2017/11/29 - Amazon Cognito Identity Provider - 11 new 18 updated api methods
Gets the user pool multi-factor authentication (MFA) configuration.
See also: AWS API Documentation
Request Syntax
client.get_user_pool_mfa_config(
UserPoolId='string'
)
string
[REQUIRED]
The user pool ID.
dict
Response Syntax
{
'SmsMfaConfiguration': {
'SmsAuthenticationMessage': 'string',
'SmsConfiguration': {
'SnsCallerArn': 'string',
'ExternalId': 'string'
}
},
'SoftwareTokenMfaConfiguration': {
'Enabled': True|False
},
'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL'
}
Response Structure
(dict) --
SmsMfaConfiguration (dict) --
The SMS text message multi-factor (MFA) configuration.
SmsAuthenticationMessage (string) --
The SMS authentication message.
SmsConfiguration (dict) --
The SMS configuration.
SnsCallerArn (string) --
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
SoftwareTokenMfaConfiguration (dict) --
The software token multi-factor (MFA) configuration.
Enabled (boolean) --
Specifies whether software token MFA is enabled.
MfaConfiguration (string) --
The multi-factor (MFA) configuration.
Describes the risk configuration.
See also: AWS API Documentation
Request Syntax
client.describe_risk_configuration(
UserPoolId='string',
ClientId='string'
)
string
[REQUIRED]
The user pool ID.
string
The app client ID.
dict
Response Syntax
{
'RiskConfiguration': {
'UserPoolId': 'string',
'ClientId': 'string',
'CompromisedCredentialsRiskConfiguration': {
'EventFilter': [
'SIGN_IN'|'PASSWORD_CHANGE'|'SIGN_UP',
],
'Actions': {
'EventAction': 'BLOCK'|'NO_ACTION'
}
},
'AccountTakeoverRiskConfiguration': {
'NotifyConfiguration': {
'From': 'string',
'ReplyTo': 'string',
'SourceArn': 'string',
'BlockEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
},
'NoActionEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
},
'MfaEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
}
},
'Actions': {
'LowAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
},
'MediumAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
},
'HighAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
}
}
},
'RiskExceptionConfiguration': {
'BlockedIPRangeList': [
'string',
],
'SkippedIPRangeList': [
'string',
]
},
'LastModifiedDate': datetime(2015, 1, 1)
}
}
Response Structure
(dict) --
RiskConfiguration (dict) --
The risk configuration.
UserPoolId (string) --
The user pool ID.
ClientId (string) --
The app client ID.
CompromisedCredentialsRiskConfiguration (dict) --
The compromised credentials risk configuration object including the EventFilter and the EventAction
EventFilter (list) --
Perform the action for these events. The default is to perform all events if no event filter is specified.
(string) --
Actions (dict) --
The compromised credentials risk configuration actions.
EventAction (string) --
The event action.
AccountTakeoverRiskConfiguration (dict) --
The account takeover risk configuration object including the NotifyConfiguration object and Actions to take in the case of an account takeover.
NotifyConfiguration (dict) --
The notify configuration used to construct email notifications.
From (string) --
The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.
ReplyTo (string) --
The destination to which the receiver of an email should reply to.
SourceArn (string) --
The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.
BlockEmail (dict) --
Email template used when a detected risk event is blocked.
Subject (string) --
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
NoActionEmail (dict) --
The email template used when a detected risk event is allowed.
Subject (string) --
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
MfaEmail (dict) --
The MFA email template used when MFA is challenged as part of a detected risk.
Subject (string) --
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
Actions (dict) --
Account takeover risk configuration actions
LowAction (dict) --
Action to take for a low risk.
Notify (boolean) --
Flag specifying whether to send a notification.
EventAction (string) --
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
MediumAction (dict) --
Action to take for a medium risk.
Notify (boolean) --
Flag specifying whether to send a notification.
EventAction (string) --
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
HighAction (dict) --
Action to take for a high risk.
Notify (boolean) --
Flag specifying whether to send a notification.
EventAction (string) --
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
RiskExceptionConfiguration (dict) --
The configuration to override the risk decision.
BlockedIPRangeList (list) --
Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation: a compact representation of an IP address and its associated routing prefix.
(string) --
SkippedIPRangeList (list) --
Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR notation.
(string) --
LastModifiedDate (datetime) --
The last modified date.
Provides feedback for an authentication event as to whether it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
See also: AWS API Documentation
Request Syntax
client.admin_update_auth_event_feedback(
UserPoolId='string',
Username='string',
EventId='string',
FeedbackValue='Valid'|'Invalid'
)
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The user pool username.
string
[REQUIRED]
The authentication event ID.
string
[REQUIRED]
The authentication event feedback value.
dict
Response Syntax
{}
Response Structure
(dict) --
Returns a unique generated shared secret key code for the user account. The request takes an access token or a session string, but not both.
See also: AWS API Documentation
Request Syntax
client.associate_software_token(
AccessToken='string',
Session='string'
)
string
The access token.
string
The session which should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process.
dict
Response Syntax
{
'SecretCode': 'string',
'Session': 'string'
}
Response Structure
(dict) --
SecretCode (string) --
A unique generated shared secret code that is used in the TOTP algorithm to generate a one time code.
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process.
Sets the user's multi-factor authentication (MFA) preference.
See also: AWS API Documentation
Request Syntax
client.admin_set_user_mfa_preference(
SMSMfaSettings={
'Enabled': True|False,
'PreferredMfa': True|False
},
SoftwareTokenMfaSettings={
'Enabled': True|False,
'PreferredMfa': True|False
},
Username='string',
UserPoolId='string'
)
dict
The SMS text message MFA settings.
Enabled (boolean) --
Specifies whether SMS text message MFA is enabled.
PreferredMfa (boolean) --
The preferred MFA method.
dict
The time-based one-time password software token MFA settings.
Enabled (boolean) --
Specifies whether software token MFA is enabled.
PreferredMfa (boolean) --
The preferred MFA method.
string
[REQUIRED]
The user pool username.
string
[REQUIRED]
The user pool ID.
dict
Response Syntax
{}
Response Structure
(dict) --
Lists a history of user activity and any risks detected as part of Amazon Cognito advanced security.
See also: AWS API Documentation
Request Syntax
client.admin_list_user_auth_events(
UserPoolId='string',
Username='string',
MaxResults=123,
NextToken='string'
)
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The user pool username.
integer
The maximum number of authentication events to return.
string
A pagination token.
dict
Response Syntax
{
'AuthEvents': [
{
'EventId': 'string',
'EventType': 'SignIn'|'SignUp'|'ForgotPassword',
'CreationDate': datetime(2015, 1, 1),
'EventResponse': 'Success'|'Failure',
'EventRisk': {
'RiskDecision': 'NoRisk'|'AccountTakeover'|'Block',
'RiskLevel': 'Low'|'Medium'|'High'
},
'ChallengeResponses': [
{
'ChallengeName': 'Password'|'Mfa',
'ChallengeResponse': 'Success'|'Failure'
},
],
'EventContextData': {
'IpAddress': 'string',
'DeviceName': 'string',
'Timezone': 'string',
'City': 'string',
'Country': 'string'
},
'EventFeedback': {
'FeedbackValue': 'Valid'|'Invalid',
'Provider': 'string',
'FeedbackDate': datetime(2015, 1, 1)
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
AuthEvents (list) --
The response object. It includes the EventID , EventType , CreationDate , EventRisk , and EventResponse .
(dict) --
The authentication event type.
EventId (string) --
The event ID.
EventType (string) --
The event type.
CreationDate (datetime) --
The creation date
EventResponse (string) --
The event response.
EventRisk (dict) --
The event risk.
RiskDecision (string) --
The risk decision.
RiskLevel (string) --
The risk level.
