1. Packages
  2. AWS
  3. API Docs
  4. cognito
  5. UserPoolClient
AWS v6.64.0 published on Friday, Dec 6, 2024 by Pulumi

aws.cognito.UserPoolClient

Explore with Pulumi AI

aws logo
AWS v6.64.0 published on Friday, Dec 6, 2024 by Pulumi

    Provides a Cognito User Pool Client resource.

    To manage a User Pool Client created by another service, such as when configuring an OpenSearch Domain to use Cognito authentication, use the aws.cognito.ManagedUserPoolClient resource instead.

    Example Usage

    Create a basic user pool client

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const pool = new aws.cognito.UserPool("pool", {name: "pool"});
    const client = new aws.cognito.UserPoolClient("client", {
        name: "client",
        userPoolId: pool.id,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    pool = aws.cognito.UserPool("pool", name="pool")
    client = aws.cognito.UserPoolClient("client",
        name="client",
        user_pool_id=pool.id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
    			Name: pulumi.String("pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
    			Name:       pulumi.String("client"),
    			UserPoolId: pool.ID(),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Aws.Cognito.UserPool("pool", new()
        {
            Name = "pool",
        });
    
        var client = new Aws.Cognito.UserPoolClient("client", new()
        {
            Name = "client",
            UserPoolId = pool.Id,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cognito.UserPool;
    import com.pulumi.aws.cognito.UserPoolArgs;
    import com.pulumi.aws.cognito.UserPoolClient;
    import com.pulumi.aws.cognito.UserPoolClientArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new UserPool("pool", UserPoolArgs.builder()
                .name("pool")
                .build());
    
            var client = new UserPoolClient("client", UserPoolClientArgs.builder()
                .name("client")
                .userPoolId(pool.id())
                .build());
    
        }
    }
    
    resources:
      client:
        type: aws:cognito:UserPoolClient
        properties:
          name: client
          userPoolId: ${pool.id}
      pool:
        type: aws:cognito:UserPool
        properties:
          name: pool
    

    Create a user pool client with no SRP authentication

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const pool = new aws.cognito.UserPool("pool", {name: "pool"});
    const client = new aws.cognito.UserPoolClient("client", {
        name: "client",
        userPoolId: pool.id,
        generateSecret: true,
        explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    pool = aws.cognito.UserPool("pool", name="pool")
    client = aws.cognito.UserPoolClient("client",
        name="client",
        user_pool_id=pool.id,
        generate_secret=True,
        explicit_auth_flows=["ADMIN_NO_SRP_AUTH"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
    			Name: pulumi.String("pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
    			Name:           pulumi.String("client"),
    			UserPoolId:     pool.ID(),
    			GenerateSecret: pulumi.Bool(true),
    			ExplicitAuthFlows: pulumi.StringArray{
    				pulumi.String("ADMIN_NO_SRP_AUTH"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Aws.Cognito.UserPool("pool", new()
        {
            Name = "pool",
        });
    
        var client = new Aws.Cognito.UserPoolClient("client", new()
        {
            Name = "client",
            UserPoolId = pool.Id,
            GenerateSecret = true,
            ExplicitAuthFlows = new[]
            {
                "ADMIN_NO_SRP_AUTH",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cognito.UserPool;
    import com.pulumi.aws.cognito.UserPoolArgs;
    import com.pulumi.aws.cognito.UserPoolClient;
    import com.pulumi.aws.cognito.UserPoolClientArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new UserPool("pool", UserPoolArgs.builder()
                .name("pool")
                .build());
    
            var client = new UserPoolClient("client", UserPoolClientArgs.builder()
                .name("client")
                .userPoolId(pool.id())
                .generateSecret(true)
                .explicitAuthFlows("ADMIN_NO_SRP_AUTH")
                .build());
    
        }
    }
    
    resources:
      client:
        type: aws:cognito:UserPoolClient
        properties:
          name: client
          userPoolId: ${pool.id}
          generateSecret: true
          explicitAuthFlows:
            - ADMIN_NO_SRP_AUTH
      pool:
        type: aws:cognito:UserPool
        properties:
          name: pool
    

    Create a user pool client with pinpoint analytics

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const testUserPool = new aws.cognito.UserPool("test", {name: "pool"});
    const testApp = new aws.pinpoint.App("test", {name: "pinpoint"});
    const assumeRole = aws.iam.getPolicyDocument({
        statements: [{
            effect: "Allow",
            principals: [{
                type: "Service",
                identifiers: ["cognito-idp.amazonaws.com"],
            }],
            actions: ["sts:AssumeRole"],
        }],
    });
    const testRole = new aws.iam.Role("test", {
        name: "role",
        assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
    });
    const testUserPoolClient = new aws.cognito.UserPoolClient("test", {
        name: "pool_client",
        userPoolId: testUserPool.id,
        analyticsConfiguration: {
            applicationId: testApp.applicationId,
            externalId: "some_id",
            roleArn: testRole.arn,
            userDataShared: true,
        },
    });
    const current = aws.getCallerIdentity({});
    const test = aws.iam.getPolicyDocumentOutput({
        statements: [{
            effect: "Allow",
            actions: [
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:PutEvents",
            ],
            resources: [pulumi.all([current, testApp.applicationId]).apply(([current, applicationId]) => `arn:aws:mobiletargeting:*:${current.accountId}:apps/${applicationId}*`)],
        }],
    });
    const testRolePolicy = new aws.iam.RolePolicy("test", {
        name: "role_policy",
        role: testRole.id,
        policy: test.apply(test => test.json),
    });
    
