The aws:connect/user:User resource, part of the Pulumi AWS provider, provisions agent and supervisor users within an Amazon Connect contact center instance. This guide focuses on four capabilities: basic user creation with phone configuration, hierarchy group assignment, email contact information, and multiple security profiles with desk phone setup.
Users belong to a Connect instance and reference routing profiles, security profiles, and optionally hierarchy groups that must exist separately. The examples are intentionally small. Combine them with your own Connect instance, routing profiles, and organizational structure.
Create a user with soft phone configuration
Contact center deployments start by creating agent users who can handle customer interactions through browser-based soft phones.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.connect.User("example", {
instanceId: exampleAwsConnectInstance.id,
name: "example",
password: "Password123",
routingProfileId: exampleAwsConnectRoutingProfile.routingProfileId,
securityProfileIds: [exampleAwsConnectSecurityProfile.securityProfileId],
identityInfo: {
firstName: "example",
lastName: "example2",
},
phoneConfig: {
afterContactWorkTimeLimit: 0,
phoneType: "SOFT_PHONE",
},
});
import pulumi
import pulumi_aws as aws
example = aws.connect.User("example",
instance_id=example_aws_connect_instance["id"],
name="example",
password="Password123",
routing_profile_id=example_aws_connect_routing_profile["routingProfileId"],
security_profile_ids=[example_aws_connect_security_profile["securityProfileId"]],
identity_info={
"first_name": "example",
"last_name": "example2",
},
phone_config={
"after_contact_work_time_limit": 0,
"phone_type": "SOFT_PHONE",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := connect.NewUser(ctx, "example", &connect.UserArgs{
InstanceId: pulumi.Any(exampleAwsConnectInstance.Id),
Name: pulumi.String("example"),
Password: pulumi.String("Password123"),
RoutingProfileId: pulumi.Any(exampleAwsConnectRoutingProfile.RoutingProfileId),
SecurityProfileIds: pulumi.StringArray{
exampleAwsConnectSecurityProfile.SecurityProfileId,
},
IdentityInfo: &connect.UserIdentityInfoArgs{
FirstName: pulumi.String("example"),
LastName: pulumi.String("example2"),
},
PhoneConfig: &connect.UserPhoneConfigArgs{
AfterContactWorkTimeLimit: pulumi.Int(0),
PhoneType: pulumi.String("SOFT_PHONE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Connect.User("example", new()
{
InstanceId = exampleAwsConnectInstance.Id,
Name = "example",
Password = "Password123",
RoutingProfileId = exampleAwsConnectRoutingProfile.RoutingProfileId,
SecurityProfileIds = new[]
{
exampleAwsConnectSecurityProfile.SecurityProfileId,
},
IdentityInfo = new Aws.Connect.Inputs.UserIdentityInfoArgs
{
FirstName = "example",
LastName = "example2",
},
PhoneConfig = new Aws.Connect.Inputs.UserPhoneConfigArgs
{
AfterContactWorkTimeLimit = 0,
PhoneType = "SOFT_PHONE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.User;
import com.pulumi.aws.connect.UserArgs;
import com.pulumi.aws.connect.inputs.UserIdentityInfoArgs;
import com.pulumi.aws.connect.inputs.UserPhoneConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.instanceId(exampleAwsConnectInstance.id())
.name("example")
.password("Password123")
.routingProfileId(exampleAwsConnectRoutingProfile.routingProfileId())
.securityProfileIds(exampleAwsConnectSecurityProfile.securityProfileId())
.identityInfo(UserIdentityInfoArgs.builder()
.firstName("example")
.lastName("example2")
.build())
.phoneConfig(UserPhoneConfigArgs.builder()
.afterContactWorkTimeLimit(0)
.phoneType("SOFT_PHONE")
.build())
.build());
}
}
resources:
example:
type: aws:connect:User
properties:
instanceId: ${exampleAwsConnectInstance.id}
name: example
password: Password123
routingProfileId: ${exampleAwsConnectRoutingProfile.routingProfileId}
securityProfileIds:
- ${exampleAwsConnectSecurityProfile.securityProfileId}
identityInfo:
firstName: example
lastName: example2
phoneConfig:
afterContactWorkTimeLimit: 0
phoneType: SOFT_PHONE
When a user logs in, Connect routes calls based on their routingProfileId, which determines which queues they serve. The securityProfileIds array grants permissions for features like call handling and customer data access. The phoneConfig block sets phoneType to SOFT_PHONE, enabling browser-based calling without physical hardware. The identityInfo block captures the agent’s name for display in the Connect interface.
