@aws-sdk/client-cognito-identity-provider

import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client"; import { DocumentType as __DocumentType } from "@smithy/types"; import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException"; /** * @public * @enum */ export declare const RecoveryOptionNameType: { readonly ADMIN_ONLY: "admin_only"; readonly VERIFIED_EMAIL: "verified_email"; readonly VERIFIED_PHONE_NUMBER: "verified_phone_number"; }; /** * @public */ export type RecoveryOptionNameType = (typeof RecoveryOptionNameType)[keyof typeof RecoveryOptionNameType]; /** * A recovery option for a user. The <code>AccountRecoverySettingType</code> data type is * an array of this object. Each <code>RecoveryOptionType</code> has a priority property * that determines whether it is a primary or secondary option. * For example, if <code>verified_email</code> has a priority of <code>1</code> and * <code>verified_phone_number</code> has a priority of <code>2</code>, your user pool * sends account-recovery messages to a verified email address but falls back to an SMS * message if the user has a verified phone number. The <code>admin_only</code> option * prevents self-service account recovery. * @public */ export interface RecoveryOptionType { /** * Your priority preference for using the specified attribute in account recovery. The * highest priority is <code>1</code>. * @public */ Priority: number | undefined; /** * The recovery method that this object sets a recovery option for. * @public */ Name: RecoveryOptionNameType | undefined; } /** * The settings for user message delivery in forgot-password operations. Contains * preference for email or SMS message delivery of password reset codes, or for admin-only * password reset. * @public */ export interface AccountRecoverySettingType { /** * The list of options and priorities for user message delivery in forgot-password * operations. Sets or displays user pool preferences for email or SMS message priority, * whether users should fall back to a second delivery method, and whether passwords should * only be reset by administrators. * @public */ RecoveryMechanisms?: RecoveryOptionType[] | undefined; } /** * @public * @enum */ export declare const AccountTakeoverEventActionType: { readonly BLOCK: "BLOCK"; readonly MFA_IF_CONFIGURED: "MFA_IF_CONFIGURED"; readonly MFA_REQUIRED: "MFA_REQUIRED"; readonly NO_ACTION: "NO_ACTION"; }; /** * @public */ export type AccountTakeoverEventActionType = (typeof AccountTakeoverEventActionType)[keyof typeof AccountTakeoverEventActionType]; /** * The automated response to a risk level for adaptive authentication in full-function, * or <code>ENFORCED</code>, mode. You can assign an action to each risk level that threat * protection evaluates. * @public */ export interface AccountTakeoverActionType { /** * Determines whether Amazon Cognito sends a user a notification message when your user pools * assesses a user's session at the associated risk level. * @public */ Notify: boolean | undefined; /** * The action to take for the attempted account takeover action for the associated risk * level. Valid values are as follows: * <ul> * <li> * * <code>BLOCK</code>: Block the request. * </li> * <li> * * <code>MFA_IF_CONFIGURED</code>: Present an MFA challenge if possible. MFA is * possible if the user pool has active MFA methods that the user can set up. For * example, if the user pool only supports SMS message MFA but the user * doesn't have a phone number attribute, MFA setup isn't possible. If MFA * setup isn't possible, allow the request. * </li> * <li> * * <code>MFA_REQUIRED</code>: Present an MFA challenge if possible. Block the * request if a user hasn't set up MFA. To sign in with required MFA, users must * have an email address or phone number attribute, or a registered TOTP * factor. * </li> * <li> * * <code>NO_ACTION</code>: Take no action. Permit sign-in. * </li> * </ul> * @public */ EventAction: AccountTakeoverEventActionType | undefined; } /** * A list of account-takeover actions for each level of risk that Amazon Cognito might assess with * threat protection features. * @public */ export interface AccountTakeoverActionsType { /** * The action that you assign to a low-risk assessment by threat protection. * @public */ LowAction?: AccountTakeoverActionType | undefined; /** * The action that you assign to a medium-risk assessment by threat protection. * @public */ MediumAction?: AccountTakeoverActionType | undefined; /** * The action that you assign to a high-risk assessment by threat protection. * @public */ HighAction?: AccountTakeoverActionType | undefined; } /** * The template for email messages that threat protection sends to a user when your * threat protection automated response has a Notify action. * @public */ export interface NotifyEmailType { /** * The subject of the threat protection email notification. * @public */ Subject: string | undefined; /** * The body of an email notification formatted in HTML. Choose an <code>HtmlBody</code> * or a <code>TextBody</code> to send an HTML-formatted or plaintext message, * respectively. * @public */ HtmlBody?: string | undefined; /** * The body of an email notification formatted in plaintext. Choose an * <code>HtmlBody</code> or a <code>TextBody</code> to send an