    import pulumi
    import pulumi_aws as aws
    
    test_user_pool = aws.cognito.UserPool("test", name="pool")
    test_app = aws.pinpoint.App("test", name="pinpoint")
    assume_role = aws.iam.get_policy_document(statements=[{
        "effect": "Allow",
        "principals": [{
            "type": "Service",
            "identifiers": ["cognito-idp.amazonaws.com"],
        }],
        "actions": ["sts:AssumeRole"],
    }])
    test_role = aws.iam.Role("test",
        name="role",
        assume_role_policy=assume_role.json)
    test_user_pool_client = aws.cognito.UserPoolClient("test",
        name="pool_client",
        user_pool_id=test_user_pool.id,
        analytics_configuration={
            "application_id": test_app.application_id,
            "external_id": "some_id",
            "role_arn": test_role.arn,
            "user_data_shared": True,
        })
    current = aws.get_caller_identity()
    test = aws.iam.get_policy_document_output(statements=[{
        "effect": "Allow",
        "actions": [
            "mobiletargeting:UpdateEndpoint",
            "mobiletargeting:PutEvents",
        ],
        "resources": [test_app.application_id.apply(lambda application_id: f"arn:aws:mobiletargeting:*:{current.account_id}:apps/{application_id}*")],
    }])
    test_role_policy = aws.iam.RolePolicy("test",
        name="role_policy",
        role=test_role.id,
        policy=test.json)
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/pinpoint"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		testUserPool, err := cognito.NewUserPool(ctx, "test", &cognito.UserPoolArgs{
    			Name: pulumi.String("pool"),
    		})
    		if err != nil {
    			return err
    		}
    		testApp, err := pinpoint.NewApp(ctx, "test", &pinpoint.AppArgs{
    			Name: pulumi.String("pinpoint"),
    		})
    		if err != nil {
    			return err
    		}
    		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"cognito-idp.amazonaws.com",
    							},
    						},
    					},
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		testRole, err := iam.NewRole(ctx, "test", &iam.RoleArgs{
    			Name:             pulumi.String("role"),
    			AssumeRolePolicy: pulumi.String(assumeRole.Json),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cognito.NewUserPoolClient(ctx, "test", &cognito.UserPoolClientArgs{
    			Name:       pulumi.String("pool_client"),
    			UserPoolId: testUserPool.ID(),
    			AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
    				ApplicationId:  testApp.ApplicationId,
    				ExternalId:     pulumi.String("some_id"),
    				RoleArn:        testRole.Arn,
    				UserDataShared: pulumi.Bool(true),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
    		if err != nil {
    			return err
    		}
    		test := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
    			Statements: iam.GetPolicyDocumentStatementArray{
    				&iam.GetPolicyDocumentStatementArgs{
    					Effect: pulumi.String("Allow"),
    					Actions: pulumi.StringArray{
    						pulumi.String("mobiletargeting:UpdateEndpoint"),
    						pulumi.String("mobiletargeting:PutEvents"),
    					},
    					Resources: pulumi.StringArray{
    						testApp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
    							return fmt.Sprintf("arn:aws:mobiletargeting:*:%v:apps/%v*", current.AccountId, applicationId), nil
    						}).(pulumi.StringOutput),
    					},
    				},
    			},
    		}, nil)
    		_, err = iam.NewRolePolicy(ctx, "test", &iam.RolePolicyArgs{
    			Name: pulumi.String("role_policy"),
    			Role: testRole.ID(),
    			Policy: pulumi.String(test.ApplyT(func(test iam.GetPolicyDocumentResult) (*string, error) {
    				return &test.Json, nil
    			}).(pulumi.StringPtrOutput)),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var testUserPool = new Aws.Cognito.UserPool("test", new()
        {
            Name = "pool",
        });
    
        var testApp = new Aws.Pinpoint.App("test", new()
        {
            Name = "pinpoint",
        });
    
        var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "cognito-idp.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                },
            },
        });
    
        var testRole = new Aws.Iam.Role("test", new()
        {
            Name = "role",
            AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var testUserPoolClient = new Aws.Cognito.UserPoolClient("test", new()
        {
            Name = "pool_client",
            UserPoolId = testUserPool.Id,
            AnalyticsConfiguration = new Aws.Cognito.Inputs.UserPoolClientAnalyticsConfigurationArgs
            {
                ApplicationId = testApp.ApplicationId,
                ExternalId = "some_id",
                RoleArn = testRole.Arn,
                UserDataShared = true,
            },
        });
    
        var current = Aws.GetCallerIdentity.Invoke();
    
        var test = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Actions = new[]
                    {
                        "mobiletargeting:UpdateEndpoint",
                        "mobiletargeting:PutEvents",
                    },
                    Resources = new[]
                    {
                        $"arn:aws:mobiletargeting:*:{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:apps/{testApp.ApplicationId}*",
                    },
                },
            },
        });
    
        var testRolePolicy = new Aws.Iam.RolePolicy("test", new()
        {
            Name = "role_policy",
            Role = testRole.Id,
            Policy = test.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cognito.UserPool;
    import com.pulumi.aws.cognito.UserPoolArgs;
    import com.pulumi.aws.pinpoint.App;
    import com.pulumi.aws.pinpoint.AppArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.cognito.UserPoolClient;
    import com.pulumi.aws.cognito.UserPoolClientArgs;
    import com.pulumi.aws.cognito.inputs.UserPoolClientAnalyticsConfigurationArgs;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.iam.RolePolicy;
    import com.pulumi.aws.iam.RolePolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var testUserPool = new UserPool("testUserPool", UserPoolArgs.builder()
                .name("pool")
                .build());
    
            var testApp = new App("testApp", AppArgs.builder()
                .name("pinpoint")
                .build());
    
            final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cognito-idp.amazonaws.com")
                        .build())
                    .actions("sts:AssumeRole")
                    .build())
                .build());
    
            var testRole = new Role("testRole", RoleArgs.builder()
                .name("role")
                .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var testUserPoolClient = new UserPoolClient("testUserPoolClient", UserPoolClientArgs.builder()
                .name("pool_client")
                .userPoolId(testUserPool.id())
                .analyticsConfiguration(UserPoolClientAnalyticsConfigurationArgs.builder()
                    .applicationId(testApp.applicationId())
                    .externalId("some_id")
                    .roleArn(testRole.arn())
                    .userDataShared(true)
                    .build())
                .build());
    
            final var current = AwsFunctions.getCallerIdentity();
    
            final var test = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions(                
                        "mobiletargeting:UpdateEndpoint",
                        "mobiletargeting:PutEvents")
                    .resources(testApp.applicationId().applyValue(applicationId -> String.format("arn:aws:mobiletargeting:*:%s:apps/%s*", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()),applicationId)))
                    .build())
                .build());
    
            var testRolePolicy = new RolePolicy("testRolePolicy", RolePolicyArgs.builder()
                .name("role_policy")
                .role(testRole.id())
                .policy(test.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(test -> test.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
                .build());
    