ChallengeResponses (list) --
The challenge responses.
(dict) --
The challenge response type.
ChallengeName (string) --
The challenge name
ChallengeResponse (string) --
The challenge response.
EventContextData (dict) --
The user context data captured at the time of an event request. It provides additional information about the client from which event the request is received.
IpAddress (string) --
The user's IP address.
DeviceName (string) --
The user's device name.
Timezone (string) --
The user's time zone.
City (string) --
The user's city.
Country (string) --
The user's country.
EventFeedback (dict) --
A flag specifying the user feedback captured at the time of an event request is good or bad.
FeedbackValue (string) --
The event feedback value.
Provider (string) --
The provider.
FeedbackDate (datetime) --
The event feedback date.
NextToken (string) --
A pagination token.
Provides the feedback for an authentication event whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
See also: AWS API Documentation
Request Syntax
client.update_auth_event_feedback(
UserPoolId='string',
Username='string',
EventId='string',
FeedbackToken='string',
FeedbackValue='Valid'|'Invalid'
)
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The user pool username.
string
[REQUIRED]
The event ID.
string
[REQUIRED]
The feedback token.
string
[REQUIRED]
The authentication event feedback value.
dict
Response Syntax
{}
Response Structure
(dict) --
Set the user's multi-factor authentication (MFA) method preference.
See also: AWS API Documentation
Request Syntax
client.set_user_mfa_preference(
SMSMfaSettings={
'Enabled': True|False,
'PreferredMfa': True|False
},
SoftwareTokenMfaSettings={
'Enabled': True|False,
'PreferredMfa': True|False
},
AccessToken='string'
)
dict
The SMS text message multi-factor authentication (MFA) settings.
Enabled (boolean) --
Specifies whether SMS text message MFA is enabled.
PreferredMfa (boolean) --
The preferred MFA method.
dict
The time-based one-time password software token MFA settings.
Enabled (boolean) --
Specifies whether software token MFA is enabled.
PreferredMfa (boolean) --
The preferred MFA method.
string
[REQUIRED]
The access token.
dict
Response Syntax
{}
Response Structure
(dict) --
Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId , pass null values for all four configuration types.
To enable Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns key AdvancedSecurityMode .
See .
See also: AWS API Documentation
Request Syntax
client.set_risk_configuration(
UserPoolId='string',
ClientId='string',
CompromisedCredentialsRiskConfiguration={
'EventFilter': [
'SIGN_IN'|'PASSWORD_CHANGE'|'SIGN_UP',
],
'Actions': {
'EventAction': 'BLOCK'|'NO_ACTION'
}
},
AccountTakeoverRiskConfiguration={
'NotifyConfiguration': {
'From': 'string',
'ReplyTo': 'string',
'SourceArn': 'string',
'BlockEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
},
'NoActionEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
},
'MfaEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
}
},
'Actions': {
'LowAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
},
'MediumAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
},
'HighAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
}
}
},
RiskExceptionConfiguration={
'BlockedIPRangeList': [
'string',
],
'SkippedIPRangeList': [
'string',
]
}
)
string
[REQUIRED]
The user pool ID.
string
The app client ID. If ClientId is null, then the risk configuration is mapped to userPoolId . When the client ID is null, the same risk configuration is applied to all the clients in the userPool.
Otherwise, ClientId is mapped to the client. When the client ID is not null, the user pool configuration is overridden and the risk configuration for the client is used instead.
dict
The compromised credentials risk configuration.
EventFilter (list) --
Perform the action for these events. The default is to perform all events if no event filter is specified.
(string) --
Actions (dict) -- [REQUIRED]
The compromised credentials risk configuration actions.
EventAction (string) -- [REQUIRED]
The event action.
dict
The account takeover risk configuration.
NotifyConfiguration (dict) --
The notify configuration used to construct email notifications.
From (string) --
The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.
ReplyTo (string) --
The destination to which the receiver of an email should reply to.
SourceArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.
BlockEmail (dict) --
Email template used when a detected risk event is blocked.
Subject (string) -- [REQUIRED]
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
NoActionEmail (dict) --
The email template used when a detected risk event is allowed.
Subject (string) -- [REQUIRED]
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
MfaEmail (dict) --
The MFA email template used when MFA is challenged as part of a detected risk.
Subject (string) -- [REQUIRED]
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
Actions (dict) -- [REQUIRED]
Account takeover risk configuration actions
LowAction (dict) --
Action to take for a low risk.
Notify (boolean) -- [REQUIRED]
Flag specifying whether to send a notification.
EventAction (string) -- [REQUIRED]
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
MediumAction (dict) --
Action to take for a medium risk.
Notify (boolean) -- [REQUIRED]
Flag specifying whether to send a notification.
EventAction (string) -- [REQUIRED]
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
HighAction (dict) --
Action to take for a high risk.
Notify (boolean) -- [REQUIRED]
Flag specifying whether to send a notification.
EventAction (string) -- [REQUIRED]
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
dict
The configuration to override the risk decision.
BlockedIPRangeList (list) --
Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation: a compact representation of an IP address and its associated routing prefix.
(string) --
SkippedIPRangeList (list) --
Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR notation.
(string) --
dict
Response Syntax
{
'RiskConfiguration': {
'UserPoolId': 'string',
'ClientId': 'string',
'CompromisedCredentialsRiskConfiguration': {
'EventFilter': [
'SIGN_IN'|'PASSWORD_CHANGE'|'SIGN_UP',
],
'Actions': {
'EventAction': 'BLOCK'|'NO_ACTION'
}
},
'AccountTakeoverRiskConfiguration': {
'NotifyConfiguration': {
'From': 'string',
'ReplyTo': 'string',
'SourceArn': 'string',
'BlockEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
},
'NoActionEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
},
'MfaEmail': {
'Subject': 'string',
'HtmlBody': 'string',
'TextBody': 'string'
}
},
'Actions': {
'LowAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
},
'MediumAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
},
'HighAction': {
'Notify': True|False,
'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
}
}
},
'RiskExceptionConfiguration': {
'BlockedIPRangeList': [
'string',
],
'SkippedIPRangeList': [
'string',
]
},
'LastModifiedDate': datetime(2015, 1, 1)
}
}
Response Structure
(dict) --
RiskConfiguration (dict) --
The risk configuration.
UserPoolId (string) --
The user pool ID.
ClientId (string) --
The app client ID.
CompromisedCredentialsRiskConfiguration (dict) --
The compromised credentials risk configuration object including the EventFilter and the EventAction
EventFilter (list) --
Perform the action for these events. The default is to perform all events if no event filter is specified.
(string) --
Actions (dict) --
The compromised credentials risk configuration actions.
EventAction (string) --
The event action.
AccountTakeoverRiskConfiguration (dict) --
The account takeover risk configuration object including the NotifyConfiguration object and Actions to take in the case of an account takeover.
NotifyConfiguration (dict) --
The notify configuration used to construct email notifications.
From (string) --
The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.
ReplyTo (string) --
The destination to which the receiver of an email should reply to.
SourceArn (string) --
The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.
BlockEmail (dict) --
Email template used when a detected risk event is blocked.
Subject (string) --
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
NoActionEmail (dict) --
The email template used when a detected risk event is allowed.
Subject (string) --
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
MfaEmail (dict) --
The MFA email template used when MFA is challenged as part of a detected risk.
Subject (string) --
The subject.
HtmlBody (string) --
The HTML body.
TextBody (string) --
The text body.
Actions (dict) --
Account takeover risk configuration actions
LowAction (dict) --
Action to take for a low risk.
Notify (boolean) --
Flag specifying whether to send a notification.
EventAction (string) --
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
MediumAction (dict) --
Action to take for a medium risk.
Notify (boolean) --
Flag specifying whether to send a notification.