HTML-formatted or * plaintext message, respectively. * @public */ TextBody?: string | undefined; } /** * The configuration for Amazon SES email messages that threat protection sends to a user when * your adaptive authentication automated response has a Notify * action. * @public */ export interface NotifyConfigurationType { /** * The email address that sends the email message. The address must be either * individually verified with Amazon Simple Email Service, or from a domain that has been verified with * Amazon SES. * @public */ From?: string | undefined; /** * The reply-to email address of an email template. * @public */ ReplyTo?: string | undefined; /** * The Amazon Resource Name (ARN) of the identity that is associated with the sending * authorization policy. This identity permits Amazon Cognito to send for the email address * specified in the <code>From</code> parameter. * @public */ SourceArn: string | undefined; /** * The template for the email message that your user pool sends when a detected risk * event is blocked. * @public */ BlockEmail?: NotifyEmailType | undefined; /** * The template for the email message that your user pool sends when no action is taken * in response to a detected risk. * @public */ NoActionEmail?: NotifyEmailType | undefined; /** * The template for the email message that your user pool sends when MFA is challenged in * response to a detected risk. * @public */ MfaEmail?: NotifyEmailType | undefined; } /** * The settings for automated responses and notification templates for adaptive * authentication with threat protection features. * @public */ export interface AccountTakeoverRiskConfigurationType { /** * The settings for composing and sending an email message when threat protection * assesses a risk level with adaptive authentication. When you choose to notify users in * <code>AccountTakeoverRiskConfiguration</code>, Amazon Cognito sends an email message using * the method and template that you set with this data type. * @public */ NotifyConfiguration?: NotifyConfigurationType | undefined; /** * A list of account-takeover actions for each level of risk that Amazon Cognito might assess with * threat protection. * @public */ Actions: AccountTakeoverActionsType | undefined; } /** * @public * @enum */ export declare const AttributeDataType: { readonly BOOLEAN: "Boolean"; readonly DATETIME: "DateTime"; readonly NUMBER: "Number"; readonly STRING: "String"; }; /** * @public */ export type AttributeDataType = (typeof AttributeDataType)[keyof typeof AttributeDataType]; /** * The minimum and maximum values of an attribute that is of the number type, for example * <code>custom:age</code>. * @public */ export interface NumberAttributeConstraintsType { /** * The minimum value of an attribute that is of the number data type. * @public */ MinValue?: string | undefined; /** * The maximum length of a number attribute value. Must be a number less than or equal to * <code>2^1023</code>, represented as a string with a length of 131072 characters or * fewer. * @public */ MaxValue?: string | undefined; } /** * The minimum and maximum length values of an attribute that is of the string type, for * example <code>custom:department</code>. * @public */ export interface StringAttributeConstraintsType { /** * The minimum length of a string attribute value. * @public */ MinLength?: string | undefined; /** * The maximum length of a string attribute value. Must be a number less than or equal to * <code>2^1023</code>, represented as a string with a length of 131072 characters or * fewer. * @public */ MaxLength?: string | undefined; } /** * A list of the user attributes and their properties in your user pool. The attribute * schema contains standard attributes, custom attributes with a <code>custom:</code> * prefix, and developer attributes with a <code>dev:</code> prefix. For more information, * see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html">User pool * attributes</a>. * Developer-only <code>dev:</code> attributes are a legacy feature of user pools, and * are read-only to all app clients. You can create and update developer-only attributes * only with IAM-authenticated API operations. Use app client read/write permissions * instead. * @public */ export interface SchemaAttributeType { /** * The name of your user pool attribute. When you create or update a user pool, adding a * schema attribute creates a custom or developer-only attribute. When you add an attribute * with a <code>Name</code> value of <code>MyAttribute</code>, Amazon Cognito creates the custom * attribute <code>custom:MyAttribute</code>. When <code>DeveloperOnlyAttribute</code> is * <code>true</code>, Amazon Cognito creates your attribute as <code>dev:MyAttribute</code>. In * an operation that describes a user pool, Amazon Cognito returns this value as <code>value</code> * for standard attributes, <code>custom:value</code> for custom attributes, and * <code>dev:value</code> for developer-only attributes.. * @public */ Name?: string | undefined; /** * The data format of the values for your attribute. When you choose an * <code>AttributeDataType</code>, Amazon Cognito validates the input against the data type. A * custom attribute value in your user's ID token is always a string, for example * <code>"custom:isMember" : "true"</code> or <code>"custom:YearsAsMember" : * "12"</code>. * @public */ AttributeDataType?: AttributeDataType | undefined; /** * <note> * You should use <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes">WriteAttributes</a> in the user pool client to control how attributes can * be mutated for new use cases instead of using * <code>DeveloperOnlyAttribute</code>. * </note> * Specifies whether the attribute type is developer only. This attribute can only be * modified by an administrator. Users won't be able to modify this attribute using their * access token. For example, <code>DeveloperOnlyAttribute</code> can be modified using * AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes. * @public */ DeveloperOnlyAttribute?: boolean | undefined; /** * Specifies whether the value of the attribute can be changed. * Any user pool attribute whose value you map from an IdP attribute must be mutable, * with a parameter value of <code>true</code>. Amazon Cognito updates mapped attributes when users * sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws * an error when it attempts to update the attribute. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html">Specifying Identity Provider Attribute Mappings for Your User * Pool</a>. * @public */ Mutable?: boolean | undefined; /** * Specifies whether a user pool attribute is required. If the attribute is required and * the user doesn't provide a value, registration or sign-in will fail. * @public */ Required?: boolean | undefined; /** * Specifies the constraints for an attribute of the number type. * @public */ NumberAttributeConstraints?: NumberAttributeConstraintsType | undefined; /** * Specifies the constraints for an attribute of the string type. * @public */ StringAttributeConstraints?: StringAttributeConstraintsType | undefined; } /** * Represents the request to add custom attributes. * @public */ export interface AddCustomAttributesRequest { /** * The ID of the user pool where you want to add custom attributes. * @public */ UserPoolId: string | undefined; /** * An array of custom attribute names and other properties. Sets the following * characteristics: * <dl> * <dt>AttributeDataType</dt> * <dd> * The expected data type. Can be a string, a number, a date and time, or a * boolean. * </dd> * <dt>Mutable</dt> * <dd> * If true, you can grant app clients write access to the attribute value. If * false, the attribute value can only be set up on sign-up or administrator * creation of users. * </dd> * <dt>Name</dt> * <dd> * The attribute name. For an attribute like <code>custom:myAttribute</code>, * enter <code>myAttribute</code> for this field. * </dd> * <dt>Required</dt> * <dd> * When true, users who sign up or are created must set a value for the * attribute. * </dd> * <dt>NumberAttributeConstraints</dt> * <dd> * The minimum and maximum length of accepted values for a * <code>Number</code>-type attribute. * </dd> * <dt>StringAttributeConstraints</dt> * <dd> * The minimum and maximum length of accepted values for a * <code>String</code>-type attribute. * </dd> * <dt>DeveloperOnlyAttribute</dt> * <dd> * This legacy option creates an attribute with a <code>dev:</code> prefix. * You can only set the value of a developer-only attribute with administrative * IAM credentials. * </dd> * </dl> * @public */ CustomAttributes: SchemaAttributeType[] | undefined; } /** * Represents the response from the server for the request to add custom * attributes. * @public */ export interface AddCustomAttributesResponse { } /** * This exception is thrown when Amazon Cognito encounters an internal error. * @public */ export declare class InternalErrorException extends __BaseException { readonly name: "InternalErrorException"; readonly $fault: "server"; /** * @internal */ constructor(opts: __ExceptionOptionType<InternalErrorException, __BaseException>); } /** * This exception is thrown when the Amazon Cognito service encounters an invalid * parameter. * @public */ export declare class InvalidParameterException extends __BaseException { readonly name: "InvalidParameterException"; readonly $fault: "client"; /** * The reason code of the exception. * @public */ reasonCode?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidParameterException, __BaseException>); } /** * This exception is thrown when a user isn't authorized. * @public */ export declare class NotAuthorizedException extends __BaseException { readonly name: "NotAuthorizedException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<NotAuthorizedException, __BaseException>); } /** * This exception is thrown when the Amazon Cognito service can't find the requested * resource. * @public */ export declare class ResourceNotFoundException extends __BaseException { readonly name: "ResourceNotFoundException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<ResourceNotFoundException, __BaseException>); } /** * This exception is thrown when the user has made too many requests for a given * operation. * @public */ export declare class TooManyRequestsException extends __BaseException { readonly name: "TooManyRequestsException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<TooManyRequestsException, __BaseException>); } /** * This exception is thrown when you're trying to modify a