        }
    }
    
    resources:
      testUserPoolClient:
        type: aws:cognito:UserPoolClient
        name: test
        properties:
          name: pool_client
          userPoolId: ${testUserPool.id}
          analyticsConfiguration:
            applicationId: ${testApp.applicationId}
            externalId: some_id
            roleArn: ${testRole.arn}
            userDataShared: true
      testUserPool:
        type: aws:cognito:UserPool
        name: test
        properties:
          name: pool
      testApp:
        type: aws:pinpoint:App
        name: test
        properties:
          name: pinpoint
      testRole:
        type: aws:iam:Role
        name: test
        properties:
          name: role
          assumeRolePolicy: ${assumeRole.json}
      testRolePolicy:
        type: aws:iam:RolePolicy
        name: test
        properties:
          name: role_policy
          role: ${testRole.id}
          policy: ${test.json}
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      assumeRole:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - cognito-idp.amazonaws.com
                actions:
                  - sts:AssumeRole
      test:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                actions:
                  - mobiletargeting:UpdateEndpoint
                  - mobiletargeting:PutEvents
                resources:
                  - arn:aws:mobiletargeting:*:${current.accountId}:apps/${testApp.applicationId}*
    

    Create a user pool client with Cognito as the identity provider

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const pool = new aws.cognito.UserPool("pool", {name: "pool"});
    const userpoolClient = new aws.cognito.UserPoolClient("userpool_client", {
        name: "client",
        userPoolId: pool.id,
        callbackUrls: ["https://example.com"],
        allowedOauthFlowsUserPoolClient: true,
        allowedOauthFlows: [
            "code",
            "implicit",
        ],
        allowedOauthScopes: [
            "email",
            "openid",
        ],
        supportedIdentityProviders: ["COGNITO"],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    pool = aws.cognito.UserPool("pool", name="pool")
    userpool_client = aws.cognito.UserPoolClient("userpool_client",
        name="client",
        user_pool_id=pool.id,
        callback_urls=["https://example.com"],
        allowed_oauth_flows_user_pool_client=True,
        allowed_oauth_flows=[
            "code",
            "implicit",
        ],
        allowed_oauth_scopes=[
            "email",
            "openid",
        ],
        supported_identity_providers=["COGNITO"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
    			Name: pulumi.String("pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cognito.NewUserPoolClient(ctx, "userpool_client", &cognito.UserPoolClientArgs{
    			Name:       pulumi.String("client"),
    			UserPoolId: pool.ID(),
    			CallbackUrls: pulumi.StringArray{
    				pulumi.String("https://example.com"),
    			},
    			AllowedOauthFlowsUserPoolClient: pulumi.Bool(true),
    			AllowedOauthFlows: pulumi.StringArray{
    				pulumi.String("code"),
    				pulumi.String("implicit"),
    			},
    			AllowedOauthScopes: pulumi.StringArray{
    				pulumi.String("email"),
    				pulumi.String("openid"),
    			},
    			SupportedIdentityProviders: pulumi.StringArray{
    				pulumi.String("COGNITO"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Aws.Cognito.UserPool("pool", new()
        {
            Name = "pool",
        });
    
        var userpoolClient = new Aws.Cognito.UserPoolClient("userpool_client", new()
        {
            Name = "client",
            UserPoolId = pool.Id,
            CallbackUrls = new[]
            {
                "https://example.com",
            },
            AllowedOauthFlowsUserPoolClient = true,
            AllowedOauthFlows = new[]
            {
                "code",
                "implicit",
            },
            AllowedOauthScopes = new[]
            {
                "email",
                "openid",
            },
            SupportedIdentityProviders = new[]
            {
                "COGNITO",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cognito.UserPool;
    import com.pulumi.aws.cognito.UserPoolArgs;
    import com.pulumi.aws.cognito.UserPoolClient;
    import com.pulumi.aws.cognito.UserPoolClientArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new UserPool("pool", UserPoolArgs.builder()
                .name("pool")
                .build());
    
            var userpoolClient = new UserPoolClient("userpoolClient", UserPoolClientArgs.builder()
                .name("client")
                .userPoolId(pool.id())
                .callbackUrls("https://example.com")
                .allowedOauthFlowsUserPoolClient(true)
                .allowedOauthFlows(            
                    "code",
                    "implicit")
                .allowedOauthScopes(            
                    "email",
                    "openid")
                .supportedIdentityProviders("COGNITO")
                .build());
    
        }
    }
    
    resources:
      userpoolClient:
        type: aws:cognito:UserPoolClient
        name: userpool_client
        properties:
          name: client
          userPoolId: ${pool.id}
          callbackUrls:
            - https://example.com
          allowedOauthFlowsUserPoolClient: true
          allowedOauthFlows:
            - code
            - implicit
          allowedOauthScopes:
            - email
            - openid
          supportedIdentityProviders:
            - COGNITO
      pool:
        type: aws:cognito:UserPool
        properties:
          name: pool
    

    Create UserPoolClient Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new UserPoolClient(name: string, args: UserPoolClientArgs, opts?: CustomResourceOptions);
    @overload
    def UserPoolClient(resource_name: str,
                       args: UserPoolClientArgs,
                       opts: Optional[ResourceOptions] = None)
    