Organize users into hierarchy groups
Large contact centers organize agents into teams or departments for reporting and supervision.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.connect.User("example", {
instanceId: exampleAwsConnectInstance.id,
name: "example",
password: "Password123",
routingProfileId: exampleAwsConnectRoutingProfile.routingProfileId,
hierarchyGroupId: exampleAwsConnectUserHierarchyGroup.hierarchyGroupId,
securityProfileIds: [exampleAwsConnectSecurityProfile.securityProfileId],
identityInfo: {
firstName: "example",
lastName: "example2",
},
phoneConfig: {
afterContactWorkTimeLimit: 0,
phoneType: "SOFT_PHONE",
},
});
import pulumi
import pulumi_aws as aws
example = aws.connect.User("example",
instance_id=example_aws_connect_instance["id"],
name="example",
password="Password123",
routing_profile_id=example_aws_connect_routing_profile["routingProfileId"],
hierarchy_group_id=example_aws_connect_user_hierarchy_group["hierarchyGroupId"],
security_profile_ids=[example_aws_connect_security_profile["securityProfileId"]],
identity_info={
"first_name": "example",
"last_name": "example2",
},
phone_config={
"after_contact_work_time_limit": 0,
"phone_type": "SOFT_PHONE",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := connect.NewUser(ctx, "example", &connect.UserArgs{
InstanceId: pulumi.Any(exampleAwsConnectInstance.Id),
Name: pulumi.String("example"),
Password: pulumi.String("Password123"),
RoutingProfileId: pulumi.Any(exampleAwsConnectRoutingProfile.RoutingProfileId),
HierarchyGroupId: pulumi.Any(exampleAwsConnectUserHierarchyGroup.HierarchyGroupId),
SecurityProfileIds: pulumi.StringArray{
exampleAwsConnectSecurityProfile.SecurityProfileId,
},
IdentityInfo: &connect.UserIdentityInfoArgs{
FirstName: pulumi.String("example"),
LastName: pulumi.String("example2"),
},
PhoneConfig: &connect.UserPhoneConfigArgs{
AfterContactWorkTimeLimit: pulumi.Int(0),
PhoneType: pulumi.String("SOFT_PHONE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Connect.User("example", new()
{
InstanceId = exampleAwsConnectInstance.Id,
Name = "example",
Password = "Password123",
RoutingProfileId = exampleAwsConnectRoutingProfile.RoutingProfileId,
HierarchyGroupId = exampleAwsConnectUserHierarchyGroup.HierarchyGroupId,
SecurityProfileIds = new[]
{
exampleAwsConnectSecurityProfile.SecurityProfileId,
},
IdentityInfo = new Aws.Connect.Inputs.UserIdentityInfoArgs
{
FirstName = "example",
LastName = "example2",
},
PhoneConfig = new Aws.Connect.Inputs.UserPhoneConfigArgs
{
AfterContactWorkTimeLimit = 0,
PhoneType = "SOFT_PHONE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.User;
import com.pulumi.aws.connect.UserArgs;
import com.pulumi.aws.connect.inputs.UserIdentityInfoArgs;
import com.pulumi.aws.connect.inputs.UserPhoneConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.instanceId(exampleAwsConnectInstance.id())
.name("example")
.password("Password123")
.routingProfileId(exampleAwsConnectRoutingProfile.routingProfileId())
.hierarchyGroupId(exampleAwsConnectUserHierarchyGroup.hierarchyGroupId())
.securityProfileIds(exampleAwsConnectSecurityProfile.securityProfileId())
.identityInfo(UserIdentityInfoArgs.builder()
.firstName("example")
.lastName("example2")
.build())
.phoneConfig(UserPhoneConfigArgs.builder()
.afterContactWorkTimeLimit(0)
.phoneType("SOFT_PHONE")
.build())
.build());
}
}
resources:
example:
type: aws:connect:User
properties:
instanceId: ${exampleAwsConnectInstance.id}
name: example
password: Password123
routingProfileId: ${exampleAwsConnectRoutingProfile.routingProfileId}
hierarchyGroupId: ${exampleAwsConnectUserHierarchyGroup.hierarchyGroupId}
securityProfileIds:
- ${exampleAwsConnectSecurityProfile.securityProfileId}
identityInfo:
firstName: example
lastName: example2
phoneConfig:
afterContactWorkTimeLimit: 0
phoneType: SOFT_PHONE
The hierarchyGroupId property places the user within an organizational structure. This enables team-based reporting and allows supervisors to manage specific groups of agents. Hierarchy groups are typically organized by department, location, or skill set.