user pool while a user import * job is in progress for that pool. * @public */ export declare class UserImportInProgressException extends __BaseException { readonly name: "UserImportInProgressException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UserImportInProgressException, __BaseException>); } /** * @public */ export interface AdminAddUserToGroupRequest { /** * The ID of the user pool that contains the group that you want to add the user * to. * @public */ UserPoolId: string | undefined; /** * The name of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If * <code>username</code> isn't an alias attribute in your user pool, this value * must be the <code>sub</code> of a local user or the username of a user from a * third-party IdP. * @public */ Username: string | undefined; /** * The name of the group that you want to add your user to. * @public */ GroupName: string | undefined; } /** * This exception is thrown when a user isn't found. * @public */ export declare class UserNotFoundException extends __BaseException { readonly name: "UserNotFoundException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UserNotFoundException, __BaseException>); } /** * Confirm a user's registration as a user pool administrator. * @public */ export interface AdminConfirmSignUpRequest { /** * The ID of the user pool where you want to confirm a user's sign-up * request. * @public */ UserPoolId: string | undefined; /** * The name of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If * <code>username</code> isn't an alias attribute in your user pool, this value * must be the <code>sub</code> of a local user or the username of a user from a * third-party IdP. * @public */ Username: string | undefined; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action triggers. * If your user pool configuration includes triggers, the AdminConfirmSignUp API action * invokes the Lambda function that is specified for the post * confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON * payload, which the function receives as input. In this payload, the * <code>clientMetadata</code> attribute provides the data that you assigned to the * ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in * Lambda, you can process the ClientMetadata value to enhance your workflow for your * specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Using Lambda triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the <code>ClientMetadata</code> parameter, note that Amazon Cognito won't do the * following: * <ul> * <li> * Store the <code>ClientMetadata</code> value. This data is available only * to Lambda triggers that are assigned to a user pool to support custom * workflows. If your user pool configuration doesn't include triggers, the * <code>ClientMetadata</code> parameter serves no purpose. * </li> * <li> * Validate the <code>ClientMetadata</code> value. * </li> * <li> * Encrypt the <code>ClientMetadata</code> value. Don't send sensitive * information in this parameter. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string> | undefined; } /** * Represents the response from the server for the request to confirm * registration. * @public */ export interface AdminConfirmSignUpResponse { } /** * This exception is thrown when Amazon Cognito encounters an invalid Lambda response. * @public */ export declare class InvalidLambdaResponseException extends __BaseException { readonly name: "InvalidLambdaResponseException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidLambdaResponseException, __BaseException>); } /** * This exception is thrown when a user exceeds the limit for a requested Amazon Web Services * resource. * @public */ export declare class LimitExceededException extends __BaseException { readonly name: "LimitExceededException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<LimitExceededException, __BaseException>); } /** * This exception is thrown when the user has made too many failed attempts for a given * action, such as sign-in. * @public */ export declare class TooManyFailedAttemptsException extends __BaseException { readonly name: "TooManyFailedAttemptsException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<TooManyFailedAttemptsException, __BaseException>); } /** * This exception is thrown when Amazon Cognito encounters an unexpected exception with * Lambda. * @public */ export declare class UnexpectedLambdaException extends __BaseException { readonly name: "UnexpectedLambdaException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnexpectedLambdaException, __BaseException>); } /** * This exception is thrown when the Amazon Cognito service encounters a user validation exception * with the Lambda service. * @public */ export declare class UserLambdaValidationException extends __BaseException { readonly name: "UserLambdaValidationException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UserLambdaValidationException, __BaseException>); } /** * @public * @enum */ export declare const DeliveryMediumType: { readonly EMAIL: "EMAIL"; readonly SMS: "SMS"; }; /** * @public */ export type DeliveryMediumType = (typeof DeliveryMediumType)[keyof typeof DeliveryMediumType]; /** * @public * @enum */ export declare const MessageActionType: { readonly RESEND: "RESEND"; readonly SUPPRESS: "SUPPRESS"; }; /** * @public */ export type MessageActionType = (typeof MessageActionType)[keyof typeof MessageActionType]; /** * The name and value of a user attribute. * @public */ export interface AttributeType { /** * The name of the attribute. * @public */ Name: string | undefined; /** * The value of the attribute. * @public */ Value?: string | undefined; } /** * Creates a new user in the specified user pool. * @public */ export interface AdminCreateUserRequest { /** * The ID of the user pool where you want to create a user. * @public */ UserPoolId: string | undefined; /** * The value that you want to set as the username sign-in attribute. The following * conditions apply to the username parameter. * <ul> * <li> * The username can't be a duplicate of another username in the same user * pool. * </li> * <li> * You can't change the value of a username after you create it. * </li> * <li> * You can only provide a value if usernames are a valid sign-in attribute for * your user pool. If your user pool only supports phone numbers or email addresses * as sign-in attributes, Amazon Cognito automatically generates a username value. For more * information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases">Customizing sign-in attributes</a>. * </li> * </ul> * @public */ Username: string | undefined; /** * An array of name-value pairs that contain user attributes and attribute values to be * set for the user to be created. You can create a user without specifying any attributes * other than <code>Username</code>. However, any attributes that you specify as required * (when creating a user pool or in the Attributes tab of * the console) either you should supply (in your call to <code>AdminCreateUser</code>) or * the user should supply (when they sign up in response to your welcome message). * For custom attributes, you must prepend the <code>custom:</code> prefix to the * attribute name. * To send a message inviting the user to sign up, you must specify the user's email * address or phone number. You can do this in your call to AdminCreateUser or in the * Users tab of the Amazon Cognito console for managing your * user pools. * You must also provide an email address or phone number when you expect the user to do * passwordless sign-in with an email or SMS OTP. These attributes must be provided when * passwordless options are the only available, or when you don't submit a * <code>TemporaryPassword</code>. * In your <code>AdminCreateUser</code> request, you can set the * <code>email_verified</code> and <code>phone_number_verified</code> attributes to * <code>true</code>. The following conditions apply: * <dl> * <dt>email</dt> * <dd> * The email address where you want the user to receive their confirmation * code and username. You must provide a value for <code>email</code> when you * want to set <code>email_verified</code> to <code>true</code>, or if you set * <code>EMAIL</code> in the <code>DesiredDeliveryMediums</code> * parameter. * </dd> * <dt>phone_number</dt> * <dd> * The phone number where you want the user to receive their confirmation * code and username. You must provide a value for <code>phone_number</code> * when you want to set <code>phone_number_verified</code> to * <code>true</code>, or if you set <code>SMS</code> in the * <code>DesiredDeliveryMediums</code> parameter. * </dd> * </dl> * @public */ UserAttributes?: AttributeType[] | undefined; /** * Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda * trigger. This set of key-value pairs are for custom validation of information that you * collect from your users but don't need to retain. * Your Lambda function can analyze this additional data and act on it. Your function * can automatically confirm and verify select users or perform external API operations * like logging user attributes and validation data to Amazon CloudWatch Logs. * For more information about the pre sign-up Lambda trigger, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html">Pre sign-up Lambda trigger</a>. * @public */ ValidationData?: AttributeType[] | undefined; /** * The user's temporary password. This password must conform to the password policy that * you specified when you created the user pool. * The exception to the requirement for a password is when your user pool supports * passwordless sign-in with email or SMS OTPs. To create a user with no password, omit * this parameter or submit a blank value. You can only create a passwordless user when * passwordless sign-in is available. * The temporary password is valid only once. To complete the Admin Create User flow, the * user must enter the temporary password in the sign-in page, along with a new password to * be used in all future sign-ins. * If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless * options active for your user pool. * The temporary password can only be used until the user account expiration limit that * you set for your user pool. To reset the account after that time limit, you must call * <code>AdminCreateUser</code> again and specify <code>RESEND</code> for the * <code>MessageAction</code> parameter. * @public */ TemporaryPassword?: string | undefined; /** * This parameter is used only if the <code>phone_number_verified</code> or * <code>email_verified</code> attribute