    @overload
    def UserPoolClient(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       user_pool_id: Optional[str] = None,
                       explicit_auth_flows: Optional[Sequence[str]] = None,
                       auth_session_validity: Optional[int] = None,
                       generate_secret: Optional[bool] = None,
                       logout_urls: Optional[Sequence[str]] = None,
                       id_token_validity: Optional[int] = None,
                       callback_urls: Optional[Sequence[str]] = None,
                       default_redirect_uri: Optional[str] = None,
                       enable_propagate_additional_user_context_data: Optional[bool] = None,
                       enable_token_revocation: Optional[bool] = None,
                       access_token_validity: Optional[int] = None,
                       allowed_oauth_scopes: Optional[Sequence[str]] = None,
                       allowed_oauth_flows_user_pool_client: Optional[bool] = None,
                       analytics_configuration: Optional[UserPoolClientAnalyticsConfigurationArgs] = None,
                       name: Optional[str] = None,
                       prevent_user_existence_errors: Optional[str] = None,
                       read_attributes: Optional[Sequence[str]] = None,
                       refresh_token_validity: Optional[int] = None,
                       supported_identity_providers: Optional[Sequence[str]] = None,
                       token_validity_units: Optional[UserPoolClientTokenValidityUnitsArgs] = None,
                       allowed_oauth_flows: Optional[Sequence[str]] = None,
                       write_attributes: Optional[Sequence[str]] = None)
    func NewUserPoolClient(ctx *Context, name string, args UserPoolClientArgs, opts ...ResourceOption) (*UserPoolClient, error)
    public UserPoolClient(string name, UserPoolClientArgs args, CustomResourceOptions? opts = null)
    public UserPoolClient(String name, UserPoolClientArgs args)
    public UserPoolClient(String name, UserPoolClientArgs args, CustomResourceOptions options)
    
    type: aws:cognito:UserPoolClient
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args UserPoolClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args UserPoolClientArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args UserPoolClientArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args UserPoolClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args UserPoolClientArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var userPoolClientResource = new Aws.Cognito.UserPoolClient("userPoolClientResource", new()
    {
        UserPoolId = "string",
        ExplicitAuthFlows = new[]
        {
            "string",
        },
        AuthSessionValidity = 0,
        GenerateSecret = false,
        LogoutUrls = new[]
        {
            "string",
        },
        IdTokenValidity = 0,
        CallbackUrls = new[]
        {
            "string",
        },
        DefaultRedirectUri = "string",
        EnablePropagateAdditionalUserContextData = false,
        EnableTokenRevocation = false,
        AccessTokenValidity = 0,
        AllowedOauthScopes = new[]
        {
            "string",
        },
        AllowedOauthFlowsUserPoolClient = false,
        AnalyticsConfiguration = new Aws.Cognito.Inputs.UserPoolClientAnalyticsConfigurationArgs
        {
            ApplicationArn = "string",
            ApplicationId = "string",
            ExternalId = "string",
            RoleArn = "string",
            UserDataShared = false,
        },
        Name = "string",
        PreventUserExistenceErrors = "string",
        ReadAttributes = new[]
        {
            "string",
        },
        RefreshTokenValidity = 0,
        SupportedIdentityProviders = new[]
        {
            "string",
        },
        TokenValidityUnits = new Aws.Cognito.Inputs.UserPoolClientTokenValidityUnitsArgs
        {
            AccessToken = "string",
            IdToken = "string",
            RefreshToken = "string",
        },
        AllowedOauthFlows = new[]
        {
            "string",
        },
        WriteAttributes = new[]
        {
            "string",
        },
    });
    
    example, err := cognito.NewUserPoolClient(ctx, "userPoolClientResource", &cognito.UserPoolClientArgs{
    	UserPoolId: pulumi.String("string"),
    	ExplicitAuthFlows: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AuthSessionValidity: pulumi.Int(0),
    	GenerateSecret:      pulumi.Bool(false),
    	LogoutUrls: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	IdTokenValidity: pulumi.Int(0),
    	CallbackUrls: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	DefaultRedirectUri:                       pulumi.String("string"),
    	EnablePropagateAdditionalUserContextData: pulumi.Bool(false),
    	EnableTokenRevocation:                    pulumi.Bool(false),
    	AccessTokenValidity:                      pulumi.Int(0),
    	AllowedOauthScopes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AllowedOauthFlowsUserPoolClient: pulumi.Bool(false),
    	AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
    		ApplicationArn: pulumi.String("string"),
    		ApplicationId:  pulumi.String("string"),
    		ExternalId:     pulumi.String("string"),
    		RoleArn:        pulumi.String("string"),
    		UserDataShared: pulumi.Bool(false),
    	},
    	Name:                       pulumi.String("string"),
    	PreventUserExistenceErrors: pulumi.String("string"),
    	ReadAttributes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	RefreshTokenValidity: pulumi.Int(0),
    	SupportedIdentityProviders: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	TokenValidityUnits: &cognito.UserPoolClientTokenValidityUnitsArgs{
    		AccessToken:  pulumi.String("string"),
    		IdToken:      pulumi.String("string"),
    		RefreshToken: pulumi.String("string"),
    	},
    	AllowedOauthFlows: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	WriteAttributes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    })
    
    var userPoolClientResource = new UserPoolClient("userPoolClientResource", UserPoolClientArgs.builder()
        .userPoolId("string")
        .explicitAuthFlows("string")
        .authSessionValidity(0)
        .generateSecret(false)
        .logoutUrls("string")
        .idTokenValidity(0)
        .callbackUrls("string")
        .defaultRedirectUri("string")
        .enablePropagateAdditionalUserContextData(false)
        .enableTokenRevocation(false)
        .accessTokenValidity(0)
        .allowedOauthScopes("string")
        .allowedOauthFlowsUserPoolClient(false)
        .analyticsConfiguration(UserPoolClientAnalyticsConfigurationArgs.builder()
            .applicationArn("string")
            .applicationId("string")
            .externalId("string")
            .roleArn("string")
            .userDataShared(false)
            .build())
        .name("string")
        .preventUserExistenceErrors("string")
        .readAttributes("string")
        .refreshTokenValidity(0)
        .supportedIdentityProviders("string")
        .tokenValidityUnits(UserPoolClientTokenValidityUnitsArgs.builder()
            .accessToken("string")
            .idToken("string")
            .refreshToken("string")
            .build())
        .allowedOauthFlows("string")
        .writeAttributes("string")
        .build());
    