Add contact information to user profiles
User profiles can include email addresses for system notifications and password recovery.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.connect.User("example", {
instanceId: exampleAwsConnectInstance.id,
name: "example",
password: "Password123",
routingProfileId: exampleAwsConnectRoutingProfile.routingProfileId,
securityProfileIds: [exampleAwsConnectSecurityProfile.securityProfileId],
identityInfo: {
email: "example@example.com",
firstName: "example",
lastName: "example2",
secondaryEmail: "secondary@example.com",
},
phoneConfig: {
afterContactWorkTimeLimit: 0,
phoneType: "SOFT_PHONE",
},
});
import pulumi
import pulumi_aws as aws
example = aws.connect.User("example",
instance_id=example_aws_connect_instance["id"],
name="example",
password="Password123",
routing_profile_id=example_aws_connect_routing_profile["routingProfileId"],
security_profile_ids=[example_aws_connect_security_profile["securityProfileId"]],
identity_info={
"email": "example@example.com",
"first_name": "example",
"last_name": "example2",
"secondary_email": "secondary@example.com",
},
phone_config={
"after_contact_work_time_limit": 0,
"phone_type": "SOFT_PHONE",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := connect.NewUser(ctx, "example", &connect.UserArgs{
InstanceId: pulumi.Any(exampleAwsConnectInstance.Id),
Name: pulumi.String("example"),
Password: pulumi.String("Password123"),
RoutingProfileId: pulumi.Any(exampleAwsConnectRoutingProfile.RoutingProfileId),
SecurityProfileIds: pulumi.StringArray{
exampleAwsConnectSecurityProfile.SecurityProfileId,
},
IdentityInfo: &connect.UserIdentityInfoArgs{
Email: pulumi.String("example@example.com"),
FirstName: pulumi.String("example"),
LastName: pulumi.String("example2"),
SecondaryEmail: pulumi.String("secondary@example.com"),
},
PhoneConfig: &connect.UserPhoneConfigArgs{
AfterContactWorkTimeLimit: pulumi.Int(0),
PhoneType: pulumi.String("SOFT_PHONE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Connect.User("example", new()
{
InstanceId = exampleAwsConnectInstance.Id,
Name = "example",
Password = "Password123",
RoutingProfileId = exampleAwsConnectRoutingProfile.RoutingProfileId,
SecurityProfileIds = new[]
{
exampleAwsConnectSecurityProfile.SecurityProfileId,
},
IdentityInfo = new Aws.Connect.Inputs.UserIdentityInfoArgs
{
Email = "example@example.com",
FirstName = "example",
LastName = "example2",
SecondaryEmail = "secondary@example.com",
},
PhoneConfig = new Aws.Connect.Inputs.UserPhoneConfigArgs
{
AfterContactWorkTimeLimit = 0,
PhoneType = "SOFT_PHONE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.User;
import com.pulumi.aws.connect.UserArgs;
import com.pulumi.aws.connect.inputs.UserIdentityInfoArgs;
import com.pulumi.aws.connect.inputs.UserPhoneConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.instanceId(exampleAwsConnectInstance.id())
.name("example")
.password("Password123")
.routingProfileId(exampleAwsConnectRoutingProfile.routingProfileId())
.securityProfileIds(exampleAwsConnectSecurityProfile.securityProfileId())
.identityInfo(UserIdentityInfoArgs.builder()
.email("example@example.com")
.firstName("example")
.lastName("example2")
.secondaryEmail("secondary@example.com")
.build())
.phoneConfig(UserPhoneConfigArgs.builder()
.afterContactWorkTimeLimit(0)
.phoneType("SOFT_PHONE")
.build())
.build());
}
}
resources:
example:
type: aws:connect:User
properties:
instanceId: ${exampleAwsConnectInstance.id}
name: example
password: Password123
routingProfileId: ${exampleAwsConnectRoutingProfile.routingProfileId}
securityProfileIds:
- ${exampleAwsConnectSecurityProfile.securityProfileId}
identityInfo:
email: example@example.com
firstName: example
lastName: example2