is set to <code>True</code>. Otherwise, it is * ignored. * If this parameter is set to <code>True</code> and the phone number or email address * specified in the <code>UserAttributes</code> parameter already exists as an alias with a * different user, this request migrates the alias from the previous user to the * newly-created user. The previous user will no longer be able to log in using that * alias. * If this parameter is set to <code>False</code>, the API throws an * <code>AliasExistsException</code> error if the alias already exists. The default * value is <code>False</code>. * @public */ ForceAliasCreation?: boolean | undefined; /** * Set to <code>RESEND</code> to resend the invitation message to a user that already * exists, and to reset the temporary-password duration with a new temporary password. Set * to <code>SUPPRESS</code> to suppress sending the message. You can specify only one * value. * @public */ MessageAction?: MessageActionType | undefined; /** * Specify <code>EMAIL</code> if email will be used to send the welcome message. Specify * <code>SMS</code> if the phone number will be used. The default value is * <code>SMS</code>. You can specify more than one value. * @public */ DesiredDeliveryMediums?: DeliveryMediumType[] | undefined; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action triggers. * You create custom workflows by assigning Lambda functions to user pool triggers. * When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned * to the pre sign-up trigger. When Amazon Cognito invokes this function, it * passes a JSON payload, which the function receives as input. This payload contains a * <code>ClientMetadata</code> attribute, which provides the data that you assigned to * the ClientMetadata parameter in your AdminCreateUser request. In your function code in * Lambda, you can process the <code>clientMetadata</code> value to enhance your * workflow for your specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Using Lambda triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the <code>ClientMetadata</code> parameter, note that Amazon Cognito won't do the * following: * <ul> * <li> * Store the <code>ClientMetadata</code> value. This data is available only * to Lambda triggers that are assigned to a user pool to support custom * workflows. If your user pool configuration doesn't include triggers, the * <code>ClientMetadata</code> parameter serves no purpose. * </li> * <li> * Validate the <code>ClientMetadata</code> value. * </li> * <li> * Encrypt the <code>ClientMetadata</code> value. Don't send sensitive * information in this parameter. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string> | undefined; } /** * * This data type is no longer supported. Applies only to SMS * multi-factor authentication (MFA) configurations. Does not apply to time-based one-time * password (TOTP) software token MFA configurations. * @public */ export interface MFAOptionType { /** * The delivery medium to send the MFA code. You can use this parameter to set only the * <code>SMS</code> delivery medium value. * @public */ DeliveryMedium?: DeliveryMediumType | undefined; /** * The attribute name of the MFA option type. The only valid value is * <code>phone_number</code>. * @public */ AttributeName?: string | undefined; } /** * @public * @enum */ export declare const UserStatusType: { readonly ARCHIVED: "ARCHIVED"; readonly COMPROMISED: "COMPROMISED"; readonly CONFIRMED: "CONFIRMED"; readonly EXTERNAL_PROVIDER: "EXTERNAL_PROVIDER"; readonly FORCE_CHANGE_PASSWORD: "FORCE_CHANGE_PASSWORD"; readonly RESET_REQUIRED: "RESET_REQUIRED"; readonly UNCONFIRMED: "UNCONFIRMED"; readonly UNKNOWN: "UNKNOWN"; }; /** * @public */ export type UserStatusType = (typeof UserStatusType)[keyof typeof UserStatusType]; /** * A user profile in a Amazon Cognito user pool. * @public */ export interface UserType { /** * The user's username. * @public */ Username?: string | undefined; /** * Names and values of a user's attributes, for example <code>email</code>. * @public */ Attributes?: AttributeType[] | undefined; /** * The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ UserCreateDate?: Date | undefined; /** * The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ UserLastModifiedDate?: Date | undefined; /** * Indicates whether the user's account is enabled or disabled. * @public */ Enabled?: boolean | undefined; /** * The user status. This can be one of the following: * <ul> * <li> * * <code>UNCONFIRMED</code>: User has been created but not confirmed. * </li> * <li> * * <code>CONFIRMED</code>: User has been confirmed. * </li> * <li> * * <code>EXTERNAL_PROVIDER</code>: User signed in with a third-party IdP. * </li> * <li> * * <code>RESET_REQUIRED</code>: User is confirmed, but the user must request a * code and reset their password before they can sign in. * </li> * <li> * * <code>FORCE_CHANGE_PASSWORD</code>: The user is confirmed and the user can * sign in using a temporary password, but on first sign-in, the user must change * their password to a new value before doing anything else. * </li> * </ul> * The statuses <code>ARCHIVED</code>, <code>UNKNOWN</code>, and <code>COMPROMISED</code> * are no longer used. * @public */ UserStatus?: UserStatusType | undefined; /** * The user's MFA