EventAction (string) --
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
HighAction (dict) --
Action to take for a high risk.
Notify (boolean) --
Flag specifying whether to send a notification.
EventAction (string) --
The event action.
BLOCK Choosing this action will block the request.
MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
NO_ACTION Allow the user sign-in.
RiskExceptionConfiguration (dict) --
The configuration to override the risk decision.
BlockedIPRangeList (list) --
Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation: a compact representation of an IP address and its associated routing prefix.
(string) --
SkippedIPRangeList (list) --
Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR notation.
(string) --
LastModifiedDate (datetime) --
The last modified date.
Set the user pool MFA configuration.
See also: AWS API Documentation
Request Syntax
client.set_user_pool_mfa_config(
UserPoolId='string',
SmsMfaConfiguration={
'SmsAuthenticationMessage': 'string',
'SmsConfiguration': {
'SnsCallerArn': 'string',
'ExternalId': 'string'
}
},
SoftwareTokenMfaConfiguration={
'Enabled': True|False
},
MfaConfiguration='OFF'|'ON'|'OPTIONAL'
)
string
[REQUIRED]
The user pool ID.
dict
The SMS text message MFA configuration.
SmsAuthenticationMessage (string) --
The SMS authentication message.
SmsConfiguration (dict) --
The SMS configuration.
SnsCallerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
dict
The software token MFA configuration.
Enabled (boolean) --
Specifies whether software token MFA is enabled.
string
The MFA configuration.
dict
Response Syntax
{
'SmsMfaConfiguration': {
'SmsAuthenticationMessage': 'string',
'SmsConfiguration': {
'SnsCallerArn': 'string',
'ExternalId': 'string'
}
},
'SoftwareTokenMfaConfiguration': {
'Enabled': True|False
},
'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL'
}
Response Structure
(dict) --
SmsMfaConfiguration (dict) --
The SMS text message MFA configuration.
SmsAuthenticationMessage (string) --
The SMS authentication message.
SmsConfiguration (dict) --
The SMS configuration.
SnsCallerArn (string) --
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
SoftwareTokenMfaConfiguration (dict) --
The software token MFA configuration.
Enabled (boolean) --
Specifies whether software token MFA is enabled.
MfaConfiguration (string) --
The MFA configuration.
Use this API to register a user's entered TOTP code and mark the user's software token MFA status as "verified" if successful,
See also: AWS API Documentation
Request Syntax
client.verify_software_token(
AccessToken='string',
Session='string',
UserCode='string',
FriendlyDeviceName='string'
)
string
The access token.
string
The session which should be passed both ways in challenge-response calls to the service.
string
[REQUIRED]
The one time password computed using the secret code returned by
string
The friendly device name.
dict
Response Syntax
{
'Status': 'SUCCESS'|'ERROR',
'Session': 'string'
}
Response Structure
(dict) --
Status (string) --
The status of the verify software token.
Session (string) --
The session which should be passed both ways in challenge-response calls to the service.
{'PreferredMfaSetting': 'string', 'UserMFASettingList': ['string']}
Gets the specified user by user name in a user pool as an administrator. Works on any user.
Requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_get_user(
UserPoolId='string',
Username='string'
)
string
[REQUIRED]
The user pool ID for the user pool where you want to get information about the user.
string
[REQUIRED]
The user name of the user you wish to retrieve.
dict
Response Syntax
{
'Username': 'string',
'UserAttributes': [
{
'Name': 'string',
'Value': 'string'
},
],
'UserCreateDate': datetime(2015, 1, 1),
'UserLastModifiedDate': datetime(2015, 1, 1),
'Enabled': True|False,
'UserStatus': 'UNCONFIRMED'|'CONFIRMED'|'ARCHIVED'|'COMPROMISED'|'UNKNOWN'|'RESET_REQUIRED'|'FORCE_CHANGE_PASSWORD',
'MFAOptions': [
{
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
},
],
'PreferredMfaSetting': 'string',
'UserMFASettingList': [
'string',
]
}
Response Structure
(dict) --
Represents the response from the server from the request to get the specified user as an administrator.
Username (string) --
The user name of the user about whom you are receiving information.
UserAttributes (list) --
An array of name-value pairs representing user attributes.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) --
The name of the attribute.
Value (string) --
The value of the attribute.
UserCreateDate (datetime) --
The date the user was created.
UserLastModifiedDate (datetime) --
The date the user was last modified.
Enabled (boolean) --
Indicates that the status is enabled.
UserStatus (string) --
The user status. Can be one of the following:
UNCONFIRMED - User has been created but not confirmed.
CONFIRMED - User has been confirmed.
ARCHIVED - User is no longer active.
COMPROMISED - User is disabled due to a potential security threat.
UNKNOWN - User status is not known.
MFAOptions (list) --
Specifies the options for MFA (e.g., email or phone number).
(dict) --
Specifies the different settings for multi-factor authentication (MFA).
DeliveryMedium (string) --
The delivery medium (email message or SMS message) to send the MFA code.
AttributeName (string) --
The attribute name of the MFA option type.
PreferredMfaSetting (string) --
UserMFASettingList (list) --
(string) --
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'ContextData': {'EncodedData': 'string',
'HttpHeaders': [{'headerName': 'string',
'headerValue': 'string'}],
'IpAddress': 'string',
'ServerName': 'string',
'ServerPath': 'string'}}
Response {'ChallengeName': {'SELECT_MFA_TYPE', 'MFA_SETUP', 'SOFTWARE_TOKEN_MFA'}}
Initiates the authentication flow, as an administrator.
Requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_initiate_auth(
UserPoolId='string',
ClientId='string',
AuthFlow='USER_SRP_AUTH'|'REFRESH_TOKEN_AUTH'|'REFRESH_TOKEN'|'CUSTOM_AUTH'|'ADMIN_NO_SRP_AUTH',
AuthParameters={
'string': 'string'
},
ClientMetadata={
'string': 'string'
},
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
ContextData={
'IpAddress': 'string',
'ServerName': 'string',
'ServerPath': 'string',
'HttpHeaders': [
{
'headerName': 'string',
'headerValue': 'string'
},
],
'EncodedData': 'string'
}
)
string
[REQUIRED]
The ID of the Amazon Cognito user pool.
string
[REQUIRED]
The app client ID.
string
[REQUIRED]
The authentication flow for this call to execute. The API action will depend on this value. For example:
REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens.
USER_SRP_AUTH will take in USERNAME and SRP_A and return the SRP variables to be used for next challenge execution.
Valid values include:
USER_SRP_AUTH : Authentication flow for the Secure Remote Password (SRP) protocol.
REFRESH_TOKEN_AUTH / REFRESH_TOKEN : Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.
CUSTOM_AUTH : Custom authentication flow.
ADMIN_NO_SRP_AUTH : Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is enabled for calling the app client.
dict
The authentication parameters. These are inputs corresponding to the AuthFlow that you are invoking. The required values depend on the value of AuthFlow :
For USER_SRP_AUTH : USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY
For REFRESH_TOKEN_AUTH/REFRESH_TOKEN : USERNAME (required), SECRET_HASH (required if the app client is configured with a client secret), REFRESH_TOKEN (required), DEVICE_KEY
For ADMIN_NO_SRP_AUTH : USERNAME (required), SECRET_HASH (if app client is configured with client secret), PASSWORD (required), DEVICE_KEY
For CUSTOM_AUTH : USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY
(string) --
(string) --
dict
This is a random key-value pair map which can contain any key and will be passed to your PreAuthentication Lambda trigger as-is. It can be used to implement additional validations around authentication.
(string) --
(string) --
dict
The analytics metadata for collecting Amazon Pinpoint metrics for AdminInitiateAuth calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
IpAddress (string) -- [REQUIRED]
Source IP address of your user.