secondaryEmail: secondary@example.com
phoneConfig:
afterContactWorkTimeLimit: 0
phoneType: SOFT_PHONE
The identityInfo block accepts email and secondaryEmail properties. Connect uses these addresses for password reset workflows and system notifications. The email field is particularly important for self-service features where agents manage their own credentials.
Assign multiple security profiles and desk phone
Some agents need permissions from multiple security profiles and prefer physical desk phones over browser-based calling.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.connect.User("example", {
instanceId: exampleAwsConnectInstance.id,
name: "example",
password: "Password123",
routingProfileId: exampleAwsConnectRoutingProfile.routingProfileId,
securityProfileIds: [
exampleAwsConnectSecurityProfile.securityProfileId,
example2.securityProfileId,
],
phoneConfig: {
afterContactWorkTimeLimit: 0,
autoAccept: false,
deskPhoneNumber: "+112345678912",
phoneType: "DESK_PHONE",
},
});
import pulumi
import pulumi_aws as aws
example = aws.connect.User("example",
instance_id=example_aws_connect_instance["id"],
name="example",
password="Password123",
routing_profile_id=example_aws_connect_routing_profile["routingProfileId"],
security_profile_ids=[
example_aws_connect_security_profile["securityProfileId"],
example2["securityProfileId"],
],
phone_config={
"after_contact_work_time_limit": 0,
"auto_accept": False,
"desk_phone_number": "+112345678912",
"phone_type": "DESK_PHONE",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := connect.NewUser(ctx, "example", &connect.UserArgs{
InstanceId: pulumi.Any(exampleAwsConnectInstance.Id),
Name: pulumi.String("example"),
Password: pulumi.String("Password123"),
RoutingProfileId: pulumi.Any(exampleAwsConnectRoutingProfile.RoutingProfileId),
SecurityProfileIds: pulumi.StringArray{
exampleAwsConnectSecurityProfile.SecurityProfileId,
example2.SecurityProfileId,
},
PhoneConfig: &connect.UserPhoneConfigArgs{
AfterContactWorkTimeLimit: pulumi.Int(0),
AutoAccept: pulumi.Bool(false),
DeskPhoneNumber: pulumi.String("+112345678912"),
PhoneType: pulumi.String("DESK_PHONE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Connect.User("example", new()
{
InstanceId = exampleAwsConnectInstance.Id,
Name = "example",
Password = "Password123",
RoutingProfileId = exampleAwsConnectRoutingProfile.RoutingProfileId,
SecurityProfileIds = new[]
{
exampleAwsConnectSecurityProfile.SecurityProfileId,
example2.SecurityProfileId,
},
PhoneConfig = new Aws.Connect.Inputs.UserPhoneConfigArgs
{
AfterContactWorkTimeLimit = 0,
AutoAccept = false,
DeskPhoneNumber = "+112345678912",
PhoneType = "DESK_PHONE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.User;
import com.pulumi.aws.connect.UserArgs;
import com.pulumi.aws.connect.inputs.UserPhoneConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.instanceId(exampleAwsConnectInstance.id())
.name("example")
.password("Password123")
.routingProfileId(exampleAwsConnectRoutingProfile.routingProfileId())
.securityProfileIds(
exampleAwsConnectSecurityProfile.securityProfileId(),
example2.securityProfileId())
.phoneConfig(UserPhoneConfigArgs.builder()
.afterContactWorkTimeLimit(0)
.autoAccept(false)
.deskPhoneNumber("+112345678912")
.phoneType("DESK_PHONE")
.build())
.build());
}
}
resources:
example:
type: aws:connect:User
properties:
instanceId: ${exampleAwsConnectInstance.id}
name: example
password: Password123
routingProfileId: ${exampleAwsConnectRoutingProfile.routingProfileId}
securityProfileIds:
- ${exampleAwsConnectSecurityProfile.securityProfileId}
- ${example2.securityProfileId}
phoneConfig:
afterContactWorkTimeLimit: 0
autoAccept: false
deskPhoneNumber: '+112345678912'
phoneType: DESK_PHONE
