assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
});
const testUserPoolClient = new aws.cognito.UserPoolClient("test", {
    name: "pool_client",
    userPoolId: testUserPool.id,
    analyticsConfiguration: {
        applicationId: testApp.applicationId,
        externalId: "some_id",
        roleArn: testRole.arn,
        userDataShared: true,
    },
});
const current = aws.getCallerIdentity({});
const test = aws.iam.getPolicyDocumentOutput({
    statements: [{
        effect: "Allow",
        actions: [
            "mobiletargeting:UpdateEndpoint",
            "mobiletargeting:PutEvents",
        ],
        resources: [pulumi.all([current, testApp.applicationId]).apply(([current, applicationId]) => `arn:aws:mobiletargeting:*:${current.accountId}:apps/${applicationId}*`)],
    }],
});
const testRolePolicy = new aws.iam.RolePolicy("test", {
    name: "role_policy",
    role: testRole.id,
    policy: test.apply(test => test.json),
});
Content copied to clipboard
import pulumi
import pulumi_aws as aws
test_user_pool = aws.cognito.UserPool("test", name="pool")
test_app = aws.pinpoint.App("test", name="pinpoint")
assume_role = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    effect="Allow",
    principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
        type="Service",
        identifiers=["cognito-idp.amazonaws.com"],
    )],
    actions=["sts:AssumeRole"],
)])
test_role = aws.iam.Role("test",
    name="role",
    assume_role_policy=assume_role.json)
test_user_pool_client = aws.cognito.UserPoolClient("test",
    name="pool_client",
    user_pool_id=test_user_pool.id,
    analytics_configuration=aws.cognito.UserPoolClientAnalyticsConfigurationArgs(
        application_id=test_app.application_id,
        external_id="some_id",
        role_arn=test_role.arn,
        user_data_shared=True,
    ))
current = aws.get_caller_identity()
test = aws.iam.get_policy_document_output(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=[
        "mobiletargeting:UpdateEndpoint",
        "mobiletargeting:PutEvents",
    ],
    resources=[test_app.application_id.apply(lambda application_id: f"arn:aws:mobiletargeting:*:{current.account_id}:apps/{application_id}*")],
)])
test_role_policy = aws.iam.RolePolicy("test",
    name="role_policy",
    role=test_role.id,
    policy=test.json)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var testUserPool = new Aws.Cognito.UserPool("test", new()
    {
        Name = "pool",
    });
    var testApp = new Aws.Pinpoint.App("test", new()
    {
        Name = "pinpoint",
    });
    var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "cognito-idp.amazonaws.com",
                        },
                    },
                },
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
            },
        },
    });
    var testRole = new Aws.Iam.Role("test", new()
    {
        Name = "role",
        AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
    var testUserPoolClient = new Aws.Cognito.UserPoolClient("test", new()
    {
        Name = "pool_client",
        UserPoolId = testUserPool.Id,
        AnalyticsConfiguration = new Aws.Cognito.Inputs.UserPoolClientAnalyticsConfigurationArgs
        {
            ApplicationId = testApp.ApplicationId,
            ExternalId = "some_id",
            RoleArn = testRole.Arn,
            UserDataShared = true,
        },
    });
    var current = Aws.GetCallerIdentity.Invoke();
    var test = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "mobiletargeting:UpdateEndpoint",
                    "mobiletargeting:PutEvents",
                },
                Resources = new[]
                {
                    $"arn:aws:mobiletargeting:*:{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:apps/{testApp.ApplicationId}*",
                },
            },
        },
    });
    var testRolePolicy = new Aws.Iam.RolePolicy("test", new()
    {
        Name = "role_policy",
        Role = testRole.Id,
        Policy = test.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
});
Content copied to clipboard
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/pinpoint"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		testUserPool, err := cognito.NewUserPool(ctx, "test", &cognito.UserPoolArgs{
			Name: pulumi.String("pool"),
		})
		if err != nil {
			return err
		}
		testApp, err := pinpoint.NewApp(ctx, "test", &pinpoint.AppArgs{
			Name: pulumi.String("pinpoint"),
		})
		if err != nil {
			return err
		}
		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect: pulumi.StringRef("Allow"),
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"cognito-idp.amazonaws.com",
							},
						},
					},
					Actions: []string{
						"sts:AssumeRole",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		testRole, err := iam.NewRole(ctx, "test", &iam.RoleArgs{