ServerName (string) -- [REQUIRED]
Your server endpoint where this API is invoked.
ServerPath (string) -- [REQUIRED]
Your server path where this API is invoked.
HttpHeaders (list) -- [REQUIRED]
HttpHeaders received on your server in same order.
(dict) --
The HTTP header.
headerName (string) --
The header name
headerValue (string) --
The header value.
EncodedData (string) --
Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library.
dict
Response Syntax
{
'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
'Session': 'string',
'ChallengeParameters': {
'string': 'string'
},
'AuthenticationResult': {
'AccessToken': 'string',
'ExpiresIn': 123,
'TokenType': 'string',
'RefreshToken': 'string',
'IdToken': 'string',
'NewDeviceMetadata': {
'DeviceKey': 'string',
'DeviceGroupKey': 'string'
}
}
}
Response Structure
(dict) --
Initiates the authentication response, as an administrator.
ChallengeName (string) --
The name of the challenge which you are responding to with this call. This is returned to you in the AdminInitiateAuth response if you need to pass another challenge.
SMS_MFA : Next challenge is to supply an SMS_MFA_CODE , delivered via SMS.
PASSWORD_VERIFIER : Next challenge is to supply PASSWORD_CLAIM_SIGNATURE , PASSWORD_CLAIM_SECRET_BLOCK , and TIMESTAMP after the client-side SRP calculations.
CUSTOM_CHALLENGE : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.
DEVICE_SRP_AUTH : If device tracking was enabled on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.
DEVICE_PASSWORD_VERIFIER : Similar to PASSWORD_VERIFIER , but for devices only.
ADMIN_NO_SRP_AUTH : This is returned if you need to authenticate with USERNAME and PASSWORD directly. An app client must be enabled to use this flow.
NEW_PASSWORD_REQUIRED : For users which are required to change their passwords after successful first login. This challenge should be passed with NEW_PASSWORD and any other required attributes.
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. If AdminInitiateAuth or AdminRespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next AdminRespondToAuthChallenge API call.
ChallengeParameters (dict) --
The challenge parameters. These are returned to you in the AdminInitiateAuth response if you need to pass another challenge. The responses in this parameter should be used to compute inputs to the next call ( AdminRespondToAuthChallenge ).
All challenges require USERNAME and SECRET_HASH (if applicable).
The value of the USER_IF_FOR_SRP attribute will be the user's actual username, not an alias (such as email address or phone number), even if you specified an alias in your call to AdminInitiateAuth . This is because, in the AdminRespondToAuthChallenge API ChallengeResponses , the USERNAME attribute cannot be an alias.
(string) --
(string) --
AuthenticationResult (dict) --
The result of the authentication response. This is only returned if the caller does not need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName , ChallengeParameters , and Session are returned.
AccessToken (string) --
The access token.
ExpiresIn (integer) --
The expiration period of the authentication result.
TokenType (string) --
The token type.
RefreshToken (string) --
The refresh token.
IdToken (string) --
The ID token.
NewDeviceMetadata (dict) --
The new device metadata from an authentication result.
DeviceKey (string) --
The device key.
DeviceGroupKey (string) --
The device group key.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'ChallengeName': {'SELECT_MFA_TYPE', 'MFA_SETUP', 'SOFTWARE_TOKEN_MFA'},
'ContextData': {'EncodedData': 'string',
'HttpHeaders': [{'headerName': 'string',
'headerValue': 'string'}],
'IpAddress': 'string',
'ServerName': 'string',
'ServerPath': 'string'}}
Response {'ChallengeName': {'SELECT_MFA_TYPE', 'MFA_SETUP', 'SOFTWARE_TOKEN_MFA'}}
Responds to an authentication challenge, as an administrator.
Requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_respond_to_auth_challenge(
UserPoolId='string',
ClientId='string',
ChallengeName='SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
ChallengeResponses={
'string': 'string'
},
Session='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
ContextData={
'IpAddress': 'string',
'ServerName': 'string',
'ServerPath': 'string',
'HttpHeaders': [
{
'headerName': 'string',
'headerValue': 'string'
},
],
'EncodedData': 'string'
}
)
string
[REQUIRED]
The ID of the Amazon Cognito user pool.
string
[REQUIRED]
The app client ID.
string
[REQUIRED]
The challenge name. For more information, see .
dict
The challenge responses. These are inputs corresponding to the value of ChallengeName , for example:
SMS_MFA : SMS_MFA_CODE , USERNAME , SECRET_HASH (if app client is configured with client secret).
PASSWORD_VERIFIER : PASSWORD_CLAIM_SIGNATURE , PASSWORD_CLAIM_SECRET_BLOCK , TIMESTAMP , USERNAME , SECRET_HASH (if app client is configured with client secret).
ADMIN_NO_SRP_AUTH : PASSWORD , USERNAME , SECRET_HASH (if app client is configured with client secret).
NEW_PASSWORD_REQUIRED : NEW_PASSWORD , any other required attributes, USERNAME , SECRET_HASH (if app client is configured with client secret).
The value of the USERNAME attribute must be the user's actual username, not an alias (such as email address or phone number). To make this easier, the AdminInitiateAuth response includes the actual username value in the USERNAMEUSER_ID_FOR_SRP attribute, even if you specified an alias in your call to AdminInitiateAuth .
(string) --
(string) --
string
The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
dict
The analytics metadata for collecting Amazon Pinpoint metrics for AdminRespondToAuthChallenge calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
IpAddress (string) -- [REQUIRED]
Source IP address of your user.
ServerName (string) -- [REQUIRED]
Your server endpoint where this API is invoked.
ServerPath (string) -- [REQUIRED]
Your server path where this API is invoked.
HttpHeaders (list) -- [REQUIRED]
HttpHeaders received on your server in same order.
(dict) --
The HTTP header.
headerName (string) --
The header name
headerValue (string) --
The header value.
EncodedData (string) --
Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library.
dict
Response Syntax
{
'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
'Session': 'string',
'ChallengeParameters': {
'string': 'string'
},
'AuthenticationResult': {
'AccessToken': 'string',
'ExpiresIn': 123,
'TokenType': 'string',
'RefreshToken': 'string',
'IdToken': 'string',
'NewDeviceMetadata': {
'DeviceKey': 'string',
'DeviceGroupKey': 'string'
}
}
}
Response Structure
(dict) --
Responds to the authentication challenge, as an administrator.
ChallengeName (string) --
The name of the challenge. For more information, see .
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
ChallengeParameters (dict) --
The challenge parameters. For more information, see .
(string) --
(string) --
AuthenticationResult (dict) --
The result returned by the server in response to the authentication request.
AccessToken (string) --
The access token.
ExpiresIn (integer) --
The expiration period of the authentication result.
TokenType (string) --
The token type.
RefreshToken (string) --
The refresh token.
IdToken (string) --
The ID token.
NewDeviceMetadata (dict) --
The new device metadata from an authentication result.
DeviceKey (string) --
The device key.
DeviceGroupKey (string) --
The device group key.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'UserContextData': {'EncodedData': 'string'}}
Allows a user to enter a confirmation code to reset a forgotten password.
See also: AWS API Documentation
Request Syntax
client.confirm_forgot_password(
ClientId='string',
SecretHash='string',
Username='string',
ConfirmationCode='string',
Password='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
}
)
string
[REQUIRED]
The app client ID of the app associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user for whom you want to enter a code to retrieve a forgotten password.
string
[REQUIRED]
The confirmation code sent by a user's request to retrieve a forgotten password. For more information, see
string
[REQUIRED]
The password sent by a user's request to retrieve a forgotten password.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmForgotPassword calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
Response Syntax
{}
Response Structure
(dict) --
The response from the server that results from a user's request to retrieve a forgotten password.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'UserContextData': {'EncodedData': 'string'}}
Confirms registration of a user and handles the existing alias from a previous user.
See also: AWS API Documentation
Request Syntax
client.confirm_sign_up(
ClientId='string',
SecretHash='string',
Username='string',
ConfirmationCode='string',
ForceAliasCreation=True|False,
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
}
)
string
[REQUIRED]
The ID of the app client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user whose registration you wish to confirm.
string
[REQUIRED]
The confirmation code sent by a user's request to confirm registration.
boolean
Boolean to be specified to force user confirmation irrespective of existing alias. By default set to False . If this parameter is set to True and the phone number/email used for sign up confirmation already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user being confirmed. If set to False , the API will throw an AliasExistsException error.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmSignUp calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
Response Syntax
{}
Response Structure
(dict) --
Represents the response from the server for the registration confirmation.
{'LambdaConfig': {'PreTokenGeneration': 'string'},
'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | ENFORCED'}}
Response {'UserPool': {'LambdaConfig': {'PreTokenGeneration': 'string'},
'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | '
'ENFORCED'}}}
Creates a new Amazon Cognito user pool and sets the password policy for the pool.
See also: AWS API Documentation
Request Syntax
client.create_user_pool(
PoolName='string',
Policies={
'PasswordPolicy': {
'MinimumLength': 123,
'RequireUppercase': True|False,
'RequireLowercase': True|False,
'RequireNumbers': True|False,
'RequireSymbols': True|False
}
},
LambdaConfig={
'PreSignUp': 'string',
'CustomMessage': 'string',
'PostConfirmation': 'string',
'PreAuthentication': 'string',
'PostAuthentication': 'string',
'DefineAuthChallenge': 'string',
'CreateAuthChallenge': 'string',
'VerifyAuthChallengeResponse': 'string',
'PreTokenGeneration': 'string'
},
AutoVerifiedAttributes=[
'phone_number'|'email',
],
AliasAttributes=[
'phone_number'|'email'|'preferred_username',
],
UsernameAttributes=[
'phone_number'|'email',
],
SmsVerificationMessage='string',
EmailVerificationMessage='string',
EmailVerificationSubject='string',
VerificationMessageTemplate={
'SmsMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string',
'EmailMessageByLink': 'string',
'EmailSubjectByLink': 'string',
'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
},
SmsAuthenticationMessage='string',
MfaConfiguration='OFF'|'ON'|'OPTIONAL',
DeviceConfiguration={
'ChallengeRequiredOnNewDevice': True|False,
'DeviceOnlyRememberedOnUserPrompt': True|False
},
EmailConfiguration={
'SourceArn': 'string',
'ReplyToEmailAddress': 'string'
},
SmsConfiguration={
'SnsCallerArn': 'string',
'ExternalId': 'string'
},
UserPoolTags={
'string': 'string'
},
AdminCreateUserConfig={
'AllowAdminCreateUserOnly': True|False,
'UnusedAccountValidityDays': 123,
'InviteMessageTemplate': {
'SMSMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string'
}
},
Schema=[
{
'Name': 'string',
'AttributeDataType': 'String'|'Number'|'DateTime'|'Boolean',
'DeveloperOnlyAttribute': True|False,
'Mutable': True|False,
'Required': True|False,
'NumberAttributeConstraints': {
'MinValue': 'string',
'MaxValue': 'string'
},
'StringAttributeConstraints': {
'MinLength': 'string',
'MaxLength': 'string'
}
},
],
UserPoolAddOns={
'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
}
)
string
[REQUIRED]
A string used to name the user pool.
dict
The policies associated with the new user pool.
PasswordPolicy (dict) --
The password policy.
MinimumLength (integer) --
The minimum length of the password policy that you have set. Cannot be less than 6.
RequireUppercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
RequireLowercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
RequireNumbers (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
RequireSymbols (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
dict
The Lambda trigger configuration information for the new user pool.
PreSignUp (string) --
A pre-registration AWS Lambda trigger.
CustomMessage (string) --
A custom Message AWS Lambda trigger.
PostConfirmation (string) --
A post-confirmation AWS Lambda trigger.
PreAuthentication (string) --
A pre-authentication AWS Lambda trigger.
PostAuthentication (string) --
A post-authentication AWS Lambda trigger.
DefineAuthChallenge (string) --
Defines the authentication challenge.
CreateAuthChallenge (string) --
Creates an authentication challenge.
VerifyAuthChallengeResponse (string) --
Verifies the authentication challenge response.
PreTokenGeneration (string) --
A Lambda trigger that is invoked before token generation.
list
The attributes to be auto-verified. Possible values: email , phone_number .
(string) --
list
Attributes supported as an alias for this user pool. Possible values: phone_number , email , or preferred_username .
(string) --
list
Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up.
(string) --
string
A string representing the SMS verification message.
string
A string representing the email verification message.
string
A string representing the email verification subject.
dict
The template for the verification message that the user sees when the app requests permission to access the user's information.
SmsMessage (string) --
The SMS message template.
EmailMessage (string) --
The email message template.
EmailSubject (string) --
The subject line for the email message template.
EmailMessageByLink (string) --
The email message template for sending a confirmation link to the user.
EmailSubjectByLink (string) --
The subject line for the email message template for sending a confirmation link to the user.
DefaultEmailOption (string) --
The default email option.
string
A string representing the SMS authentication message.
string
Specifies MFA configuration details.
dict
The device configuration.
ChallengeRequiredOnNewDevice (boolean) --
Indicates whether a challenge is required on a new device. Only applicable to a new device.
DeviceOnlyRememberedOnUserPrompt (boolean) --
If true, a device is only remembered on user prompt.
dict
The email configuration.
SourceArn (string) --
The Amazon Resource Name (ARN) of the email source.
ReplyToEmailAddress (string) --
The destination to which the receiver of the email should reply to.
dict
The SMS configuration.
SnsCallerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
dict
The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool
(string) --
(string) --
dict
The configuration for AdminCreateUser requests.
AllowAdminCreateUserOnly (boolean) --
Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
UnusedAccountValidityDays (integer) --
The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.
InviteMessageTemplate (dict) --
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages.
SMSMessage (string) --
The message template for SMS messages.
EmailMessage (string) --
The message template for email messages.
EmailSubject (string) --
The subject line for email messages.
list
An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.
(dict) --
Contains information about the schema attribute.
Name (string) --
A schema attribute of the name type.
AttributeDataType (string) --
The attribute data type.
DeveloperOnlyAttribute (boolean) --
Specifies whether the attribute type is developer only.
Mutable (boolean) --
Specifies whether the attribute can be changed once it has been created.
Required (boolean) --
Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
NumberAttributeConstraints (dict) --
Specifies the constraints for an attribute of the number type.
MinValue (string) --
The minimum value of an attribute that is of the number data type.
MaxValue (string) --
The maximum value of an attribute that is of the number data type.
StringAttributeConstraints (dict) --
Specifies the constraints for an attribute of the string type.
MinLength (string) --
The minimum length.
MaxLength (string) --
The maximum length.
dict
Used to enable advanced security risk detection. Set the key AdvancedSecurityMode to the value "AUDIT".
AdvancedSecurityMode (string) -- [REQUIRED]
The advanced security mode.
dict
Response Syntax
{
'UserPool': {
'Id': 'string',
'Name': 'string',
'Policies': {
'PasswordPolicy': {
'MinimumLength': 123,
'RequireUppercase': True|False,
'RequireLowercase': True|False,
'RequireNumbers': True|False,
'RequireSymbols': True|False
}
},
'LambdaConfig': {
'PreSignUp': 'string',
'CustomMessage': 'string',
'PostConfirmation': 'string',
'PreAuthentication': 'string',
'PostAuthentication': 'string',
'DefineAuthChallenge': 'string',
'CreateAuthChallenge': 'string',
'VerifyAuthChallengeResponse': 'string',
'PreTokenGeneration': 'string'
},
'Status': 'Enabled'|'Disabled',
'LastModifiedDate': datetime(2015, 1, 1),
'CreationDate': datetime(2015, 1, 1),
'SchemaAttributes': [
{
'Name': 'string',
'AttributeDataType': 'String'|'Number'|'DateTime'|'Boolean',
'DeveloperOnlyAttribute': True|False,
'Mutable': True|False,
'Required': True|False,
'NumberAttributeConstraints': {
'MinValue': 'string',
'MaxValue': 'string'
},
'StringAttributeConstraints': {
'MinLength': 'string',
'MaxLength': 'string'
}
},
],
'AutoVerifiedAttributes': [
'phone_number'|'email',
],
'AliasAttributes': [
'phone_number'|'email'|'preferred_username',
],
'UsernameAttributes': [
'phone_number'|'email',
],
'SmsVerificationMessage': 'string',
'EmailVerificationMessage': 'string',
'EmailVerificationSubject': 'string',
'VerificationMessageTemplate': {
'SmsMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string',
'EmailMessageByLink': 'string',
'EmailSubjectByLink': 'string',
'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
},
'SmsAuthenticationMessage': 'string',
'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL',
'DeviceConfiguration': {
'ChallengeRequiredOnNewDevice': True|False,
'DeviceOnlyRememberedOnUserPrompt': True|False
},
'EstimatedNumberOfUsers': 123,
'EmailConfiguration': {
'SourceArn': 'string',
'ReplyToEmailAddress': 'string'
},
'SmsConfiguration': {
'SnsCallerArn': 'string',
'ExternalId': 'string'
},
'UserPoolTags': {
'string': 'string'
},
'SmsConfigurationFailure': 'string',
'EmailConfigurationFailure': 'string',
'AdminCreateUserConfig': {
'AllowAdminCreateUserOnly': True|False,
'UnusedAccountValidityDays': 123,
'InviteMessageTemplate': {
'SMSMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string'
}
},
'UserPoolAddOns': {
'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
}
}
}
Response Structure
(dict) --
Represents the response from the server for the request to create a user pool.
UserPool (dict) --
A container for the user pool details.
Id (string) --
The ID of the user pool.
Name (string) --
The name of the user pool.
Policies (dict) --
The policies associated with the user pool.
PasswordPolicy (dict) --
The password policy.
MinimumLength (integer) --
The minimum length of the password policy that you have set. Cannot be less than 6.
RequireUppercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
RequireLowercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
RequireNumbers (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
RequireSymbols (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
LambdaConfig (dict) --
The AWS Lambda triggers associated with tue user pool.
PreSignUp (string) --
A pre-registration AWS Lambda trigger.
CustomMessage (string) --
A custom Message AWS Lambda trigger.
PostConfirmation (string) --
A post-confirmation AWS Lambda trigger.
PreAuthentication (string) --
A pre-authentication AWS Lambda trigger.
PostAuthentication (string) --
A post-authentication AWS Lambda trigger.
DefineAuthChallenge (string) --
Defines the authentication challenge.
CreateAuthChallenge (string) --
Creates an authentication challenge.
VerifyAuthChallengeResponse (string) --
Verifies the authentication challenge response.
PreTokenGeneration (string) --
A Lambda trigger that is invoked before token generation.
Status (string) --
The status of a user pool.
LastModifiedDate (datetime) --
The date the user pool was last modified.
CreationDate (datetime) --
The date the user pool was created.
SchemaAttributes (list) --
A container with the schema attributes of a user pool.
(dict) --
Contains information about the schema attribute.
Name (string) --
A schema attribute of the name type.
AttributeDataType (string) --
The attribute data type.
DeveloperOnlyAttribute (boolean) --
Specifies whether the attribute type is developer only.
Mutable (boolean) --
Specifies whether the attribute can be changed once it has been created.
Required (boolean) --
Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
NumberAttributeConstraints (dict) --
Specifies the constraints for an attribute of the number type.
MinValue (string) --
The minimum value of an attribute that is of the number data type.
MaxValue (string) --
The maximum value of an attribute that is of the number data type.
StringAttributeConstraints (dict) --
Specifies the constraints for an attribute of the string type.
MinLength (string) --
The minimum length.
MaxLength (string) --
The maximum length.
AutoVerifiedAttributes (list) --
Specifies the attributes that are auto-verified in a user pool.
(string) --
AliasAttributes (list) --
Specifies the attributes that are aliased in a user pool.
(string) --
UsernameAttributes (list) --
Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up.
(string) --
SmsVerificationMessage (string) --
The contents of the SMS verification message.
EmailVerificationMessage (string) --
The contents of the email verification message.
EmailVerificationSubject (string) --
The subject of the email verification message.
VerificationMessageTemplate (dict) --
The template for verification messages.
SmsMessage (string) --
The SMS message template.
EmailMessage (string) --
The email message template.
EmailSubject (string) --
The subject line for the email message template.
EmailMessageByLink (string) --
The email message template for sending a confirmation link to the user.
EmailSubjectByLink (string) --
The subject line for the email message template for sending a confirmation link to the user.
DefaultEmailOption (string) --
The default email option.
SmsAuthenticationMessage (string) --
The contents of the SMS authentication message.
MfaConfiguration (string) --
Can be one of the following values:
OFF - MFA tokens are not required and cannot be specified during user registration.
ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.
OPTIONAL - Users have the option when registering to create an MFA token.
DeviceConfiguration (dict) --
The device configuration.
ChallengeRequiredOnNewDevice (boolean) --
Indicates whether a challenge is required on a new device. Only applicable to a new device.
DeviceOnlyRememberedOnUserPrompt (boolean) --
If true, a device is only remembered on user prompt.
EstimatedNumberOfUsers (integer) --
A number estimating the size of the user pool.
EmailConfiguration (dict) --
The email configuration.
SourceArn (string) --
The Amazon Resource Name (ARN) of the email source.
ReplyToEmailAddress (string) --
The destination to which the receiver of the email should reply to.
SmsConfiguration (dict) --
The SMS configuration.
SnsCallerArn (string) --
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
UserPoolTags (dict) --
The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool
(string) --
(string) --
SmsConfigurationFailure (string) --
The reason why the SMS configuration cannot send the messages to your users.
EmailConfigurationFailure (string) --
The reason why the email configuration cannot send the messages to your users.
AdminCreateUserConfig (dict) --
The configuration for AdminCreateUser requests.
AllowAdminCreateUserOnly (boolean) --
Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
UnusedAccountValidityDays (integer) --
The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.
InviteMessageTemplate (dict) --
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages.
SMSMessage (string) --
The message template for SMS messages.
EmailMessage (string) --
The message template for email messages.
EmailSubject (string) --
The subject line for email messages.
UserPoolAddOns (dict) --
The user pool add-ons.
AdvancedSecurityMode (string) --
The advanced security mode.
{'AnalyticsConfiguration': {'ApplicationId': 'string',
'ExternalId': 'string',
'RoleArn': 'string',
'UserDataShared': 'boolean'}}
Response {'UserPoolClient': {'AnalyticsConfiguration': {'ApplicationId': 'string',
'ExternalId': 'string',
'RoleArn': 'string',
'UserDataShared': 'boolean'}}}
Creates the user pool client.
