import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Provides a Cognito User Pool Client resource.
*
* To manage a User Pool Client created by another service, such as when [configuring an OpenSearch Domain to use Cognito authentication](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html),
* use the `aws.cognito.ManagedUserPoolClient` resource instead.
*
* ## Example Usage
*
* ### Create a basic user pool client
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const pool = new aws.cognito.UserPool("pool", {name: "pool"});
* const client = new aws.cognito.UserPoolClient("client", {
* name: "client",
* userPoolId: pool.id,
* });
* ```
*
* ### Create a user pool client with no SRP authentication
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const pool = new aws.cognito.UserPool("pool", {name: "pool"});
* const client = new aws.cognito.UserPoolClient("client", {
* name: "client",
* userPoolId: pool.id,
* generateSecret: true,
* explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
* });
* ```
*
* ### Create a user pool client with pinpoint analytics
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const testUserPool = new aws.cognito.UserPool("test", {name: "pool"});
* const testApp = new aws.pinpoint.App("test", {name: "pinpoint"});
* const assumeRole = aws.iam.getPolicyDocument({
* statements: [{
* effect: "Allow",
* principals: [{
* type: "Service",
* identifiers: ["cognito-idp.amazonaws.com"],
* }],
* actions: ["sts:AssumeRole"],
* }],
* });
* const testRole = new aws.iam.Role("test", {
* name: "role",
* assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
* });
* const testUserPoolClient = new aws.cognito.UserPoolClient("test", {
* name: "pool_client",
* userPoolId: testUserPool.id,
* analyticsConfiguration: {
* applicationId: testApp.applicationId,
* externalId: "some_id",
* roleArn: testRole.arn,
* userDataShared: true,
* },
* });
* const current = aws.getCallerIdentity({});
* const test = aws.iam.getPolicyDocumentOutput({
* statements: [{
* effect: "Allow",
* actions: [
* "mobiletargeting:UpdateEndpoint",
* "mobiletargeting:PutEvents",
* ],
* resources: [pulumi.all([current, testApp.applicationId]).apply(([current, applicationId]) => `arn:aws:mobiletargeting:*:${current.accountId}:apps/${applicationId}*`)],
* }],
* });
* const testRolePolicy = new aws.iam.RolePolicy("test", {
* name: "role_policy",
* role: testRole.id,
* policy: test.apply(test => test.json),
* });
* ```
*
* ### Create a user pool client with Cognito as the identity provider
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const pool = new aws.cognito.UserPool("pool", {name: "pool"});
* const userpoolClient = new aws.cognito.UserPoolClient("userpool_client", {
* name: "client",
* userPoolId: pool.id,
* callbackUrls: ["https://example.com"],
* allowedOauthFlowsUserPoolClient: true,
* allowedOauthFlows: [
* "code",
* "implicit",
* ],
* allowedOauthScopes: [
* "email",
* "openid",
* ],
* supportedIdentityProviders: ["COGNITO"],
* });
* ```
*
* ### Create a user pool client with refresh token rotation
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const pool = new aws.cognito.UserPool("pool", {name: "pool"});
* const userpoolClient = new aws.cognito.UserPoolClient("userpool_client", {
* name: "client",
* userPoolId: pool.id,
* explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
* refreshTokenRotation: {
* feature: "ENABLED",
* retryGracePeriodSeconds: 10,
* },
* });
* ```
*
* ## Import
*
* Using `pulumi import`, import Cognito User Pool Clients using the `id` of the Cognito User Pool, and the `id` of the Cognito User Pool Client. For example:
*
* ```sh
* $ pulumi import aws:cognito/userPoolClient:UserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
* ```
*/
export declare class UserPoolClient extends pulumi.CustomResource {
    /**
     * Get an existing UserPoolClient resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup. Presumably the
     *           `<user-pool-id>/<client-id>` form shown under "Import" above — verify against the provider.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserPoolClientState, opts?: pulumi.CustomResourceOptions): UserPoolClient;
    /**
     * Returns true if the given object is an instance of UserPoolClient. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * NOTE(review): the parameter is typed `any` because the check is a duck-typed SDK-version-independent
     * probe; callers should not rely on it as a security boundary.
     */
    static isInstance(obj: any): obj is UserPoolClient;
    /**
     * Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token` (the `tokenValidityUnits` block in this SDK).
     *
     * NOTE(review): keep this short. A bearer access token stays usable until expiry for any verifier that
     * only checks the JWT signature, so the lifetime bounds the exposure window of a leaked token.
     */
    readonly accessTokenValidity: pulumi.Output<number>;
    /**
     * List of allowed OAuth flows, including `code`, `implicit`, and `clientCredentials`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): `implicit` delivers tokens in the URL fragment (browser history, referrers); current OAuth
     * guidance prefers `code` (with PKCE for public clients). `clientCredentials` presumes a confidential client
     * holding `clientSecret`.
     */
    readonly allowedOauthFlows: pulumi.Output<string[]>;
    /**
     * Whether the client is allowed to use OAuth 2.0 features. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure the following arguments: `callbackUrls`, `logoutUrls`, `allowedOauthScopes` and `allowedOauthFlows`.
     */
    readonly allowedOauthFlowsUserPoolClient: pulumi.Output<boolean>;
    /**
     * List of allowed OAuth scopes, including `phone`, `email`, `openid`, `profile`, and `aws.cognito.signin.user.admin`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): grant the minimum set; `aws.cognito.signin.user.admin` lets a token call user-pool APIs on the
     * user's behalf (self-service attribute changes), which most resource servers do not need — confirm against AWS docs.
     */
    readonly allowedOauthScopes: pulumi.Output<string[]>;
    /**
     * Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See `outputs.cognito.UserPoolClientAnalyticsConfiguration`.
     *
     * The Pinpoint example above pairs this with an IAM role that Cognito assumes (`cognito-idp.amazonaws.com`
     * principal) — scope that role's policy to the specific Pinpoint app, as the example does.
     */
    readonly analyticsConfiguration: pulumi.Output<outputs.cognito.UserPoolClientAnalyticsConfiguration | undefined>;
    /**
     * Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
     */
    readonly authSessionValidity: pulumi.Output<number>;
    /**
     * List of allowed callback URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): this list is the redirect-URI allow-list that prevents authorization codes/tokens from being
     * sent to an attacker-chosen URL; keep it minimal and HTTPS-only. Presumably matched exactly against the
     * request's `redirect_uri` — confirm against AWS docs.
     */
    readonly callbackUrls: pulumi.Output<string[]>;
    /**
     * Client secret of the user pool client.
     *
     * Sensitive. NOTE(review): this declaration does not show whether the provider marks the output as a Pulumi
     * secret — confirm before exporting it from a stack, or wrap it with `pulumi.secret()`.
     */
    readonly clientSecret: pulumi.Output<string>;
    /**
     * Default redirect URI and must be included in the list of callback URLs.
     */
    readonly defaultRedirectUri: pulumi.Output<string>;
    /**
     * Enables the propagation of additional user context data.
     *
     * NOTE(review): presumably lets the client forward device/IP context for risk evaluation (AWS docs tie it to the
     * pool's advanced security features) — confirm before relying on it.
     */
    readonly enablePropagateAdditionalUserContextData: pulumi.Output<boolean>;
    /**
     * Enables or disables token revocation.
     *
     * NOTE(review): relevant to incident response — with revocation disabled, `RevokeToken` cannot be used to
     * invalidate a compromised refresh token for this client; confirm what fallback your runbook relies on.
     */
    readonly enableTokenRevocation: pulumi.Output<boolean>;
    /**
     * List of authentication flows. The available options include `ADMIN_NO_SRP_AUTH`, `CUSTOM_AUTH_FLOW_ONLY`, `USER_PASSWORD_AUTH`, `ALLOW_ADMIN_USER_PASSWORD_AUTH`, `ALLOW_CUSTOM_AUTH`, `ALLOW_USER_PASSWORD_AUTH`, `ALLOW_USER_SRP_AUTH`, `ALLOW_REFRESH_TOKEN_AUTH`, and `ALLOW_USER_AUTH`.
     *
     * NOTE(review): the `*USER_PASSWORD_AUTH` / `ADMIN_NO_SRP_AUTH` flows send the password itself to Cognito
     * instead of an SRP proof; enable them only for clients that genuinely cannot do SRP, and prefer the
     * `ALLOW_*` forms, which are the ones the newer API accepts.
     */
    readonly explicitAuthFlows: pulumi.Output<string[]>;
    /**
     * Boolean flag indicating whether an application secret should be generated.
     *
     * NOTE(review): only a confidential (server-side) client can keep a secret; SPAs and mobile apps should leave
     * this unset and use the `code` flow with PKCE.
     */
    readonly generateSecret: pulumi.Output<boolean | undefined>;
    /**
     * Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token` (the `tokenValidityUnits` block in this SDK).
     */
    readonly idTokenValidity: pulumi.Output<number>;
    /**
     * List of allowed logout URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): an allow-list like `callbackUrls`; an over-broad entry turns the logout endpoint into an open redirect.
     */
    readonly logoutUrls: pulumi.Output<string[]>;
    /**
     * Name of the application client.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
     *
     * NOTE(review): this is the user-enumeration control — the setting that returns generic responses
     * (`ENABLED` in the Cognito API, versus `LEGACY`) keeps callers from distinguishing unknown users from wrong
     * passwords; confirm the current documented values.
     */
    readonly preventUserExistenceErrors: pulumi.Output<string>;
    /**
     * List of user pool attributes that the application client can read from.
     */
    readonly readAttributes: pulumi.Output<string[]>;
    /**
     * A block that specifies the configuration of refresh token rotation. See `outputs.cognito.UserPoolClientRefreshTokenRotation` and the "refresh token rotation" example above.
     *
     * NOTE(review): rotation issues a fresh refresh token on each use, so replay of a stolen, already-used token
     * becomes detectable; presumably the grace period bounds how long the superseded token is still honoured.
     */
    readonly refreshTokenRotation: pulumi.Output<outputs.cognito.UserPoolClientRefreshTokenRotation | undefined>;
    /**
     * Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token` (the `tokenValidityUnits` block in this SDK).
     *
     * NOTE(review): the refresh token is the long-lived credential; pair a long validity with
     * `enableTokenRevocation` and/or `refreshTokenRotation`.
     */
    readonly refreshTokenValidity: pulumi.Output<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    readonly region: pulumi.Output<string>;
    /**
     * List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `aws.cognito.IdentityProvider` resource(s), or the equivalent string(s).
     *
     * NOTE(review): every provider listed here can establish a session for this client; list only those the
     * application actually federates with (`COGNITO` alone in the hosted-UI example above).
     */
    readonly supportedIdentityProviders: pulumi.Output<string[]>;
    /**
     * Configuration block for representing the validity times in units. See `outputs.cognito.UserPoolClientTokenValidityUnits`.
     *
     * Changing a unit here silently rescales the `*Validity` numbers above — check both together.
     */
    readonly tokenValidityUnits: pulumi.Output<outputs.cognito.UserPoolClientTokenValidityUnits | undefined>;
    /**
     * User pool the client belongs to.
     *
     * The following arguments are optional:
     */
    readonly userPoolId: pulumi.Output<string>;
    /**
     * List of user pool attributes that the application client can write to.
     *
     * NOTE(review): least privilege — anything listed can be self-updated by a user authenticated through this
     * client; confirm that verification-status attributes are intentionally in or out of scope.
     */
    readonly writeAttributes: pulumi.Output<string[]>;
    /**
     * Create a UserPoolClient resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties (`userPoolId` is required; see `UserPoolClientArgs`).
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: UserPoolClientArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering UserPoolClient resources.
*/
export interface UserPoolClientState {
    /**
     * Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token` (the `tokenValidityUnits` block in this SDK).
     */
    accessTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed OAuth flows, including `code`, `implicit`, and `clientCredentials`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): `implicit` exposes tokens in the URL fragment; prefer `code` (with PKCE for public clients).
     */
    allowedOauthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the client is allowed to use OAuth 2.0 features. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure the following arguments: `callbackUrls`, `logoutUrls`, `allowedOauthScopes` and `allowedOauthFlows`.
     */
    allowedOauthFlowsUserPoolClient?: pulumi.Input<boolean>;
    /**
     * List of allowed OAuth scopes, including `phone`, `email`, `openid`, `profile`, and `aws.cognito.signin.user.admin`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     */
    allowedOauthScopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See `inputs.cognito.UserPoolClientAnalyticsConfiguration`.
     */
    analyticsConfiguration?: pulumi.Input<inputs.cognito.UserPoolClientAnalyticsConfiguration>;
    /**
     * Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
     */
    authSessionValidity?: pulumi.Input<number>;
    /**
     * List of allowed callback URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): redirect-URI allow-list; keep it minimal and HTTPS-only.
     */
    callbackUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Client secret of the user pool client.
     *
     * Sensitive. NOTE(review): a value supplied here is recorded in stack state — prefer letting the lookup
     * populate it, and treat the state file as secret material either way.
     */
    clientSecret?: pulumi.Input<string>;
    /**
     * Default redirect URI and must be included in the list of callback URLs.
     */
    defaultRedirectUri?: pulumi.Input<string>;
    /**
     * Enables the propagation of additional user context data.
     *
     * NOTE(review): presumably forwards device/IP context for risk evaluation — confirm against AWS docs.