			Name:             pulumi.String("role"),
			AssumeRolePolicy: pulumi.String(assumeRole.Json),
		})
		if err != nil {
			return err
		}
		_, err = cognito.NewUserPoolClient(ctx, "test", &cognito.UserPoolClientArgs{
			Name:       pulumi.String("pool_client"),
			UserPoolId: testUserPool.ID(),
			AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
				ApplicationId:  testApp.ApplicationId,
				ExternalId:     pulumi.String("some_id"),
				RoleArn:        testRole.Arn,
				UserDataShared: pulumi.Bool(true),
			},
		})
		if err != nil {
			return err
		}
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		test := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Actions: pulumi.StringArray{
						pulumi.String("mobiletargeting:UpdateEndpoint"),
						pulumi.String("mobiletargeting:PutEvents"),
					},
					Resources: pulumi.StringArray{
						testApp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
							return fmt.Sprintf("arn:aws:mobiletargeting:*:%v:apps/%v*", current.AccountId, applicationId), nil
						}).(pulumi.StringOutput),
					},
				},
			},
		}, nil)
		_, err = iam.NewRolePolicy(ctx, "test", &iam.RolePolicyArgs{
			Name: pulumi.String("role_policy"),
			Role: testRole.ID(),
			Policy: test.ApplyT(func(test iam.GetPolicyDocumentResult) (*string, error) {
				return &test.Json, nil
			}).(pulumi.StringPtrOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.pinpoint.App;
import com.pulumi.aws.pinpoint.AppArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import com.pulumi.aws.cognito.inputs.UserPoolClientAnalyticsConfigurationArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var testUserPool = new UserPool("testUserPool", UserPoolArgs.builder()
            .name("pool")
            .build());
        var testApp = new App("testApp", AppArgs.builder()
            .name("pinpoint")
            .build());
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("cognito-idp.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());
        var testRole = new Role("testRole", RoleArgs.builder()
            .name("role")
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
        var testUserPoolClient = new UserPoolClient("testUserPoolClient", UserPoolClientArgs.builder()
            .name("pool_client")
            .userPoolId(testUserPool.id())
            .analyticsConfiguration(UserPoolClientAnalyticsConfigurationArgs.builder()
                .applicationId(testApp.applicationId())
                .externalId("some_id")
                .roleArn(testRole.arn())
                .userDataShared(true)
                .build())
            .build());
        final var current = AwsFunctions.getCallerIdentity();
        final var test = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(
                    "mobiletargeting:UpdateEndpoint",
                    "mobiletargeting:PutEvents")
                .resources(testApp.applicationId().applyValue(applicationId -> String.format("arn:aws:mobiletargeting:*:%s:apps/%s*", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()),applicationId)))
                .build())
            .build());
        var testRolePolicy = new RolePolicy("testRolePolicy", RolePolicyArgs.builder()
            .name("role_policy")
            .role(testRole.id())
            .policy(test.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(test -> test.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
            .build());
    }
}
Content copied to clipboard
resources:
  testUserPoolClient:
    type: aws:cognito:UserPoolClient
    name: test
    properties:
      name: pool_client
      userPoolId: ${testUserPool.id}
      analyticsConfiguration:
        applicationId: ${testApp.applicationId}
        externalId: some_id
        roleArn: ${testRole.arn}
        userDataShared: true
  testUserPool:
    type: aws:cognito:UserPool
    name: test
    properties:
      name: pool
  testApp:
    type: aws:pinpoint:App
    name: test
    properties:
      name: pinpoint
  testRole:
    type: aws:iam:Role
    name: test
    properties:
      name: role
      assumeRolePolicy: ${assumeRole.json}
  testRolePolicy:
    type: aws:iam:RolePolicy
    name: test
    properties:
      name: role_policy
      role: ${testRole.id}
      policy: ${test.json}
variables:
  current:
    fn::invoke:
      Function: aws:getCallerIdentity
      Arguments: {}
  assumeRole:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - cognito-idp.amazonaws.com
            actions:
              - sts:AssumeRole
  test:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            actions:
              - mobiletargeting:UpdateEndpoint
              - mobiletargeting:PutEvents
            resources:
              - arn:aws:mobiletargeting:*:${current.accountId}:apps/${testApp.applicationId}*
Content copied to clipboard