    user_pool_client_resource = aws.cognito.UserPoolClient("userPoolClientResource",
        user_pool_id="string",
        explicit_auth_flows=["string"],
        auth_session_validity=0,
        generate_secret=False,
        logout_urls=["string"],
        id_token_validity=0,
        callback_urls=["string"],
        default_redirect_uri="string",
        enable_propagate_additional_user_context_data=False,
        enable_token_revocation=False,
        access_token_validity=0,
        allowed_oauth_scopes=["string"],
        allowed_oauth_flows_user_pool_client=False,
        analytics_configuration={
            "application_arn": "string",
            "application_id": "string",
            "external_id": "string",
            "role_arn": "string",
            "user_data_shared": False,
        },
        name="string",
        prevent_user_existence_errors="string",
        read_attributes=["string"],
        refresh_token_validity=0,
        supported_identity_providers=["string"],
        token_validity_units={
            "access_token": "string",
            "id_token": "string",
            "refresh_token": "string",
        },
        allowed_oauth_flows=["string"],
        write_attributes=["string"])
    
    const userPoolClientResource = new aws.cognito.UserPoolClient("userPoolClientResource", {
        userPoolId: "string",
        explicitAuthFlows: ["string"],
        authSessionValidity: 0,
        generateSecret: false,
        logoutUrls: ["string"],
        idTokenValidity: 0,
        callbackUrls: ["string"],
        defaultRedirectUri: "string",
        enablePropagateAdditionalUserContextData: false,
        enableTokenRevocation: false,
        accessTokenValidity: 0,
        allowedOauthScopes: ["string"],
        allowedOauthFlowsUserPoolClient: false,
        analyticsConfiguration: {
            applicationArn: "string",
            applicationId: "string",
            externalId: "string",
            roleArn: "string",
            userDataShared: false,
        },
        name: "string",
        preventUserExistenceErrors: "string",
        readAttributes: ["string"],
        refreshTokenValidity: 0,
        supportedIdentityProviders: ["string"],
        tokenValidityUnits: {
            accessToken: "string",
            idToken: "string",
            refreshToken: "string",
        },
        allowedOauthFlows: ["string"],
        writeAttributes: ["string"],
    });
    
    type: aws:cognito:UserPoolClient
    properties:
        accessTokenValidity: 0
        allowedOauthFlows:
            - string
        allowedOauthFlowsUserPoolClient: false
        allowedOauthScopes:
            - string
        analyticsConfiguration:
            applicationArn: string
            applicationId: string
            externalId: string
            roleArn: string
            userDataShared: false
        authSessionValidity: 0
        callbackUrls:
            - string
        defaultRedirectUri: string
        enablePropagateAdditionalUserContextData: false
        enableTokenRevocation: false
        explicitAuthFlows:
            - string
        generateSecret: false
        idTokenValidity: 0
        logoutUrls:
            - string
        name: string
        preventUserExistenceErrors: string
        readAttributes:
            - string
        refreshTokenValidity: 0
        supportedIdentityProviders:
            - string
        tokenValidityUnits:
            accessToken: string
            idToken: string
            refreshToken: string
        userPoolId: string
        writeAttributes:
            - string
    

    UserPoolClient Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The UserPoolClient resource accepts the following input properties:

    UserPoolId string

    User pool the client belongs to.

    The following arguments are optional:

    AccessTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    AllowedOauthFlows List<string>
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AllowedOauthFlowsUserPoolClient bool
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    AllowedOauthScopes List<string>
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AnalyticsConfiguration UserPoolClientAnalyticsConfiguration
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    AuthSessionValidity int
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    CallbackUrls List<string>
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    DefaultRedirectUri string
    Default redirect URI and must be included in the list of callback URLs.
    EnablePropagateAdditionalUserContextData bool
    Enables the propagation of additional user context data.
    EnableTokenRevocation bool
    Enables or disables token revocation.
    ExplicitAuthFlows List<string>
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    GenerateSecret bool
    Boolean flag indicating whether an application secret should be generated.
    IdTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    LogoutUrls List<string>
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    Name string
    Name of the application client.
    PreventUserExistenceErrors string
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    ReadAttributes List<string>
    List of user pool attributes that the application client can read from.
    RefreshTokenValidity int
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    SupportedIdentityProviders List<string>
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    TokenValidityUnits UserPoolClientTokenValidityUnits
    Configuration block for representing the validity times in units. See details below. Detailed below.
    WriteAttributes List<string>
    List of user pool attributes that the application client can write to.
    UserPoolId string

    User pool the client belongs to.

    The following arguments are optional:

    AccessTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    AllowedOauthFlows []string
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AllowedOauthFlowsUserPoolClient bool
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    AllowedOauthScopes []string
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AnalyticsConfiguration UserPoolClientAnalyticsConfigurationArgs
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    AuthSessionValidity int
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    CallbackUrls []string
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    DefaultRedirectUri string
    Default redirect URI and must be included in the list of callback URLs.
    EnablePropagateAdditionalUserContextData bool
    Enables the propagation of additional user context data.
    EnableTokenRevocation bool
    Enables or disables token revocation.
    ExplicitAuthFlows []string
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    GenerateSecret bool
    Boolean flag indicating whether an application secret should be generated.
    IdTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    LogoutUrls []string
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    Name string
    Name of the application client.
    PreventUserExistenceErrors string
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    ReadAttributes []string
    List of user pool attributes that the application client can read from.
    RefreshTokenValidity int
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    SupportedIdentityProviders []string
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    TokenValidityUnits UserPoolClientTokenValidityUnitsArgs
    Configuration block for representing the validity times in units. See details below. Detailed below.
    WriteAttributes []string
    List of user pool attributes that the application client can write to.
    userPoolId String

    User pool the client belongs to.

    The following arguments are optional:

    accessTokenValidity Integer
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowedOauthFlows List<String>
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowedOauthFlowsUserPoolClient Boolean
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowedOauthScopes List<String>
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analyticsConfiguration UserPoolClientAnalyticsConfiguration
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    authSessionValidity Integer
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callbackUrls List<String>
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    defaultRedirectUri String
    Default redirect URI and must be included in the list of callback URLs.
    enablePropagateAdditionalUserContextData Boolean
    Enables the propagation of additional user context data.
    enableTokenRevocation Boolean
    Enables or disables token revocation.
    explicitAuthFlows List<String>
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generateSecret Boolean
    Boolean flag indicating whether an application secret should be generated.
    idTokenValidity Integer
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logoutUrls List<String>
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name String
    Name of the application client.
    preventUserExistenceErrors String
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    readAttributes List<String>
    List of user pool attributes that the application client can read from.
    refreshTokenValidity Integer
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supportedIdentityProviders List<String>
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    tokenValidityUnits UserPoolClientTokenValidityUnits
    Configuration block for representing the validity times in units. See details below. Detailed below.
    writeAttributes List<String>
    List of user pool attributes that the application client can write to.
    userPoolId string

    User pool the client belongs to.

    The following arguments are optional:

    accessTokenValidity number
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowedOauthFlows string[]
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowedOauthFlowsUserPoolClient boolean
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowedOauthScopes string[]
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analyticsConfiguration UserPoolClientAnalyticsConfiguration
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    authSessionValidity number
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callbackUrls string[]
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    defaultRedirectUri string
    Default redirect URI and must be included in the list of callback URLs.
    enablePropagateAdditionalUserContextData boolean
    Enables the propagation of additional user context data.
    enableTokenRevocation boolean
    Enables or disables token revocation.
    explicitAuthFlows string[]
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generateSecret boolean
    Boolean flag indicating whether an application secret should be generated.
    idTokenValidity number
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logoutUrls string[]
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name string
    Name of the application client.
    preventUserExistenceErrors string
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    readAttributes string[]
    List of user pool attributes that the application client can read from.
    refreshTokenValidity number
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supportedIdentityProviders string[]
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    tokenValidityUnits UserPoolClientTokenValidityUnits
    Configuration block for representing the validity times in units. See details below. Detailed below.
    writeAttributes string[]
    List of user pool attributes that the application client can write to.
    user_pool_id str

    User pool the client belongs to.

    The following arguments are optional:

    access_token_validity int
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowed_oauth_flows Sequence[str]
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowed_oauth_flows_user_pool_client bool
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowed_oauth_scopes Sequence[str]
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analytics_configuration UserPoolClientAnalyticsConfigurationArgs
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    auth_session_validity int
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callback_urls Sequence[str]
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    default_redirect_uri str
    Default redirect URI and must be included in the list of callback URLs.
    enable_propagate_additional_user_context_data bool
    Enables the propagation of additional user context data.
    enable_token_revocation bool
    Enables or disables token revocation.
    explicit_auth_flows Sequence[str]
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generate_secret bool
    Boolean flag indicating whether an application secret should be generated.
    id_token_validity int
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logout_urls Sequence[str]
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name str
    Name of the application client.
    prevent_user_existence_errors str
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    read_attributes Sequence[str]
    List of user pool attributes that the application client can read from.
    refresh_token_validity int
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supported_identity_providers Sequence[str]
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    token_validity_units UserPoolClientTokenValidityUnitsArgs
    Configuration block for representing the validity times in units. See details below. Detailed below.
    write_attributes Sequence[str]
    List of user pool attributes that the application client can write to.
    userPoolId String

    User pool the client belongs to.

    The following arguments are optional:

    accessTokenValidity Number
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowedOauthFlows List<String>
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowedOauthFlowsUserPoolClient Boolean
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowedOauthScopes List<String>
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analyticsConfiguration Property Map
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    authSessionValidity Number
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callbackUrls List<String>
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    defaultRedirectUri String
    Default redirect URI and must be included in the list of callback URLs.
    enablePropagateAdditionalUserContextData Boolean
    Enables the propagation of additional user context data.
    enableTokenRevocation Boolean
    Enables or disables token revocation.
    explicitAuthFlows List<String>
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generateSecret Boolean
    Boolean flag indicating whether an application secret should be generated.
    idTokenValidity Number
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logoutUrls List<String>
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name String
    Name of the application client.
    preventUserExistenceErrors String
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    readAttributes List<String>
    List of user pool attributes that the application client can read from.
    refreshTokenValidity Number
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supportedIdentityProviders List<String>
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    tokenValidityUnits Property Map
    Configuration block for representing the validity times in units. See details below. Detailed below.
    writeAttributes List<String>
    List of user pool attributes that the application client can write to.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the UserPoolClient resource produces the following output properties:

    ClientSecret string
    Client secret of the user pool client.
    Id string
    The provider-assigned unique ID for this managed resource.
    ClientSecret string
    Client secret of the user pool client.
    Id string
    The provider-assigned unique ID for this managed resource.
    clientSecret String
    Client secret of the user pool client.
    id String
    The provider-assigned unique ID for this managed resource.
    clientSecret string
    Client secret of the user pool client.
    id string
    The provider-assigned unique ID for this managed resource.
    client_secret str
    Client secret of the user pool client.
    id str
    The provider-assigned unique ID for this managed resource.
    clientSecret String
    Client secret of the user pool client.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing UserPoolClient Resource

    Get an existing UserPoolClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: UserPoolClientState, opts?: CustomResourceOptions): UserPoolClient
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_token_validity: Optional[int] = None,
            allowed_oauth_flows: Optional[Sequence[str]] = None,
            allowed_oauth_flows_user_pool_client: Optional[bool] = None,
            allowed_oauth_scopes: Optional[Sequence[str]] = None,
            analytics_configuration: Optional[UserPoolClientAnalyticsConfigurationArgs] = None,
            auth_session_validity: Optional[int] = None,
            callback_urls: Optional[Sequence[str]] = None,
            client_secret: Optional[str] = None,
            default_redirect_uri: Optional[str] = None,
            enable_propagate_additional_user_context_data: Optional[bool] = None,
            enable_token_revocation: Optional[bool] = None,
            explicit_auth_flows: Optional[Sequence[str]] = None,
            generate_secret: Optional[bool] = None,
            id_token_validity: Optional[int] = None,
            logout_urls: Optional[Sequence[str]] = None,
            name: Optional[str] = None,
            prevent_user_existence_errors: Optional[str] = None,
            read_attributes: Optional[Sequence[str]] = None,
            refresh_token_validity: Optional[int] = None,
            supported_identity_providers: Optional[Sequence[str]] = None,
            token_validity_units: Optional[UserPoolClientTokenValidityUnitsArgs] = None,
            user_pool_id: Optional[str] = None,
            write_attributes: Optional[Sequence[str]] = None) -> UserPoolClient
    func GetUserPoolClient(ctx *Context, name string, id IDInput, state *UserPoolClientState, opts ...ResourceOption) (*UserPoolClient, error)
    public static UserPoolClient Get(string name, Input<string> id, UserPoolClientState? state, CustomResourceOptions? opts = null)
    public static UserPoolClient get(String name, Output<String> id, UserPoolClientState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    AllowedOauthFlows List<string>
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AllowedOauthFlowsUserPoolClient bool
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    AllowedOauthScopes List<string>
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AnalyticsConfiguration UserPoolClientAnalyticsConfiguration
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    AuthSessionValidity int
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    CallbackUrls List<string>
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    ClientSecret string
    Client secret of the user pool client.
    DefaultRedirectUri string
    Default redirect URI and must be included in the list of callback URLs.
    EnablePropagateAdditionalUserContextData bool
    Enables the propagation of additional user context data.
    EnableTokenRevocation bool
    Enables or disables token revocation.
    ExplicitAuthFlows List<string>
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    GenerateSecret bool
    Boolean flag indicating whether an application secret should be generated.
    IdTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    LogoutUrls List<string>
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    Name string
    Name of the application client.
    PreventUserExistenceErrors string
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    ReadAttributes List<string>
    List of user pool attributes that the application client can read from.
    RefreshTokenValidity int
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    SupportedIdentityProviders List<string>
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    TokenValidityUnits UserPoolClientTokenValidityUnits
    Configuration block for representing the validity times in units. See details below. Detailed below.
    UserPoolId string

    User pool the client belongs to.

    The following arguments are optional:

    WriteAttributes List<string>
    List of user pool attributes that the application client can write to.
    AccessTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    AllowedOauthFlows []string
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AllowedOauthFlowsUserPoolClient bool
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    AllowedOauthScopes []string
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    AnalyticsConfiguration UserPoolClientAnalyticsConfigurationArgs
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    AuthSessionValidity int
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    CallbackUrls []string
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    ClientSecret string
    Client secret of the user pool client.
    DefaultRedirectUri string
    Default redirect URI and must be included in the list of callback URLs.
    EnablePropagateAdditionalUserContextData bool
    Enables the propagation of additional user context data.
    EnableTokenRevocation bool
    Enables or disables token revocation.
    ExplicitAuthFlows []string
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    GenerateSecret bool
    Boolean flag indicating whether an application secret should be generated.
    IdTokenValidity int
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    LogoutUrls []string
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    Name string
    Name of the application client.
    PreventUserExistenceErrors string
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    ReadAttributes []string
    List of user pool attributes that the application client can read from.
    RefreshTokenValidity int
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    SupportedIdentityProviders []string
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    TokenValidityUnits UserPoolClientTokenValidityUnitsArgs
    Configuration block for representing the validity times in units. See details below. Detailed below.
    UserPoolId string

    User pool the client belongs to.

    The following arguments are optional:

    WriteAttributes []string
    List of user pool attributes that the application client can write to.
    accessTokenValidity Integer
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowedOauthFlows List<String>
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowedOauthFlowsUserPoolClient Boolean
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowedOauthScopes List<String>
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analyticsConfiguration UserPoolClientAnalyticsConfiguration
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    authSessionValidity Integer
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callbackUrls List<String>
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    clientSecret String
    Client secret of the user pool client.
    defaultRedirectUri String
    Default redirect URI and must be included in the list of callback URLs.
    enablePropagateAdditionalUserContextData Boolean
    Enables the propagation of additional user context data.
    enableTokenRevocation Boolean
    Enables or disables token revocation.
    explicitAuthFlows List<String>
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generateSecret Boolean
    Boolean flag indicating whether an application secret should be generated.
    idTokenValidity Integer
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logoutUrls List<String>
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name String
    Name of the application client.
    preventUserExistenceErrors String
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    readAttributes List<String>
    List of user pool attributes that the application client can read from.
    refreshTokenValidity Integer
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supportedIdentityProviders List<String>
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    tokenValidityUnits UserPoolClientTokenValidityUnits
    Configuration block for representing the validity times in units. See details below. Detailed below.
    userPoolId String

    User pool the client belongs to.

    The following arguments are optional:

    writeAttributes List<String>
    List of user pool attributes that the application client can write to.
    accessTokenValidity number
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowedOauthFlows string[]
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowedOauthFlowsUserPoolClient boolean
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowedOauthScopes string[]
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analyticsConfiguration UserPoolClientAnalyticsConfiguration
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    authSessionValidity number
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callbackUrls string[]
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    clientSecret string
    Client secret of the user pool client.
    defaultRedirectUri string
    Default redirect URI and must be included in the list of callback URLs.
    enablePropagateAdditionalUserContextData boolean
    Enables the propagation of additional user context data.
    enableTokenRevocation boolean
    Enables or disables token revocation.
    explicitAuthFlows string[]
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generateSecret boolean
    Boolean flag indicating whether an application secret should be generated.
    idTokenValidity number
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logoutUrls string[]
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name string
    Name of the application client.
    preventUserExistenceErrors string
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    readAttributes string[]
    List of user pool attributes that the application client can read from.
    refreshTokenValidity number
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supportedIdentityProviders string[]
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    tokenValidityUnits UserPoolClientTokenValidityUnits
    Configuration block for representing the validity times in units. See details below. Detailed below.
    userPoolId string

    User pool the client belongs to.

    The following arguments are optional:

    writeAttributes string[]
    List of user pool attributes that the application client can write to.
    access_token_validity int
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowed_oauth_flows Sequence[str]
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowed_oauth_flows_user_pool_client bool
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowed_oauth_scopes Sequence[str]
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analytics_configuration UserPoolClientAnalyticsConfigurationArgs
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    auth_session_validity int
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callback_urls Sequence[str]
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    client_secret str
    Client secret of the user pool client.
    default_redirect_uri str
    Default redirect URI and must be included in the list of callback URLs.
    enable_propagate_additional_user_context_data bool
    Enables the propagation of additional user context data.
    enable_token_revocation bool
    Enables or disables token revocation.
    explicit_auth_flows Sequence[str]
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generate_secret bool
    Boolean flag indicating whether an application secret should be generated.
    id_token_validity int
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logout_urls Sequence[str]
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name str
    Name of the application client.
    prevent_user_existence_errors str
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    read_attributes Sequence[str]
    List of user pool attributes that the application client can read from.
    refresh_token_validity int
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supported_identity_providers Sequence[str]
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    token_validity_units UserPoolClientTokenValidityUnitsArgs
    Configuration block for representing the validity times in units. See details below. Detailed below.
    user_pool_id str

    User pool the client belongs to.

    The following arguments are optional:

    write_attributes Sequence[str]
    List of user pool attributes that the application client can write to.
    accessTokenValidity Number
    Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.access_token.
    allowedOauthFlows List<String>
    List of allowed OAuth flows, including code, implicit, and client_credentials. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    allowedOauthFlowsUserPoolClient Boolean
    Whether the client is allowed to use OAuth 2.0 features. allowed_oauth_flows_user_pool_client must be set to true before you can configure the following arguments: callback_urls, logout_urls, allowed_oauth_scopes and allowed_oauth_flows.
    allowedOauthScopes List<String>
    List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    analyticsConfiguration Property Map
    Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
    authSessionValidity Number
    Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for auth_session_validity are between 3 and 15, with a default value of 3.
    callbackUrls List<String>
    List of allowed callback URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    clientSecret String
    Client secret of the user pool client.
    defaultRedirectUri String
    Default redirect URI and must be included in the list of callback URLs.
    enablePropagateAdditionalUserContextData Boolean
    Enables the propagation of additional user context data.
    enableTokenRevocation Boolean
    Enables or disables token revocation.
    explicitAuthFlows List<String>
    List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
    generateSecret Boolean
    Boolean flag indicating whether an application secret should be generated.
    idTokenValidity Number
    Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in token_validity_units.id_token.
    logoutUrls List<String>
    List of allowed logout URLs for the identity providers. allowed_oauth_flows_user_pool_client must be set to true before you can configure this option.
    name String
    Name of the application client.
    preventUserExistenceErrors String
    Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
    readAttributes List<String>
    List of user pool attributes that the application client can read from.
    refreshTokenValidity Number
    Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in token_validity_units.refresh_token.
    supportedIdentityProviders List<String>
    List of provider names for the identity providers that are supported on this client. It uses the provider_name attribute of the aws.cognito.IdentityProvider resource(s), or the equivalent string(s).
    tokenValidityUnits Property Map
    Configuration block for representing the validity times in units. See details below. Detailed below.
    userPoolId String

    User pool the client belongs to.

    The following arguments are optional:

    writeAttributes List<String>
    List of user pool attributes that the application client can write to.

    Supporting Types

    UserPoolClientAnalyticsConfiguration, UserPoolClientAnalyticsConfigurationArgs

    ApplicationArn string
    Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
    ApplicationId string
    Application ID for an Amazon Pinpoint application.
    ExternalId string
    ID for the Analytics Configuration. Conflicts with application_arn.
    RoleArn string
    ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
    UserDataShared bool
    If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
    ApplicationArn string
    Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
    ApplicationId string
    Application ID for an Amazon Pinpoint application.
    ExternalId string
    ID for the Analytics Configuration. Conflicts with application_arn.
    RoleArn string
    ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
    UserDataShared bool
    If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
    applicationArn String
    Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
    applicationId String
    Application ID for an Amazon Pinpoint application.
    externalId String
    ID for the Analytics Configuration. Conflicts with application_arn.
    roleArn String
    ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
    userDataShared Boolean
    If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
    applicationArn string
    Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
    applicationId string
    Application ID for an Amazon Pinpoint application.
    externalId string
    ID for the Analytics Configuration. Conflicts with application_arn.
    roleArn string
    ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
    userDataShared boolean
    If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
    application_arn str
    Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
    application_id str
    Application ID for an Amazon Pinpoint application.
    external_id str
    ID for the Analytics Configuration. Conflicts with application_arn.
    role_arn str
    ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
    user_data_shared bool
    If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
    applicationArn String
    Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
    applicationId String
    Application ID for an Amazon Pinpoint application.
    externalId String
    ID for the Analytics Configuration. Conflicts with application_arn.
    roleArn String
    ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
    userDataShared Boolean
    If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

    UserPoolClientTokenValidityUnits, UserPoolClientTokenValidityUnitsArgs

    AccessToken string
    Time unit in for the value in access_token_validity, defaults to hours.
    IdToken string
    Time unit in for the value in id_token_validity, defaults to hours.
    RefreshToken string
    Time unit in for the value in refresh_token_validity, defaults to days.
    AccessToken string
    Time unit in for the value in access_token_validity, defaults to hours.
    IdToken string
    Time unit in for the value in id_token_validity, defaults to hours.
    RefreshToken string
    Time unit in for the value in refresh_token_validity, defaults to days.
    accessToken String
    Time unit in for the value in access_token_validity, defaults to hours.
    idToken String
    Time unit in for the value in id_token_validity, defaults to hours.
    refreshToken String
    Time unit in for the value in refresh_token_validity, defaults to days.
    accessToken string
    Time unit in for the value in access_token_validity, defaults to hours.
    idToken string
    Time unit in for the value in id_token_validity, defaults to hours.
    refreshToken string
    Time unit in for the value in refresh_token_validity, defaults to days.
    access_token str
    Time unit in for the value in access_token_validity, defaults to hours.
    id_token str
    Time unit in for the value in id_token_validity, defaults to hours.
    refresh_token str
    Time unit in for the value in refresh_token_validity, defaults to days.
    accessToken String
    Time unit in for the value in access_token_validity, defaults to hours.
    idToken String
    Time unit in for the value in id_token_validity, defaults to hours.
    refreshToken String
    Time unit in for the value in refresh_token_validity, defaults to days.

    Import

    Using pulumi import, import Cognito User Pool Clients using the id of the Cognito User Pool, and the id of the Cognito User Pool Client. For example:

    $ pulumi import aws:cognito/userPoolClient:UserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v6.64.0 published on Friday, Dec 6, 2024 by Pulumi