configuration. * @public */ MFAOptions?: MFAOptionType[] | undefined; } /** * Represents the response from the server to the request to create the user. * @public */ export interface AdminCreateUserResponse { /** * The new user's profile details. * @public */ User?: UserType | undefined; } /** * This exception is thrown when a verification code fails to deliver * successfully. * @public */ export declare class CodeDeliveryFailureException extends __BaseException { readonly name: "CodeDeliveryFailureException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<CodeDeliveryFailureException, __BaseException>); } /** * This exception is thrown when Amazon Cognito encounters an invalid password. * @public */ export declare class InvalidPasswordException extends __BaseException { readonly name: "InvalidPasswordException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidPasswordException, __BaseException>); } /** * This exception is returned when the role provided for SMS configuration doesn't have * permission to publish using Amazon SNS. * @public */ export declare class InvalidSmsRoleAccessPolicyException extends __BaseException { readonly name: "InvalidSmsRoleAccessPolicyException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidSmsRoleAccessPolicyException, __BaseException>); } /** * This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust * <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool. * @public */ export declare class InvalidSmsRoleTrustRelationshipException extends __BaseException { readonly name: "InvalidSmsRoleTrustRelationshipException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidSmsRoleTrustRelationshipException, __BaseException>); } /** * This exception is thrown when a precondition is not met. * @public */ export declare class PreconditionNotMetException extends __BaseException { readonly name: "PreconditionNotMetException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<PreconditionNotMetException, __BaseException>); } /** * The request failed because the user is in an unsupported state. * @public */ export declare class UnsupportedUserStateException extends __BaseException { readonly name: "UnsupportedUserStateException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnsupportedUserStateException, __BaseException>); } /** * This exception is thrown when Amazon Cognito encounters a user name that already * exists in the user pool. * @public */ export declare class UsernameExistsException extends __BaseException { readonly name: "UsernameExistsException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UsernameExistsException, __BaseException>); } /** * The message template structure. * @public */ export interface MessageTemplateType { /** * The message template for SMS messages. * @public */ SMSMessage?: string | undefined; /** * The message template for email messages. EmailMessage is allowed only if <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount">EmailSendingAccount</a> is DEVELOPER. * @public */ EmailMessage?: string | undefined; /** * The subject line for email messages. EmailSubject is allowed only if <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount">EmailSendingAccount</a> is DEVELOPER. * @public */ EmailSubject?: string | undefined; } /** * The settings for administrator creation of users in a user pool. Contains settings for * allowing user sign-up, customizing invitation messages to new users, and the amount of * time before temporary passwords expire. * @public */ export interface AdminCreateUserConfigType { /** * The setting for allowing self-service sign-up. When <code>true</code>, only * administrators can create new user profiles. When <code>false</code>, users can register * themselves and create a new user profile with the <code>SignUp</code> operation. * @public */ AllowAdminCreateUserOnly?: boolean | undefined; /** * This parameter is no longer in use. * The password expiration limit in days for administrator-created users. When this time * expires, the user can't sign in with their temporary password. To reset the account * after that time limit, you must call <code>AdminCreateUser</code> again, specifying * <code>RESEND</code> for the <code>MessageAction</code> parameter. * The default value for this parameter is 7. * @public */ UnusedAccountValidityDays?: number | undefined; /** * The template for the welcome message to new users. This template must include the * <code>\{####\}</code> temporary password placeholder if you are creating users with * passwords. If your users don't have passwords, you can omit the placeholder. * See also <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization">Customizing User Invitation Messages</a>. * @public */ InviteMessageTemplate?: MessageTemplateType | undefined; } /** * Represents the request to delete a user as an administrator. * @public */ export interface AdminDeleteUserRequest { /** * The ID of the user pool where you want to delete the user. * @public */ UserPoolId: string | undefined; /** * The name of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If * <code>username</code> isn't an alias attribute in your user pool, this value * must be the <code>sub</code> of a local user or the username of a user from a * third-party IdP. * @public */