The securityProfileIds array can include multiple profile IDs, combining permissions from different sources. Setting phoneType to DESK_PHONE routes calls to the deskPhoneNumber instead of the browser. The autoAccept property controls whether calls ring or connect automatically; setting it to false requires the agent to manually accept each call.
Beyond these examples
These snippets focus on specific user-level features: user provisioning with routing and security profiles, hierarchy group assignment, and soft phone and desk phone configuration. They’re intentionally minimal rather than full contact center deployments.
The examples reference pre-existing infrastructure such as Amazon Connect instances, routing profiles, security profiles, and hierarchy groups. They focus on configuring the user rather than provisioning the surrounding contact center infrastructure.
To keep things focused, common user patterns are omitted, including:
- Directory integration (directoryUserId for SAML/AD)
- Tags for cost allocation and organization
- After-contact work time limits (afterContactWorkTimeLimit)
- Auto-accept call behavior (autoAccept)
These omissions are intentional: the goal is to illustrate how each user feature is wired, not provide drop-in contact center modules. See the Connect User resource reference for all available configuration options.
Let's create AWS Connect Users
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Identity Management & Authentication
When should I provide a password for a Connect user?
Provide a password only when using Amazon Connect for identity management. Including a password with other identity providers (like SAML or directory-based authentication) causes an error.
When should I use directoryUserId?
Use
directoryUserId when Amazon Connect cannot access your directory to authenticate users. This parameter is required for existing directory-based identity management when directory access is unavailable, but causes an error if used with SAML identity management.What are the username requirements for Connect users?
Username requirements depend on your identity management type. For non-SAML instances, usernames can include up to 20 characters. For SAML instances, usernames can include up to 64 characters from the pattern
[a-zA-Z0-9_-.\@]+.Resource Lifecycle & Immutability
What properties can't I change after creating a Connect user?
The
name and instanceId properties are immutable. Changing either property after creation forces replacement of the entire user resource.How do I import an existing Connect user?
Import users using the format
instance_id:user_id separated by a colon. For example: pulumi import aws:connect/user:User example f1288a1f-6193-445a-b47e-af739b2:c1d4e5f6-1b3c-1b3c-1b3c-c1d4e5f6c1d4e5.Security & Permissions
How many security profiles can I assign to a user?
You must assign between 1 and 10 security profiles using the
securityProfileIds array. The examples demonstrate assigning multiple profiles by including additional security profile IDs in the array.Phone Configuration
What's the difference between SOFT_PHONE and DESK_PHONE?
SOFT_PHONE uses the Connect web interface for calls, while DESK_PHONE routes calls to a physical phone number specified in deskPhoneNumber. Both are configured in the required phoneConfig block.What identity information can I provide for a Connect user?
The optional
identityInfo block supports firstName, lastName, email, and secondaryEmail fields for user identity details.Can I organize users into hierarchy groups?
Yes, use the optional
hierarchyGroupId property to assign users to a hierarchy group within your Connect instance.Using a different cloud?
Explore integration guides for other cloud providers: