AWS v6.76.0 published on Tuesday, Apr 8, 2025 by Pulumi

aws.cognito.ManagedUserPoolClient


Use the aws.cognito.UserPoolClient resource to manage a Cognito User Pool Client.

This resource (aws.cognito.ManagedUserPoolClient) is advanced and has special caveats to consider before use. Please read this document completely before using the resource.

Use the aws.cognito.ManagedUserPoolClient resource to manage a Cognito User Pool Client that is automatically created by an AWS service. For instance, when configuring an OpenSearch Domain to use Cognito authentication, the OpenSearch service creates the User Pool Client during setup and removes it when it is no longer required. As a result, the aws.cognito.ManagedUserPoolClient resource does not create or delete this resource, but instead assumes management of it.

Use the aws.cognito.UserPoolClient resource to manage Cognito User Pool Clients for normal use cases.

Example Usage

Using Name Pattern

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Adopts the User Pool Client that the OpenSearch service created. This resource type
// takes over management of an existing client; it does not create or delete it.
const exampleClientArgs = {
    // Anchored with ^ and $ so the whole client name has to match. The pattern must
    // match exactly one client in the pool.
    namePattern: "^AmazonOpenSearchService-example-(\\w+)$",
    // NOTE(review): exampleAwsCognitoUserPool is not declared in this snippet; it
    // presumably refers to an aws.cognito.UserPool defined elsewhere in the program.
    userPoolId: exampleAwsCognitoUserPool.id,
};
const example = new aws.cognito.ManagedUserPoolClient("example", exampleClientArgs);
import pulumi
import pulumi_aws as aws

# Adopts the User Pool Client that the OpenSearch service created. This resource type
# takes over management of an existing client; it does not create or delete it.
example_client_args = {
    # Anchored with ^ and $ so the whole client name has to match. The pattern must
    # match exactly one client in the pool.
    "name_pattern": "^AmazonOpenSearchService-example-(\\w+)$",
    # NOTE(review): example_aws_cognito_user_pool is not declared in this snippet; it
    # presumably refers to a user pool defined elsewhere in the program.
    "user_pool_id": example_aws_cognito_user_pool["id"],
}
example = aws.cognito.ManagedUserPoolClient("example", **example_client_args)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers the Pulumi program. The program adopts the User Pool Client that the
// OpenSearch service created; this resource type takes over management of an existing
// client and does not create or delete it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		clientArgs := &cognito.ManagedUserPoolClientArgs{
			// Anchored with ^ and $ so the whole client name has to match. The
			// pattern must match exactly one client in the pool.
			NamePattern: pulumi.String("^AmazonOpenSearchService-example-(\\w+)$"),
			// NOTE(review): exampleAwsCognitoUserPool is not declared in this
			// snippet; it presumably refers to a user pool defined elsewhere.
			UserPoolId: pulumi.Any(exampleAwsCognitoUserPool.Id),
		}
		_, err := cognito.NewManagedUserPoolClient(ctx, "example", clientArgs)
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Adopts the User Pool Client that the OpenSearch service created. This resource type
// takes over management of an existing client; it does not create or delete it.
return await Deployment.RunAsync(() =>
{
    var exampleArgs = new Aws.Cognito.ManagedUserPoolClientArgs
    {
        // Anchored with ^ and $ so the whole client name has to match. The pattern
        // must match exactly one client in the pool.
        NamePattern = "^AmazonOpenSearchService-example-(\\w+)$",
        // NOTE(review): exampleAwsCognitoUserPool is not declared in this snippet; it
        // presumably refers to a user pool defined elsewhere in the program.
        UserPoolId = exampleAwsCognitoUserPool.Id,
    };

    var example = new Aws.Cognito.ManagedUserPoolClient("example", exampleArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cognito.ManagedUserPoolClient;
import com.pulumi.aws.cognito.ManagedUserPoolClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that adopts the User Pool Client created by the OpenSearch service.
 * This resource type takes over management of an existing client; it does not create
 * or delete it.
 */
public class App {
    // Anchored with ^ and $ so the whole client name has to match. The pattern must
    // match exactly one client in the pool.
    private static final String CLIENT_NAME_PATTERN = "^AmazonOpenSearchService-example-(\\w+)$";

    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the managed user pool client for this stack. */
    public static void stack(Context ctx) {
        // NOTE(review): exampleAwsCognitoUserPool is not declared in this snippet; it
        // presumably refers to a user pool defined elsewhere in the program.
        final var clientArgs = ManagedUserPoolClientArgs.builder()
            .namePattern(CLIENT_NAME_PATTERN)
            .userPoolId(exampleAwsCognitoUserPool.id())
            .build();

        var example = new ManagedUserPoolClient("example", clientArgs);
    }
}
# Adopts the User Pool Client that the OpenSearch service created. This resource type
# takes over management of an existing client; it does not create or delete it.
resources:
  example:
    type: aws:cognito:ManagedUserPoolClient
    properties:
      # Anchored with ^ and $ so the whole client name has to match. The pattern must
      # match exactly one client in the pool.
      namePattern: ^AmazonOpenSearchService-example-(\w+)$
      # NOTE(review): exampleAwsCognitoUserPool is not declared in this snippet; it
      # presumably refers to a user pool defined elsewhere in the program.
      userPoolId: ${exampleAwsCognitoUserPool.id}

Create ManagedUserPoolClient Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ManagedUserPoolClient(name: string, args: ManagedUserPoolClientArgs, opts?: CustomResourceOptions);
@overload
def ManagedUserPoolClient(resource_name: str,
                          args: ManagedUserPoolClientArgs,
                          opts: Optional[ResourceOptions] = None)

@overload
def ManagedUserPoolClient(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          user_pool_id: Optional[str] = None,
                          explicit_auth_flows: Optional[Sequence[str]] = None,
                          auth_session_validity: Optional[int] = None,
                          id_token_validity: Optional[int] = None,
                          name_pattern: Optional[str] = None,
                          logout_urls: Optional[Sequence[str]] = None,
                          callback_urls: Optional[Sequence[str]] = None,
                          default_redirect_uri: Optional[str] = None,
                          enable_propagate_additional_user_context_data: Optional[bool] = None,
                          enable_token_revocation: Optional[bool] = None,
                          access_token_validity: Optional[int] = None,
                          allowed_oauth_scopes: Optional[Sequence[str]] = None,
                          allowed_oauth_flows_user_pool_client: Optional[bool] = None,
                          analytics_configuration: Optional[ManagedUserPoolClientAnalyticsConfigurationArgs] = None,
                          name_prefix: Optional[str] = None,
                          prevent_user_existence_errors: Optional[str] = None,
                          read_attributes: Optional[Sequence[str]] = None,
                          refresh_token_validity: Optional[int] = None,
                          supported_identity_providers: Optional[Sequence[str]] = None,
                          token_validity_units: Optional[ManagedUserPoolClientTokenValidityUnitsArgs] = None,
                          allowed_oauth_flows: Optional[Sequence[str]] = None,
                          write_attributes: Optional[Sequence[str]] = None)
func NewManagedUserPoolClient(ctx *Context, name string, args ManagedUserPoolClientArgs, opts ...ResourceOption) (*ManagedUserPoolClient, error)
public ManagedUserPoolClient(string name, ManagedUserPoolClientArgs args, CustomResourceOptions? opts = null)
public ManagedUserPoolClient(String name, ManagedUserPoolClientArgs args)
public ManagedUserPoolClient(String name, ManagedUserPoolClientArgs args, CustomResourceOptions options)
type: aws:cognito:ManagedUserPoolClient
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. ManagedUserPoolClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. ManagedUserPoolClientArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. ManagedUserPoolClientArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. ManagedUserPoolClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. ManagedUserPoolClientArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference listing only: every value below is a type placeholder ("string", 0, false),
// not a working or recommended setting.
// Inputs that shape the client's security posture and should be set deliberately:
// CallbackUrls / LogoutUrls / DefaultRedirectUri (redirect targets), ExplicitAuthFlows and
// AllowedOauthFlows (which flows the client accepts), the *TokenValidity values,
// EnableTokenRevocation and PreventUserExistenceErrors.
var managedUserPoolClientResource = new Aws.Cognito.ManagedUserPoolClient("managedUserPoolClientResource", new()
{
    UserPoolId = "string",
    ExplicitAuthFlows = new[]
    {
        "string",
    },
    // Documented range: 3 to 15 minutes, default 3.
    AuthSessionValidity = 0,
    // Documented range: 5 minutes to 1 day; the unit is hours unless TokenValidityUnits overrides it.
    IdTokenValidity = 0,
    // NamePattern and NamePrefix both select the existing client by name, and each must
    // match exactly one client. NOTE(review): presumably only one of the two is set — confirm.
    NamePattern = "string",
    LogoutUrls = new[]
    {
        "string",
    },
    CallbackUrls = new[]
    {
        "string",
    },
    // Must also appear in CallbackUrls.
    DefaultRedirectUri = "string",
    EnablePropagateAdditionalUserContextData = false,
    EnableTokenRevocation = false,
    // Documented range: 5 minutes to 1 day; the unit is hours unless TokenValidityUnits overrides it.
    AccessTokenValidity = 0,
    AllowedOauthScopes = new[]
    {
        "string",
    },
    // Has to be true before CallbackUrls, LogoutUrls, AllowedOauthScopes and AllowedOauthFlows can be configured.
    AllowedOauthFlowsUserPoolClient = false,
    AnalyticsConfiguration = new Aws.Cognito.Inputs.ManagedUserPoolClientAnalyticsConfigurationArgs
    {
        ApplicationArn = "string",
        ApplicationId = "string",
        ExternalId = "string",
        RoleArn = "string",
        UserDataShared = false,
    },
    NamePrefix = "string",
    // Controls what Cognito returns when a user does not exist during authentication,
    // account confirmation and password recovery.
    PreventUserExistenceErrors = "string",
    ReadAttributes = new[]
    {
        "string",
    },
    // Documented range: 60 minutes to 10 years; the unit is days unless TokenValidityUnits overrides it.
    RefreshTokenValidity = 0,
    SupportedIdentityProviders = new[]
    {
        "string",
    },
    TokenValidityUnits = new Aws.Cognito.Inputs.ManagedUserPoolClientTokenValidityUnitsArgs
    {
        AccessToken = "string",
        IdToken = "string",
        RefreshToken = "string",
    },
    AllowedOauthFlows = new[]
    {
        "string",
    },
    WriteAttributes = new[]
    {
        "string",
    },
});
// Reference listing only: every value below is a type placeholder ("string", 0, false),
// not a working or recommended setting.
// Inputs that shape the client's security posture and should be set deliberately:
// CallbackUrls / LogoutUrls / DefaultRedirectUri (redirect targets), ExplicitAuthFlows and
// AllowedOauthFlows (which flows the client accepts), the *TokenValidity values,
// EnableTokenRevocation and PreventUserExistenceErrors.
example, err := cognito.NewManagedUserPoolClient(ctx, "managedUserPoolClientResource", &cognito.ManagedUserPoolClientArgs{
	UserPoolId: pulumi.String("string"),
	ExplicitAuthFlows: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Documented range: 3 to 15 minutes, default 3.
	AuthSessionValidity: pulumi.Int(0),
	// Documented range: 5 minutes to 1 day; the unit is hours unless TokenValidityUnits overrides it.
	IdTokenValidity:     pulumi.Int(0),
	// NamePattern and NamePrefix both select the existing client by name, and each must
	// match exactly one client. NOTE(review): presumably only one of the two is set — confirm.
	NamePattern:         pulumi.String("string"),
	LogoutUrls: pulumi.StringArray{
		pulumi.String("string"),
	},
	CallbackUrls: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Must also appear in CallbackUrls.
	DefaultRedirectUri:                       pulumi.String("string"),
	EnablePropagateAdditionalUserContextData: pulumi.Bool(false),
	EnableTokenRevocation:                    pulumi.Bool(false),
	// Documented range: 5 minutes to 1 day; the unit is hours unless TokenValidityUnits overrides it.
	AccessTokenValidity:                      pulumi.Int(0),
	AllowedOauthScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Has to be true before CallbackUrls, LogoutUrls, AllowedOauthScopes and AllowedOauthFlows can be configured.
	AllowedOauthFlowsUserPoolClient: pulumi.Bool(false),
	AnalyticsConfiguration: &cognito.ManagedUserPoolClientAnalyticsConfigurationArgs{
		ApplicationArn: pulumi.String("string"),
		ApplicationId:  pulumi.String("string"),
		ExternalId:     pulumi.String("string"),
		RoleArn:        pulumi.String("string"),
		UserDataShared: pulumi.Bool(false),
	},
	NamePrefix:                 pulumi.String("string"),
	// Controls what Cognito returns when a user does not exist during authentication,
	// account confirmation and password recovery.
	PreventUserExistenceErrors: pulumi.String("string"),
	ReadAttributes: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Documented range: 60 minutes to 10 years; the unit is days unless TokenValidityUnits overrides it.
	RefreshTokenValidity: pulumi.Int(0),
	SupportedIdentityProviders: pulumi.StringArray{
		pulumi.String("string"),
	},
	TokenValidityUnits: &cognito.ManagedUserPoolClientTokenValidityUnitsArgs{
		AccessToken:  pulumi.String("string"),
		IdToken:      pulumi.String("string"),
		RefreshToken: pulumi.String("string"),
	},
	AllowedOauthFlows: pulumi.StringArray{
		pulumi.String("string"),
	},
	WriteAttributes: pulumi.StringArray{
		pulumi.String("string"),
	},
})
// Reference listing only: every value below is a type placeholder ("string", 0, false),
// not a working or recommended setting.
// Inputs that shape the client's security posture and should be set deliberately:
// callbackUrls / logoutUrls / defaultRedirectUri (redirect targets), explicitAuthFlows and
// allowedOauthFlows (which flows the client accepts), the *TokenValidity values,
// enableTokenRevocation and preventUserExistenceErrors.
var managedUserPoolClientResource = new ManagedUserPoolClient("managedUserPoolClientResource", ManagedUserPoolClientArgs.builder()
    .userPoolId("string")
    .explicitAuthFlows("string")
    // Documented range: 3 to 15 minutes, default 3.
    .authSessionValidity(0)
    // Documented range: 5 minutes to 1 day; the unit is hours unless tokenValidityUnits overrides it.
    .idTokenValidity(0)
    // namePattern and namePrefix both select the existing client by name, and each must
    // match exactly one client. NOTE(review): presumably only one of the two is set — confirm.
    .namePattern("string")
    .logoutUrls("string")
    .callbackUrls("string")
    // Must also appear in callbackUrls.
    .defaultRedirectUri("string")
    .enablePropagateAdditionalUserContextData(false)
    .enableTokenRevocation(false)
    // Documented range: 5 minutes to 1 day; the unit is hours unless tokenValidityUnits overrides it.
    .accessTokenValidity(0)
    .allowedOauthScopes("string")
    // Has to be true before callbackUrls, logoutUrls, allowedOauthScopes and allowedOauthFlows can be configured.
    .allowedOauthFlowsUserPoolClient(false)
    .analyticsConfiguration(ManagedUserPoolClientAnalyticsConfigurationArgs.builder()
        .applicationArn("string")
        .applicationId("string")
        .externalId("string")
        .roleArn("string")
        .userDataShared(false)
        .build())
    .namePrefix("string")
    // Controls what Cognito returns when a user does not exist during authentication,
    // account confirmation and password recovery.
    .preventUserExistenceErrors("string")
    .readAttributes("string")
    // Documented range: 60 minutes to 10 years; the unit is days unless tokenValidityUnits overrides it.
    .refreshTokenValidity(0)
    .supportedIdentityProviders("string")
    .tokenValidityUnits(ManagedUserPoolClientTokenValidityUnitsArgs.builder()
        .accessToken("string")
        .idToken("string")
        .refreshToken("string")
        .build())
    .allowedOauthFlows("string")
    .writeAttributes("string")
    .build());
# Reference listing only: every value below is a type placeholder ("string", 0, False),
# not a working or recommended setting.
# Inputs that shape the client's security posture and should be set deliberately:
# callback_urls / logout_urls / default_redirect_uri (redirect targets),
# explicit_auth_flows and allowed_oauth_flows (which flows the client accepts), the
# *_token_validity values, enable_token_revocation and prevent_user_existence_errors.
managed_user_pool_client_resource = aws.cognito.ManagedUserPoolClient("managedUserPoolClientResource",
    user_pool_id="string",
    explicit_auth_flows=["string"],
    # Documented range: 3 to 15 minutes, default 3.
    auth_session_validity=0,
    # Documented range: 5 minutes to 1 day; the unit is hours unless token_validity_units overrides it.
    id_token_validity=0,
    # name_pattern and name_prefix both select the existing client by name, and each must
    # match exactly one client. NOTE(review): presumably only one of the two is set — confirm.
    name_pattern="string",
    logout_urls=["string"],
    callback_urls=["string"],
    # Must also appear in callback_urls.
    default_redirect_uri="string",
    enable_propagate_additional_user_context_data=False,
    enable_token_revocation=False,
    # Documented range: 5 minutes to 1 day; the unit is hours unless token_validity_units overrides it.
    access_token_validity=0,
    allowed_oauth_scopes=["string"],
    # Has to be true before callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows can be configured.
    allowed_oauth_flows_user_pool_client=False,
    analytics_configuration={
        "application_arn": "string",
        "application_id": "string",
        "external_id": "string",
        "role_arn": "string",
        "user_data_shared": False,
    },
    name_prefix="string",
    # Controls what Cognito returns when a user does not exist during authentication,
    # account confirmation and password recovery.
    prevent_user_existence_errors="string",
    read_attributes=["string"],
    # Documented range: 60 minutes to 10 years; the unit is days unless token_validity_units overrides it.
    refresh_token_validity=0,
    supported_identity_providers=["string"],
    token_validity_units={
        "access_token": "string",
        "id_token": "string",
        "refresh_token": "string",
    },
    allowed_oauth_flows=["string"],
    write_attributes=["string"])
// Reference listing only: every value below is a type placeholder ("string", 0, false),
// not a working or recommended setting.
// Inputs that shape the client's security posture and should be set deliberately:
// callbackUrls / logoutUrls / defaultRedirectUri (redirect targets), explicitAuthFlows and
// allowedOauthFlows (which flows the client accepts), the *TokenValidity values,
// enableTokenRevocation and preventUserExistenceErrors.
const managedUserPoolClientResource = new aws.cognito.ManagedUserPoolClient("managedUserPoolClientResource", {
    userPoolId: "string",
    explicitAuthFlows: ["string"],
    // Documented range: 3 to 15 minutes, default 3.
    authSessionValidity: 0,
    // Documented range: 5 minutes to 1 day; the unit is hours unless tokenValidityUnits overrides it.
    idTokenValidity: 0,
    // namePattern and namePrefix both select the existing client by name, and each must
    // match exactly one client. NOTE(review): presumably only one of the two is set — confirm.
    namePattern: "string",
    logoutUrls: ["string"],
    callbackUrls: ["string"],
    // Must also appear in callbackUrls.
    defaultRedirectUri: "string",
    enablePropagateAdditionalUserContextData: false,
    enableTokenRevocation: false,
    // Documented range: 5 minutes to 1 day; the unit is hours unless tokenValidityUnits overrides it.
    accessTokenValidity: 0,
    allowedOauthScopes: ["string"],
    // Has to be true before callbackUrls, logoutUrls, allowedOauthScopes and allowedOauthFlows can be configured.
    allowedOauthFlowsUserPoolClient: false,
    analyticsConfiguration: {
        applicationArn: "string",
        applicationId: "string",
        externalId: "string",
        roleArn: "string",
        userDataShared: false,
    },
    namePrefix: "string",
    // Controls what Cognito returns when a user does not exist during authentication,
    // account confirmation and password recovery.
    preventUserExistenceErrors: "string",
    readAttributes: ["string"],
    // Documented range: 60 minutes to 10 years; the unit is days unless tokenValidityUnits overrides it.
    refreshTokenValidity: 0,
    supportedIdentityProviders: ["string"],
    tokenValidityUnits: {
        accessToken: "string",
        idToken: "string",
        refreshToken: "string",
    },
    allowedOauthFlows: ["string"],
    writeAttributes: ["string"],
});
# Reference listing only: every value below is a type placeholder (string, 0, false),
# not a working or recommended setting.
# Inputs that shape the client's security posture and should be set deliberately:
# callbackUrls / logoutUrls / defaultRedirectUri (redirect targets), explicitAuthFlows and
# allowedOauthFlows (which flows the client accepts), the *TokenValidity values,
# enableTokenRevocation and preventUserExistenceErrors.
type: aws:cognito:ManagedUserPoolClient
properties:
    # Documented range: 5 minutes to 1 day; the unit is hours unless tokenValidityUnits overrides it.
    accessTokenValidity: 0
    allowedOauthFlows:
        - string
    # Has to be true before callbackUrls, logoutUrls, allowedOauthScopes and allowedOauthFlows can be configured.
    allowedOauthFlowsUserPoolClient: false
    allowedOauthScopes:
        - string
    analyticsConfiguration:
        applicationArn: string
        applicationId: string
        externalId: string
        roleArn: string
        userDataShared: false
    # Documented range: 3 to 15 minutes, default 3.
    authSessionValidity: 0
    callbackUrls:
        - string
    # Must also appear in callbackUrls.
    defaultRedirectUri: string
    enablePropagateAdditionalUserContextData: false
    enableTokenRevocation: false
    explicitAuthFlows:
        - string
    # Documented range: 5 minutes to 1 day; the unit is hours unless tokenValidityUnits overrides it.
    idTokenValidity: 0
    logoutUrls:
        - string
    # namePattern and namePrefix both select the existing client by name, and each must
    # match exactly one client. NOTE(review): presumably only one of the two is set — confirm.
    namePattern: string
    namePrefix: string
    # Controls what Cognito returns when a user does not exist during authentication,
    # account confirmation and password recovery.
    preventUserExistenceErrors: string
    readAttributes:
        - string
    # Documented range: 60 minutes to 10 years; the unit is days unless tokenValidityUnits overrides it.
    refreshTokenValidity: 0
    supportedIdentityProviders:
        - string
    tokenValidityUnits:
        accessToken: string
        idToken: string
        refreshToken: string
    userPoolId: string
    writeAttributes:
        - string

ManagedUserPoolClient Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ManagedUserPoolClient resource accepts the following input properties:

UserPoolId This property is required. string
User pool that the client belongs to.
AccessTokenValidity int
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
AllowedOauthFlows List<string>
List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
AllowedOauthFlowsUserPoolClient bool
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
AllowedOauthScopes List<string>
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfiguration
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
AuthSessionValidity int
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
CallbackUrls List<string>
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
DefaultRedirectUri string
Default redirect URI. It must be included in the list of callback URLs.
EnablePropagateAdditionalUserContextData bool
Enables the propagation of additional user context data.
EnableTokenRevocation bool
Enables or disables token revocation.
ExplicitAuthFlows List<string>
List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
IdTokenValidity int
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
LogoutUrls List<string>
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
NamePattern string
Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
NamePrefix string

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

PreventUserExistenceErrors string
Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
ReadAttributes List<string>
List of user pool attributes that the application client can read from.
RefreshTokenValidity int
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
SupportedIdentityProviders List<string>
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
TokenValidityUnits ManagedUserPoolClientTokenValidityUnits
Configuration block for representing the validity times in units. See details below.
WriteAttributes List<string>
List of user pool attributes that the application client can write to.
UserPoolId This property is required. string
User pool that the client belongs to.
AccessTokenValidity int
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
AllowedOauthFlows []string
List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
AllowedOauthFlowsUserPoolClient bool
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
AllowedOauthScopes []string
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfigurationArgs
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
AuthSessionValidity int
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
CallbackUrls []string
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
DefaultRedirectUri string
Default redirect URI. It must be included in the list of callback URLs.
EnablePropagateAdditionalUserContextData bool
Enables the propagation of additional user context data.
EnableTokenRevocation bool
Enables or disables token revocation.
ExplicitAuthFlows []string
List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
IdTokenValidity int
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
LogoutUrls []string
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
NamePattern string
Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
NamePrefix string

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

PreventUserExistenceErrors string
Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
ReadAttributes []string
List of user pool attributes that the application client can read from.
RefreshTokenValidity int
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
SupportedIdentityProviders []string
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
TokenValidityUnits ManagedUserPoolClientTokenValidityUnitsArgs
Configuration block for representing the validity times in units. See details below.
WriteAttributes []string
List of user pool attributes that the application client can write to.
userPoolId This property is required. String
User pool that the client belongs to.
accessTokenValidity Integer
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowedOauthFlows List<String>
List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
allowedOauthFlowsUserPoolClient Boolean
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowedOauthScopes List<String>
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analyticsConfiguration ManagedUserPoolClientAnalyticsConfiguration
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
authSessionValidity Integer
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callbackUrls List<String>
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
defaultRedirectUri String
Default redirect URI. It must be included in the list of callback URLs.
enablePropagateAdditionalUserContextData Boolean
Enables the propagation of additional user context data.
enableTokenRevocation Boolean
Enables or disables token revocation.
explicitAuthFlows List<String>
List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
idTokenValidity Integer
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logoutUrls List<String>
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
namePattern String
Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
namePrefix String

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

preventUserExistenceErrors String
Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
readAttributes List<String>
List of user pool attributes that the application client can read from.
refreshTokenValidity Integer
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supportedIdentityProviders List<String>
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits ManagedUserPoolClientTokenValidityUnits
Configuration block for representing the validity times in units. See details below.
writeAttributes List<String>
List of user pool attributes that the application client can write to.
userPoolId This property is required. string
User pool that the client belongs to.
accessTokenValidity number
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowedOauthFlows string[]
List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
allowedOauthFlowsUserPoolClient boolean
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowedOauthScopes string[]
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analyticsConfiguration ManagedUserPoolClientAnalyticsConfiguration
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
authSessionValidity number
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callbackUrls string[]
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
defaultRedirectUri string
Default redirect URI. It must be included in the list of callback URLs.
enablePropagateAdditionalUserContextData boolean
Enables the propagation of additional user context data.
enableTokenRevocation boolean
Enables or disables token revocation.
explicitAuthFlows string[]
List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
idTokenValidity number
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logoutUrls string[]
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
namePattern string
Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
namePrefix string

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

preventUserExistenceErrors string
Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
readAttributes string[]
List of user pool attributes that the application client can read from.
refreshTokenValidity number
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supportedIdentityProviders string[]
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits ManagedUserPoolClientTokenValidityUnits
Configuration block for representing the validity times in units. See details below.
writeAttributes string[]
List of user pool attributes that the application client can write to.
user_pool_id This property is required. str
User pool that the client belongs to.
access_token_validity int
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowed_oauth_flows Sequence[str]
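List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.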
allowed_oauth_flows_user_pool_client bool
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowed_oauth_scopes Sequence[str]
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analytics_configuration ManagedUserPoolClientAnalyticsConfigurationArgs
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
auth_session_validity int
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callback_urls Sequence[str]
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
default_redirect_uri str
Default redirect URI. It must be included in the list of callback URLs.
enable_propagate_additional_user_context_data bool
Enables the propagation of additional user context data.
enable_token_revocation bool
Enables or disables token revocation.
explicit_auth_flows Sequence[str]
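List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.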
id_token_validity int
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logout_urls Sequence[str]
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
name_pattern str
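Regular expression that matches the name of the existing User Pool Client to be managed. It must match only one User Pool Client; anchor the expression with ^ and $, as in the usage example, so that a partial match on another client's name is not picked up.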
name_prefix str

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

prevent_user_existence_errors str
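Setting that determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED the APIs return generic responses that do not reveal whether the user exists, while LEGACY returns a user-not-found error.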
read_attributes Sequence[str]
List of user pool attributes that the application client can read from.
refresh_token_validity int
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supported_identity_providers Sequence[str]
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
token_validity_units ManagedUserPoolClientTokenValidityUnitsArgs
Configuration block for representing the validity times in units. See details below.
write_attributes Sequence[str]
List of user pool attributes that the application client can write to.
userPoolId This property is required. String
User pool that the client belongs to.
accessTokenValidity Number
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowedOauthFlows List<String>
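List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.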
allowedOauthFlowsUserPoolClient Boolean
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowedOauthScopes List<String>
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analyticsConfiguration Property Map
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
authSessionValidity Number
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callbackUrls List<String>
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
defaultRedirectUri String
Default redirect URI. It must be included in the list of callback URLs.
enablePropagateAdditionalUserContextData Boolean
Enables the propagation of additional user context data.
enableTokenRevocation Boolean
Enables or disables token revocation.
explicitAuthFlows List<String>
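List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.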
idTokenValidity Number
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logoutUrls List<String>
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
namePattern String
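Regular expression that matches the name of the existing User Pool Client to be managed. It must match only one User Pool Client; anchor the expression with ^ and $, as in the usage example, so that a partial match on another client's name is not picked up.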
namePrefix String

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

preventUserExistenceErrors String
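Setting that determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED the APIs return generic responses that do not reveal whether the user exists, while LEGACY returns a user-not-found error.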
readAttributes List<String>
List of user pool attributes that the application client can read from.
refreshTokenValidity Number
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supportedIdentityProviders List<String>
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits Property Map
Configuration block for representing the validity times in units. See details below.
writeAttributes List<String>
List of user pool attributes that the application client can write to.

Outputs

All input properties are implicitly available as output properties. Additionally, the ManagedUserPoolClient resource produces the following output properties:

ClientSecret string
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
Id string
The provider-assigned unique ID for this managed resource.
Name string
Name of the user pool client.
ClientSecret string
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
Id string
The provider-assigned unique ID for this managed resource.
Name string
Name of the user pool client.
clientSecret String
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
id String
The provider-assigned unique ID for this managed resource.
name String
Name of the user pool client.
clientSecret string
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
id string
The provider-assigned unique ID for this managed resource.
name string
Name of the user pool client.
client_secret str
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
id str
The provider-assigned unique ID for this managed resource.
name str
Name of the user pool client.
clientSecret String
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
id String
The provider-assigned unique ID for this managed resource.
name String
Name of the user pool client.

Look up Existing ManagedUserPoolClient Resource

Get an existing ManagedUserPoolClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ManagedUserPoolClientState, opts?: CustomResourceOptions): ManagedUserPoolClient
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_token_validity: Optional[int] = None,
        allowed_oauth_flows: Optional[Sequence[str]] = None,
        allowed_oauth_flows_user_pool_client: Optional[bool] = None,
        allowed_oauth_scopes: Optional[Sequence[str]] = None,
        analytics_configuration: Optional[ManagedUserPoolClientAnalyticsConfigurationArgs] = None,
        auth_session_validity: Optional[int] = None,
        callback_urls: Optional[Sequence[str]] = None,
        client_secret: Optional[str] = None,
        default_redirect_uri: Optional[str] = None,
        enable_propagate_additional_user_context_data: Optional[bool] = None,
        enable_token_revocation: Optional[bool] = None,
        explicit_auth_flows: Optional[Sequence[str]] = None,
        id_token_validity: Optional[int] = None,
        logout_urls: Optional[Sequence[str]] = None,
        name: Optional[str] = None,
        name_pattern: Optional[str] = None,
        name_prefix: Optional[str] = None,
        prevent_user_existence_errors: Optional[str] = None,
        read_attributes: Optional[Sequence[str]] = None,
        refresh_token_validity: Optional[int] = None,
        supported_identity_providers: Optional[Sequence[str]] = None,
        token_validity_units: Optional[ManagedUserPoolClientTokenValidityUnitsArgs] = None,
        user_pool_id: Optional[str] = None,
        write_attributes: Optional[Sequence[str]] = None) -> ManagedUserPoolClient
func GetManagedUserPoolClient(ctx *Context, name string, id IDInput, state *ManagedUserPoolClientState, opts ...ResourceOption) (*ManagedUserPoolClient, error)
public static ManagedUserPoolClient Get(string name, Input<string> id, ManagedUserPoolClientState? state, CustomResourceOptions? opts = null)
public static ManagedUserPoolClient get(String name, Output<String> id, ManagedUserPoolClientState state, CustomResourceOptions options)
resources:
  _:
    type: aws:cognito:ManagedUserPoolClient
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessTokenValidity int
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
AllowedOauthFlows List<string>
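List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.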
AllowedOauthFlowsUserPoolClient bool
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
AllowedOauthScopes List<string>
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfiguration
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
AuthSessionValidity int
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
CallbackUrls List<string>
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
ClientSecret string
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
DefaultRedirectUri string
Default redirect URI. It must be included in the list of callback URLs.
EnablePropagateAdditionalUserContextData bool
Enables the propagation of additional user context data.
EnableTokenRevocation bool
Enables or disables token revocation.
ExplicitAuthFlows List<string>
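List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.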
IdTokenValidity int
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
LogoutUrls List<string>
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
Name string
Name of the user pool client.
NamePattern string
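Regular expression that matches the name of the existing User Pool Client to be managed. It must match only one User Pool Client; anchor the expression with ^ and $, as in the usage example, so that a partial match on another client's name is not picked up.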
NamePrefix string

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

PreventUserExistenceErrors string
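Setting that determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED the APIs return generic responses that do not reveal whether the user exists, while LEGACY returns a user-not-found error.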
ReadAttributes List<string>
List of user pool attributes that the application client can read from.
RefreshTokenValidity int
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
SupportedIdentityProviders List<string>
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
TokenValidityUnits ManagedUserPoolClientTokenValidityUnits
Configuration block for representing the validity times in units. See details below.
UserPoolId string
User pool that the client belongs to.
WriteAttributes List<string>
List of user pool attributes that the application client can write to.
AccessTokenValidity int
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
AllowedOauthFlows []string
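List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.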
AllowedOauthFlowsUserPoolClient bool
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
AllowedOauthScopes []string
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfigurationArgs
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
AuthSessionValidity int
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
CallbackUrls []string
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
ClientSecret string
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
DefaultRedirectUri string
Default redirect URI. It must be included in the list of callback URLs.
EnablePropagateAdditionalUserContextData bool
Enables the propagation of additional user context data.
EnableTokenRevocation bool
Enables or disables token revocation.
ExplicitAuthFlows []string
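List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.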
IdTokenValidity int
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
LogoutUrls []string
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
Name string
Name of the user pool client.
NamePattern string
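Regular expression that matches the name of the existing User Pool Client to be managed. It must match only one User Pool Client; anchor the expression with ^ and $, as in the usage example, so that a partial match on another client's name is not picked up.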
NamePrefix string

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

PreventUserExistenceErrors string
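Setting that determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED the APIs return generic responses that do not reveal whether the user exists, while LEGACY returns a user-not-found error.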
ReadAttributes []string
List of user pool attributes that the application client can read from.
RefreshTokenValidity int
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
SupportedIdentityProviders []string
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
TokenValidityUnits ManagedUserPoolClientTokenValidityUnitsArgs
Configuration block for representing the validity times in units. See details below.
UserPoolId string
User pool that the client belongs to.
WriteAttributes []string
List of user pool attributes that the application client can write to.
accessTokenValidity Integer
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowedOauthFlows List<String>
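List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.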
allowedOauthFlowsUserPoolClient Boolean
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowedOauthScopes List<String>
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analyticsConfiguration ManagedUserPoolClientAnalyticsConfiguration
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
authSessionValidity Integer
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callbackUrls List<String>
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
clientSecret String
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
defaultRedirectUri String
Default redirect URI. It must be included in the list of callback URLs.
enablePropagateAdditionalUserContextData Boolean
Enables the propagation of additional user context data.
enableTokenRevocation Boolean
Enables or disables token revocation.
explicitAuthFlows List<String>
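List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.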
idTokenValidity Integer
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logoutUrls List<String>
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
name String
Name of the user pool client.
namePattern String
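Regular expression that matches the name of the existing User Pool Client to be managed. It must match only one User Pool Client; anchor the expression with ^ and $, as in the usage example, so that a partial match on another client's name is not picked up.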
namePrefix String

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

preventUserExistenceErrors String
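Setting that determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED the APIs return generic responses that do not reveal whether the user exists, while LEGACY returns a user-not-found error.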
readAttributes List<String>
List of user pool attributes that the application client can read from.
refreshTokenValidity Integer
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supportedIdentityProviders List<String>
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits ManagedUserPoolClientTokenValidityUnits
Configuration block for representing the validity times in units. See details below.
userPoolId String
User pool that the client belongs to.
writeAttributes List<String>
List of user pool attributes that the application client can write to.
accessTokenValidity number
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowedOauthFlows string[]
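List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.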
allowedOauthFlowsUserPoolClient boolean
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowedOauthScopes string[]
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analyticsConfiguration ManagedUserPoolClientAnalyticsConfiguration
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
authSessionValidity number
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callbackUrls string[]
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
clientSecret string
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
defaultRedirectUri string
Default redirect URI. It must be included in the list of callback URLs.
enablePropagateAdditionalUserContextData boolean
Enables the propagation of additional user context data.
enableTokenRevocation boolean
Enables or disables token revocation.
explicitAuthFlows string[]
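List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.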
idTokenValidity number
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logoutUrls string[]
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
name string
Name of the user pool client.
namePattern string
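Regular expression that matches the name of the existing User Pool Client to be managed. It must match only one User Pool Client; anchor the expression with ^ and $, as in the usage example, so that a partial match on another client's name is not picked up.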
namePrefix string

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

preventUserExistenceErrors string
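Setting that determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED the APIs return generic responses that do not reveal whether the user exists, while LEGACY returns a user-not-found error.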
readAttributes string[]
List of user pool attributes that the application client can read from.
refreshTokenValidity number
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supportedIdentityProviders string[]
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits ManagedUserPoolClientTokenValidityUnits
Configuration block for representing the validity times in units. See details below.
userPoolId string
User pool that the client belongs to.
writeAttributes string[]
List of user pool attributes that the application client can write to.
access_token_validity int
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowed_oauth_flows Sequence[str]
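List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code unless implicit is required.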
allowed_oauth_flows_user_pool_client bool
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowed_oauth_scopes Sequence[str]
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analytics_configuration ManagedUserPoolClientAnalyticsConfigurationArgs
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
auth_session_validity int
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callback_urls Sequence[str]
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
client_secret str
Client secret of the user pool client. Handle it as a credential: keep it out of logs and unencrypted stack outputs.
default_redirect_uri str
Default redirect URI. It must be included in the list of callback URLs.
enable_propagate_additional_user_context_data bool
Enables the propagation of additional user context data.
enable_token_revocation bool
Enables or disables token revocation.
explicit_auth_flows Sequence[str]
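List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The three values without the ALLOW_ prefix are legacy names and cannot be combined with ALLOW_ values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito in the request instead of verifying it with SRP, so enable them only where the application needs them.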
id_token_validity int
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logout_urls Sequence[str]
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
name str
Name of the user pool client.
name_pattern str
Regular expression that matches the name of the existing User Pool Client to be managed. It must match exactly one User Pool Client; anchor the expression with ^ and $ so that it cannot match an unintended client.
name_prefix str

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

prevent_user_existence_errors str
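Determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED, Cognito returns a generic failure response rather than one revealing that the user does not exist.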
read_attributes Sequence[str]
List of user pool attributes that the application client can read from.
refresh_token_validity int
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supported_identity_providers Sequence[str]
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
token_validity_units ManagedUserPoolClientTokenValidityUnitsArgs
Configuration block for representing the validity times in units. See details below.
user_pool_id str
User pool that the client belongs to.
write_attributes Sequence[str]
List of user pool attributes that the application client can write to.
accessTokenValidity Number
Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
allowedOauthFlows List<String>
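List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option. The implicit flow returns tokens directly in the redirect URL, so prefer code for clients that can perform the code exchange.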
allowedOauthFlowsUserPoolClient Boolean
Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
allowedOauthScopes List<String>
List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
analyticsConfiguration Property Map
Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
authSessionValidity Number
Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
callbackUrls List<String>
List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
clientSecret String
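Client secret of the user pool client. This value is a credential for the app client, so keep it out of logs, plain-text stack outputs, and source control.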
defaultRedirectUri String
Default redirect URI. It must be included in the list of callback URLs.
enablePropagateAdditionalUserContextData Boolean
Enables the propagation of additional user context data.
enableTokenRevocation Boolean
Enables or disables token revocation.
explicitAuthFlows List<String>
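List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH. The values without the ALLOW_ prefix are legacy names and cannot be mixed with ALLOW_-prefixed values. The password-based flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) send the user's password to Cognito instead of using SRP, so list only the flows the client actually needs.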
idTokenValidity Number
Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
logoutUrls List<String>
List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
name String
Name of the user pool client.
namePattern String
Regular expression that matches the name of the existing User Pool Client to be managed. It must match exactly one User Pool Client; anchor the expression with ^ and $ so that it cannot match an unintended client.
namePrefix String

String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.

The following arguments are optional:

preventUserExistenceErrors String
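Determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery. Valid values are ENABLED and LEGACY; with ENABLED, Cognito returns a generic failure response rather than one revealing that the user does not exist.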
readAttributes List<String>
List of user pool attributes that the application client can read from.
refreshTokenValidity Number
Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
supportedIdentityProviders List<String>
List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits Property Map
Configuration block for representing the validity times in units. See details below.
userPoolId String
User pool that the client belongs to.
writeAttributes List<String>
List of user pool attributes that the application client can write to.

Supporting Types

ManagedUserPoolClientAnalyticsConfiguration, ManagedUserPoolClientAnalyticsConfigurationArgs

ApplicationArn string
Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
ApplicationId string
Unique identifier for an Amazon Pinpoint application.
ExternalId string
ID for the Analytics Configuration and conflicts with application_arn.
RoleArn string
ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
UserDataShared bool
If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
ApplicationArn string
Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
ApplicationId string
Unique identifier for an Amazon Pinpoint application.
ExternalId string
ID for the Analytics Configuration and conflicts with application_arn.
RoleArn string
ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
UserDataShared bool
If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
applicationArn String
Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
applicationId String
Unique identifier for an Amazon Pinpoint application.
externalId String
ID for the Analytics Configuration and conflicts with application_arn.
roleArn String
ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
userDataShared Boolean
If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
applicationArn string
Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
applicationId string
Unique identifier for an Amazon Pinpoint application.
externalId string
ID for the Analytics Configuration and conflicts with application_arn.
roleArn string
ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
userDataShared boolean
If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
application_arn str
Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
application_id str
Unique identifier for an Amazon Pinpoint application.
external_id str
ID for the Analytics Configuration and conflicts with application_arn.
role_arn str
ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
user_data_shared bool
If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
applicationArn String
Application ARN for an Amazon Pinpoint application. It conflicts with external_id and role_arn.
applicationId String
Unique identifier for an Amazon Pinpoint application.
externalId String
ID for the Analytics Configuration and conflicts with application_arn.
roleArn String
ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. It conflicts with application_arn.
userDataShared Boolean
If user_data_shared is set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

ManagedUserPoolClientTokenValidityUnits, ManagedUserPoolClientTokenValidityUnitsArgs

AccessToken string
Time unit for the value in access_token_validity and defaults to hours.
IdToken string
Time unit for the value in id_token_validity, and it defaults to hours.
RefreshToken string
Time unit for the value in refresh_token_validity and defaults to days.
AccessToken string
Time unit for the value in access_token_validity and defaults to hours.
IdToken string
Time unit for the value in id_token_validity, and it defaults to hours.
RefreshToken string
Time unit for the value in refresh_token_validity and defaults to days.
accessToken String
Time unit for the value in access_token_validity and defaults to hours.
idToken String
Time unit for the value in id_token_validity, and it defaults to hours.
refreshToken String
Time unit for the value in refresh_token_validity and defaults to days.
accessToken string
Time unit for the value in access_token_validity and defaults to hours.
idToken string
Time unit for the value in id_token_validity, and it defaults to hours.
refreshToken string
Time unit for the value in refresh_token_validity and defaults to days.
access_token str
Time unit for the value in access_token_validity and defaults to hours.
id_token str
Time unit for the value in id_token_validity, and it defaults to hours.
refresh_token str
Time unit for the value in refresh_token_validity and defaults to days.
accessToken String
Time unit for the value in access_token_validity and defaults to hours.
idToken String
Time unit for the value in id_token_validity, and it defaults to hours.
refreshToken String
Time unit for the value in refresh_token_validity and defaults to days.

Import

Using pulumi import, import Cognito User Pool Clients using the id of the Cognito User Pool and the id of the Cognito User Pool Client, separated by a slash (user pool id first). For example:

$ pulumi import aws:cognito/managedUserPoolClient:ManagedUserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.