Create a user pool client with Cognito as the identity provider

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const pool = new aws.cognito.UserPool("pool", {name: "pool"});
const userpoolClient = new aws.cognito.UserPoolClient("userpool_client", {
    name: "client",
    userPoolId: pool.id,
    callbackUrls: ["https://example.com"],
    allowedOauthFlowsUserPoolClient: true,
    allowedOauthFlows: [
        "code",
        "implicit",
    ],
    allowedOauthScopes: [
        "email",
        "openid",
    ],
    supportedIdentityProviders: ["COGNITO"],
});
Content copied to clipboard
import pulumi
import pulumi_aws as aws
pool = aws.cognito.UserPool("pool", name="pool")
userpool_client = aws.cognito.UserPoolClient("userpool_client",
    name="client",
    user_pool_id=pool.id,
    callback_urls=["https://example.com"],
    allowed_oauth_flows_user_pool_client=True,
    allowed_oauth_flows=[
        "code",
        "implicit",
    ],
    allowed_oauth_scopes=[
        "email",
        "openid",
    ],
    supported_identity_providers=["COGNITO"])
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var pool = new Aws.Cognito.UserPool("pool", new()
    {
        Name = "pool",
    });
    var userpoolClient = new Aws.Cognito.UserPoolClient("userpool_client", new()
    {
        Name = "client",
        UserPoolId = pool.Id,
        CallbackUrls = new[]
        {
            "https://example.com",
        },
        AllowedOauthFlowsUserPoolClient = true,
        AllowedOauthFlows = new[]
        {
            "code",
            "implicit",
        },
        AllowedOauthScopes = new[]
        {
            "email",
            "openid",
        },
        SupportedIdentityProviders = new[]
        {
            "COGNITO",
        },
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
			Name: pulumi.String("pool"),
		})
		if err != nil {
			return err
		}
		_, err = cognito.NewUserPoolClient(ctx, "userpool_client", &cognito.UserPoolClientArgs{
			Name:       pulumi.String("client"),
			UserPoolId: pool.ID(),
			CallbackUrls: pulumi.StringArray{
				pulumi.String("https://example.com"),
			},
			AllowedOauthFlowsUserPoolClient: pulumi.Bool(true),
			AllowedOauthFlows: pulumi.StringArray{
				pulumi.String("code"),
				pulumi.String("implicit"),
			},
			AllowedOauthScopes: pulumi.StringArray{
				pulumi.String("email"),
				pulumi.String("openid"),
			},
			SupportedIdentityProviders: pulumi.StringArray{
				pulumi.String("COGNITO"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolArgs;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var pool = new UserPool("pool", UserPoolArgs.builder()
            .name("pool")
            .build());
        var userpoolClient = new UserPoolClient("userpoolClient", UserPoolClientArgs.builder()
            .name("client")
            .userPoolId(pool.id())
            .callbackUrls("https://example.com")
            .allowedOauthFlowsUserPoolClient(true)
            .allowedOauthFlows(
                "code",
                "implicit")
            .allowedOauthScopes(
                "email",
                "openid")
            .supportedIdentityProviders("COGNITO")
            .build());
    }
}
Content copied to clipboard
resources:
  userpoolClient:
    type: aws:cognito:UserPoolClient
    name: userpool_client
    properties:
      name: client
      userPoolId: ${pool.id}
      callbackUrls:
        - https://example.com
      allowedOauthFlowsUserPoolClient: true
      allowedOauthFlows:
        - code
        - implicit
      allowedOauthScopes:
        - email
        - openid
      supportedIdentityProviders:
        - COGNITO
  pool:
    type: aws:cognito:UserPool
    properties:
      name: pool
Content copied to clipboard

Import

Using pulumi import, import Cognito User Pool Clients using the id of the Cognito User Pool, and the id of the Cognito User Pool Client. For example:

$ pulumi import aws:cognito/userPoolClient:UserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
Content copied to clipboard

Properties

Link copied to clipboard
val accessTokenValidity: Output<Int>

Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.

Link copied to clipboard
val allowedOauthFlows: Output<List<String>>

List of allowed OAuth flows (code, implicit, client_credentials).

Link copied to clipboard
val allowedOauthFlowsUserPoolClient: Output<Boolean>

Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

Link copied to clipboard
val allowedOauthScopes: Output<List<String>>

List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).

Link copied to clipboard
val analyticsConfiguration: Output<UserPoolClientAnalyticsConfiguration>?

Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.

Link copied to clipboard
val authSessionValidity: Output<Int>

Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between 3 and 15. Default value is 3.

Link copied to clipboard
val callbackUrls: Output<List<String>>

List of allowed callback URLs for the identity providers.

Link copied to clipboard
val clientSecret: Output<String>

Client secret of the user pool client.

Link copied to clipboard
val defaultRedirectUri: Output<String>

Default redirect URI. Must be in the list of callback URLs.

Link copied to clipboard
val enablePropagateAdditionalUserContextData: Output<Boolean>

Activates the propagation of additional user context data.

Link copied to clipboard
val enableTokenRevocation: Output<Boolean>

Enables or disables token revocation.

Link copied to clipboard
val explicitAuthFlows: Output<List<String>>

List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).

Link copied to clipboard
val generateSecret: Output<Boolean>?

Should an application secret be generated.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val idTokenValidity: Output<Int>

Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.

Link copied to clipboard
val logoutUrls: Output<List<String>>

List of allowed logout URLs for the identity providers.

Link copied to clipboard
val name: Output<String>

Name of the application client.

Link copied to clipboard
val preventUserExistenceErrors: Output<String>

Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val readAttributes: Output<List<String>>

List of user pool attributes the application client can read from.

Link copied to clipboard
val refreshTokenValidity: Output<Int>

Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.

Link copied to clipboard
val supportedIdentityProviders: Output<List<String>>

List of provider names for the identity providers that are supported on this client. Uses the provider_name attribute of aws.cognito.IdentityProvider resource(s), or the equivalent string(s).

Link copied to clipboard
val tokenValidityUnits: Output<UserPoolClientTokenValidityUnits>?

Configuration block for units in which the validity times are represented in. Detailed below.

Link copied to clipboard
val urn: Output<String>
Link copied to clipboard
val userPoolId: Output<String>

User pool the client belongs to. The following arguments are optional:

Link copied to clipboard
val writeAttributes: Output<List<String>>

List of user pool attributes the application client can write to.