     */
    enablePropagateAdditionalUserContextData?: pulumi.Input<boolean>;
    /**
     * Enables or disables token revocation.
     *
     * NOTE(review): when disabled, a compromised refresh token for this client cannot be revoked via `RevokeToken`.
     */
    enableTokenRevocation?: pulumi.Input<boolean>;
    /**
     * List of authentication flows. The available options include `ADMIN_NO_SRP_AUTH`, `CUSTOM_AUTH_FLOW_ONLY`, `USER_PASSWORD_AUTH`, `ALLOW_ADMIN_USER_PASSWORD_AUTH`, `ALLOW_CUSTOM_AUTH`, `ALLOW_USER_PASSWORD_AUTH`, `ALLOW_USER_SRP_AUTH`, `ALLOW_REFRESH_TOKEN_AUTH`, and `ALLOW_USER_AUTH`.
     *
     * NOTE(review): password-auth flows transmit the password itself rather than an SRP proof; enable only when needed.
     */
    explicitAuthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Boolean flag indicating whether an application secret should be generated.
     *
     * NOTE(review): appropriate for confidential (server-side) clients only; public clients cannot protect a secret.
     */
    generateSecret?: pulumi.Input<boolean>;
    /**
     * Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token` (the `tokenValidityUnits` block in this SDK).
     */
    idTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed logout URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     */
    logoutUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Name of the application client.
     */
    name?: pulumi.Input<string>;
    /**
     * Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
     *
     * NOTE(review): user-enumeration control — the generic-response setting (`ENABLED` in the Cognito API) is the
     * hardened choice; confirm the current documented values.
     */
    preventUserExistenceErrors?: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can read from.
     */
    readAttributes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A block that specifies the configuration of refresh token rotation. See `inputs.cognito.UserPoolClientRefreshTokenRotation`.
     */
    refreshTokenRotation?: pulumi.Input<inputs.cognito.UserPoolClientRefreshTokenRotation>;
    /**
     * Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token` (the `tokenValidityUnits` block in this SDK).
     */
    refreshTokenValidity?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `aws.cognito.IdentityProvider` resource(s), or the equivalent string(s).
     */
    supportedIdentityProviders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for representing the validity times in units. See `inputs.cognito.UserPoolClientTokenValidityUnits`.
     */
    tokenValidityUnits?: pulumi.Input<inputs.cognito.UserPoolClientTokenValidityUnits>;
    /**
     * User pool the client belongs to.
     *
     * The following arguments are optional:
     */
    userPoolId?: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can write to.
     *
     * NOTE(review): least privilege — anything listed is self-updatable by a user of this client.
     */
    writeAttributes?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* The set of arguments for constructing a UserPoolClient resource.
*/
export interface UserPoolClientArgs {
    /**
     * Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token` (the `tokenValidityUnits` block in this SDK).
     *
     * NOTE(review): keep short — a bearer access token stays usable until expiry for any verifier that only checks
     * the JWT signature, so this bounds the exposure window of a leaked token.
     */
    accessTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed OAuth flows, including `code`, `implicit`, and `clientCredentials`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): `implicit` delivers tokens in the URL fragment (browser history, referrers); current OAuth
     * guidance prefers `code` with PKCE for public clients. `clientCredentials` presumes a confidential client with
     * `generateSecret` set.
     */
    allowedOauthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the client is allowed to use OAuth 2.0 features. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure the following arguments: `callbackUrls`, `logoutUrls`, `allowedOauthScopes` and `allowedOauthFlows`.
     */
    allowedOauthFlowsUserPoolClient?: pulumi.Input<boolean>;
    /**
     * List of allowed OAuth scopes, including `phone`, `email`, `openid`, `profile`, and `aws.cognito.signin.user.admin`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): grant the minimum set; `aws.cognito.signin.user.admin` lets a token act on the user's own
     * pool record, which most resource servers do not need — confirm against AWS docs.
     */
    allowedOauthScopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See `inputs.cognito.UserPoolClientAnalyticsConfiguration`.
     *
     * The Pinpoint example above pairs this with a role assumed by `cognito-idp.amazonaws.com`; scope that role's
     * policy to the single Pinpoint app, as the example does.
     */
    analyticsConfiguration?: pulumi.Input<inputs.cognito.UserPoolClientAnalyticsConfiguration>;
    /**
     * Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
     */
    authSessionValidity?: pulumi.Input<number>;
    /**
     * List of allowed callback URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): this is the redirect-URI allow-list that keeps authorization codes/tokens from being sent to an
     * attacker-chosen URL; keep it minimal and HTTPS-only. Presumably matched exactly against the request's
     * `redirect_uri` — confirm against AWS docs.
     */
    callbackUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Default redirect URI and must be included in the list of callback URLs.
     */
    defaultRedirectUri?: pulumi.Input<string>;
    /**
     * Enables the propagation of additional user context data.
     *
     * NOTE(review): presumably lets the client forward device/IP context for risk evaluation (AWS docs tie it to
     * the pool's advanced security features) — confirm before relying on it.
     */
    enablePropagateAdditionalUserContextData?: pulumi.Input<boolean>;
    /**
     * Enables or disables token revocation.
     *
     * NOTE(review): leave enabled unless there is a reason not to — with it disabled, `RevokeToken` cannot
     * invalidate a compromised refresh token for this client during incident response.
     */
    enableTokenRevocation?: pulumi.Input<boolean>;
    /**
     * List of authentication flows. The available options include `ADMIN_NO_SRP_AUTH`, `CUSTOM_AUTH_FLOW_ONLY`, `USER_PASSWORD_AUTH`, `ALLOW_ADMIN_USER_PASSWORD_AUTH`, `ALLOW_CUSTOM_AUTH`, `ALLOW_USER_PASSWORD_AUTH`, `ALLOW_USER_SRP_AUTH`, `ALLOW_REFRESH_TOKEN_AUTH`, and `ALLOW_USER_AUTH`.
     *
     * NOTE(review): the `*USER_PASSWORD_AUTH` / `ADMIN_NO_SRP_AUTH` flows send the password itself to Cognito
     * rather than an SRP proof; enable them only for clients that genuinely cannot do SRP (the "no SRP" example
     * above shows the shape), and prefer the `ALLOW_*` forms.
     */
    explicitAuthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Boolean flag indicating whether an application secret should be generated.
     *
     * NOTE(review): only a confidential (server-side) client can keep a secret; SPAs and mobile apps should leave
     * this unset and use the `code` flow with PKCE. The generated value surfaces as the `clientSecret` output —
     * confirm it is handled as a Pulumi secret before exporting it.
     */
    generateSecret?: pulumi.Input<boolean>;
    /**
     * Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token` (the `tokenValidityUnits` block in this SDK).
     */
    idTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed logout URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): an allow-list like `callbackUrls`; an over-broad entry turns the logout endpoint into an open redirect.
     */
    logoutUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Name of the application client.
     */
    name?: pulumi.Input<string>;
    /**
     * Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
     *
     * NOTE(review): this is the user-enumeration control — the generic-response setting (`ENABLED` in the Cognito
     * API, versus `LEGACY`) keeps callers from distinguishing unknown users from wrong passwords; confirm the
     * current documented values.
     */
    preventUserExistenceErrors?: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can read from.
     *
     * NOTE(review): least privilege — expose only the attributes this application needs.
     */
    readAttributes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A block that specifies the configuration of refresh token rotation. See `inputs.cognito.UserPoolClientRefreshTokenRotation` and the "refresh token rotation" example above.
     *
     * NOTE(review): rotation issues a fresh refresh token on each use, so replay of a stolen, already-used token
     * becomes detectable; presumably the grace period bounds how long the superseded token is still honoured.
     */
    refreshTokenRotation?: pulumi.Input<inputs.cognito.UserPoolClientRefreshTokenRotation>;
    /**
     * Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token` (the `tokenValidityUnits` block in this SDK).
     *
     * NOTE(review): the refresh token is the long-lived credential; pair a long validity with
     * `enableTokenRevocation` and/or `refreshTokenRotation`.
     */
    refreshTokenValidity?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `aws.cognito.IdentityProvider` resource(s), or the equivalent string(s).
     *
     * NOTE(review): every provider listed here can establish a session for this client; list only those the
     * application actually federates with (`COGNITO` alone in the hosted-UI example above).
     */
    supportedIdentityProviders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for representing the validity times in units. See `inputs.cognito.UserPoolClientTokenValidityUnits`.
     *
     * Changing a unit here silently rescales the `*Validity` numbers above — review both together.
     */
    tokenValidityUnits?: pulumi.Input<inputs.cognito.UserPoolClientTokenValidityUnits>;
    /**
     * User pool the client belongs to.
     *
     * The following arguments are optional:
     */
    userPoolId: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can write to.
     *
     * NOTE(review): least privilege — anything listed can be self-updated by a user authenticated through this
     * client; confirm that verification-status attributes are intentionally in or out of scope.
     */
    writeAttributes?: pulumi.Input<pulumi.Input<string>[]>;
}