See also: AWS API Documentation
Request Syntax
client.create_user_pool_client(
UserPoolId='string',
ClientName='string',
GenerateSecret=True|False,
RefreshTokenValidity=123,
ReadAttributes=[
'string',
],
WriteAttributes=[
'string',
],
ExplicitAuthFlows=[
'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
],
SupportedIdentityProviders=[
'string',
],
CallbackURLs=[
'string',
],
LogoutURLs=[
'string',
],
DefaultRedirectURI='string',
AllowedOAuthFlows=[
'code'|'implicit'|'client_credentials',
],
AllowedOAuthScopes=[
'string',
],
AllowedOAuthFlowsUserPoolClient=True|False,
AnalyticsConfiguration={
'ApplicationId': 'string',
'RoleArn': 'string',
'ExternalId': 'string',
'UserDataShared': True|False
}
)
string
[REQUIRED]
The user pool ID for the user pool where you want to create a user pool client.
string
[REQUIRED]
The client name for the user pool client you would like to create.
boolean
Boolean to specify whether you want to generate a secret for the user pool client being created.
integer
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
list
The read attributes.
(string) --
list
The write attributes.
(string) --
list
The explicit authentication flows.
(string) --
list
A list of provider names for the identity providers that are supported on this client.
(string) --
list
A list of allowed callback URLs for the identity providers.
(string) --
list
A list of allowed logout URLs for the identity providers.
(string) --
string
The default redirect URI. Must be in the CallbackURLs list.
list
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
list
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
boolean
Set to True if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
dict
The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
ApplicationId (string) -- [REQUIRED]
The application ID for an Amazon Pinpoint application.
RoleArn (string) -- [REQUIRED]
The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
ExternalId (string) -- [REQUIRED]
The external ID.
UserDataShared (boolean) --
If UserDataShared is true , Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
dict
Response Syntax
{
'UserPoolClient': {
'UserPoolId': 'string',
'ClientName': 'string',
'ClientId': 'string',
'ClientSecret': 'string',
'LastModifiedDate': datetime(2015, 1, 1),
'CreationDate': datetime(2015, 1, 1),
'RefreshTokenValidity': 123,
'ReadAttributes': [
'string',
],
'WriteAttributes': [
'string',
],
'ExplicitAuthFlows': [
'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
],
'SupportedIdentityProviders': [
'string',
],
'CallbackURLs': [
'string',
],
'LogoutURLs': [
'string',
],
'DefaultRedirectURI': 'string',
'AllowedOAuthFlows': [
'code'|'implicit'|'client_credentials',
],
'AllowedOAuthScopes': [
'string',
],
'AllowedOAuthFlowsUserPoolClient': True|False,
'AnalyticsConfiguration': {
'ApplicationId': 'string',
'RoleArn': 'string',
'ExternalId': 'string',
'UserDataShared': True|False
}
}
}
Response Structure
(dict) --
Represents the response from the server to create a user pool client.
UserPoolClient (dict) --
The user pool client that was just created.
UserPoolId (string) --
The user pool ID for the user pool client.
ClientName (string) --
The client name from the user pool request of the client type.
ClientId (string) --
The ID of the client associated with the user pool.
ClientSecret (string) --
The client secret from the user pool request of the client type.
LastModifiedDate (datetime) --
The date the user pool client was last modified.
CreationDate (datetime) --
The date the user pool client was created.
RefreshTokenValidity (integer) --
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
ReadAttributes (list) --
The Read-only attributes.
(string) --
WriteAttributes (list) --
The writeable attributes.
(string) --
ExplicitAuthFlows (list) --
The explicit authentication flows.
(string) --
SupportedIdentityProviders (list) --
A list of provider names for the identity providers that are supported on this client.
(string) --
CallbackURLs (list) --
A list of allowed callback URLs for the identity providers.
(string) --
LogoutURLs (list) --
A list of allowed logout URLs for the identity providers.
(string) --
DefaultRedirectURI (string) --
The default redirect URI. Must be in the CallbackURLs list.
AllowedOAuthFlows (list) --
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
AllowedOAuthScopes (list) --
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
AllowedOAuthFlowsUserPoolClient (boolean) --
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AnalyticsConfiguration (dict) --
The Amazon Pinpoint analytics configuration for the user pool client.
ApplicationId (string) --
The application ID for an Amazon Pinpoint application.
RoleArn (string) --
The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
ExternalId (string) --
The external ID.
UserDataShared (boolean) --
If UserDataShared is true , Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
{'UserPool': {'LambdaConfig': {'PreTokenGeneration': 'string'},
'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | '
'ENFORCED'}}}
Returns the configuration information and metadata of the specified user pool.
See also: AWS API Documentation
Request Syntax
client.describe_user_pool(
UserPoolId='string'
)
string
[REQUIRED]
The user pool ID for the user pool you want to describe.
dict
Response Syntax
{
'UserPool': {
'Id': 'string',
'Name': 'string',
'Policies': {
'PasswordPolicy': {
'MinimumLength': 123,
'RequireUppercase': True|False,
'RequireLowercase': True|False,
'RequireNumbers': True|False,
'RequireSymbols': True|False
}
},
'LambdaConfig': {
'PreSignUp': 'string',
'CustomMessage': 'string',
'PostConfirmation': 'string',
'PreAuthentication': 'string',
'PostAuthentication': 'string',
'DefineAuthChallenge': 'string',
'CreateAuthChallenge': 'string',
'VerifyAuthChallengeResponse': 'string',
'PreTokenGeneration': 'string'
},
'Status': 'Enabled'|'Disabled',
'LastModifiedDate': datetime(2015, 1, 1),
'CreationDate': datetime(2015, 1, 1),
'SchemaAttributes': [
{
'Name': 'string',
'AttributeDataType': 'String'|'Number'|'DateTime'|'Boolean',
'DeveloperOnlyAttribute': True|False,
'Mutable': True|False,
'Required': True|False,
'NumberAttributeConstraints': {
'MinValue': 'string',
'MaxValue': 'string'
},
'StringAttributeConstraints': {
'MinLength': 'string',
'MaxLength': 'string'
}
},
],
'AutoVerifiedAttributes': [
'phone_number'|'email',
],
'AliasAttributes': [
'phone_number'|'email'|'preferred_username',
],
'UsernameAttributes': [
'phone_number'|'email',
],
'SmsVerificationMessage': 'string',
'EmailVerificationMessage': 'string',
'EmailVerificationSubject': 'string',
'VerificationMessageTemplate': {
'SmsMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string',
'EmailMessageByLink': 'string',
'EmailSubjectByLink': 'string',
'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
},
'SmsAuthenticationMessage': 'string',
'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL',
'DeviceConfiguration': {
'ChallengeRequiredOnNewDevice': True|False,
'DeviceOnlyRememberedOnUserPrompt': True|False
},
'EstimatedNumberOfUsers': 123,
'EmailConfiguration': {
'SourceArn': 'string',
'ReplyToEmailAddress': 'string'
},
'SmsConfiguration': {
'SnsCallerArn': 'string',
'ExternalId': 'string'
},
'UserPoolTags': {
'string': 'string'
},
'SmsConfigurationFailure': 'string',
'EmailConfigurationFailure': 'string',
'AdminCreateUserConfig': {
'AllowAdminCreateUserOnly': True|False,
'UnusedAccountValidityDays': 123,
'InviteMessageTemplate': {
'SMSMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string'
}
},
'UserPoolAddOns': {
'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
}
}
}
Response Structure
(dict) --
Represents the response to describe the user pool.
UserPool (dict) --
The container of metadata returned by the server to describe the pool.
Id (string) --
The ID of the user pool.
Name (string) --
The name of the user pool.
Policies (dict) --
The policies associated with the user pool.
PasswordPolicy (dict) --
The password policy.
MinimumLength (integer) --
The minimum length of the password policy that you have set. Cannot be less than 6.
RequireUppercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
RequireLowercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
RequireNumbers (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
RequireSymbols (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
LambdaConfig (dict) --
The AWS Lambda triggers associated with tue user pool.
PreSignUp (string) --
A pre-registration AWS Lambda trigger.
CustomMessage (string) --
A custom Message AWS Lambda trigger.
PostConfirmation (string) --
A post-confirmation AWS Lambda trigger.
PreAuthentication (string) --
A pre-authentication AWS Lambda trigger.
PostAuthentication (string) --
A post-authentication AWS Lambda trigger.
DefineAuthChallenge (string) --
Defines the authentication challenge.
CreateAuthChallenge (string) --
Creates an authentication challenge.
VerifyAuthChallengeResponse (string) --
Verifies the authentication challenge response.
PreTokenGeneration (string) --
A Lambda trigger that is invoked before token generation.
Status (string) --
The status of a user pool.
LastModifiedDate (datetime) --
The date the user pool was last modified.
CreationDate (datetime) --
The date the user pool was created.
SchemaAttributes (list) --
A container with the schema attributes of a user pool.
(dict) --
Contains information about the schema attribute.
Name (string) --
A schema attribute of the name type.
AttributeDataType (string) --
The attribute data type.
DeveloperOnlyAttribute (boolean) --
Specifies whether the attribute type is developer only.
Mutable (boolean) --
Specifies whether the attribute can be changed once it has been created.
Required (boolean) --
Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
NumberAttributeConstraints (dict) --
Specifies the constraints for an attribute of the number type.
MinValue (string) --
The minimum value of an attribute that is of the number data type.
MaxValue (string) --
The maximum value of an attribute that is of the number data type.
StringAttributeConstraints (dict) --
Specifies the constraints for an attribute of the string type.
MinLength (string) --
The minimum length.
MaxLength (string) --
The maximum length.
AutoVerifiedAttributes (list) --
Specifies the attributes that are auto-verified in a user pool.
(string) --
AliasAttributes (list) --
Specifies the attributes that are aliased in a user pool.
(string) --
UsernameAttributes (list) --
Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up.
(string) --
SmsVerificationMessage (string) --
The contents of the SMS verification message.
EmailVerificationMessage (string) --
The contents of the email verification message.
EmailVerificationSubject (string) --
The subject of the email verification message.
VerificationMessageTemplate (dict) --
The template for verification messages.
SmsMessage (string) --
The SMS message template.
EmailMessage (string) --
The email message template.
EmailSubject (string) --
The subject line for the email message template.
EmailMessageByLink (string) --
The email message template for sending a confirmation link to the user.
EmailSubjectByLink (string) --
The subject line for the email message template for sending a confirmation link to the user.
DefaultEmailOption (string) --
The default email option.
SmsAuthenticationMessage (string) --
The contents of the SMS authentication message.
MfaConfiguration (string) --
Can be one of the following values:
OFF - MFA tokens are not required and cannot be specified during user registration.
ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.
OPTIONAL - Users have the option when registering to create an MFA token.
DeviceConfiguration (dict) --
The device configuration.
ChallengeRequiredOnNewDevice (boolean) --
Indicates whether a challenge is required on a new device. Only applicable to a new device.
DeviceOnlyRememberedOnUserPrompt (boolean) --
If true, a device is only remembered on user prompt.
EstimatedNumberOfUsers (integer) --
A number estimating the size of the user pool.
EmailConfiguration (dict) --
The email configuration.
SourceArn (string) --
The Amazon Resource Name (ARN) of the email source.
ReplyToEmailAddress (string) --
The destination to which the receiver of the email should reply to.
SmsConfiguration (dict) --
The SMS configuration.
SnsCallerArn (string) --
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
UserPoolTags (dict) --
The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool
(string) --
(string) --
SmsConfigurationFailure (string) --
The reason why the SMS configuration cannot send the messages to your users.
EmailConfigurationFailure (string) --
The reason why the email configuration cannot send the messages to your users.
AdminCreateUserConfig (dict) --
The configuration for AdminCreateUser requests.
AllowAdminCreateUserOnly (boolean) --
Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
UnusedAccountValidityDays (integer) --
The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.
InviteMessageTemplate (dict) --
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages.
SMSMessage (string) --
The message template for SMS messages.
EmailMessage (string) --
The message template for email messages.
EmailSubject (string) --
The subject line for email messages.
UserPoolAddOns (dict) --
The user pool add-ons.
AdvancedSecurityMode (string) --
The advanced security mode.
{'UserPoolClient': {'AnalyticsConfiguration': {'ApplicationId': 'string',
'ExternalId': 'string',
'RoleArn': 'string',
'UserDataShared': 'boolean'}}}
Client method for returning the configuration information and metadata of the specified user pool client.
See also: AWS API Documentation
Request Syntax
client.describe_user_pool_client(
UserPoolId='string',
ClientId='string'
)
string
[REQUIRED]
The user pool ID for the user pool you want to describe.
string
[REQUIRED]
The app client ID of the app associated with the user pool.
dict
Response Syntax
{
'UserPoolClient': {
'UserPoolId': 'string',
'ClientName': 'string',
'ClientId': 'string',
'ClientSecret': 'string',
'LastModifiedDate': datetime(2015, 1, 1),
'CreationDate': datetime(2015, 1, 1),
'RefreshTokenValidity': 123,
'ReadAttributes': [
'string',
],
'WriteAttributes': [
'string',
],
'ExplicitAuthFlows': [
'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
],
'SupportedIdentityProviders': [
'string',
],
'CallbackURLs': [
'string',
],
'LogoutURLs': [
'string',
],
'DefaultRedirectURI': 'string',
'AllowedOAuthFlows': [
'code'|'implicit'|'client_credentials',
],
'AllowedOAuthScopes': [
'string',
],
'AllowedOAuthFlowsUserPoolClient': True|False,
'AnalyticsConfiguration': {
'ApplicationId': 'string',
'RoleArn': 'string',
'ExternalId': 'string',
'UserDataShared': True|False
}
}
}
Response Structure
(dict) --
Represents the response from the server from a request to describe the user pool client.
UserPoolClient (dict) --
The user pool client from a server response to describe the user pool client.
UserPoolId (string) --
The user pool ID for the user pool client.
ClientName (string) --
The client name from the user pool request of the client type.
ClientId (string) --
The ID of the client associated with the user pool.
ClientSecret (string) --
The client secret from the user pool request of the client type.
LastModifiedDate (datetime) --
The date the user pool client was last modified.
CreationDate (datetime) --
The date the user pool client was created.
RefreshTokenValidity (integer) --
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
ReadAttributes (list) --
The Read-only attributes.
(string) --
WriteAttributes (list) --
The writeable attributes.
(string) --
ExplicitAuthFlows (list) --
The explicit authentication flows.
(string) --
SupportedIdentityProviders (list) --
A list of provider names for the identity providers that are supported on this client.
(string) --
CallbackURLs (list) --
A list of allowed callback URLs for the identity providers.
(string) --
LogoutURLs (list) --
A list of allowed logout URLs for the identity providers.
(string) --
DefaultRedirectURI (string) --
The default redirect URI. Must be in the CallbackURLs list.
AllowedOAuthFlows (list) --
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
AllowedOAuthScopes (list) --
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
AllowedOAuthFlowsUserPoolClient (boolean) --
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AnalyticsConfiguration (dict) --
The Amazon Pinpoint analytics configuration for the user pool client.
ApplicationId (string) --
The application ID for an Amazon Pinpoint application.
RoleArn (string) --
The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
ExternalId (string) --
The external ID.
UserDataShared (boolean) --
If UserDataShared is true , Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'UserContextData': {'EncodedData': 'string'}}
Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. If a verified phone number exists for the user, the confirmation code is sent to the phone number. Otherwise, if a verified email exists, the confirmation code is sent to the email. If neither a verified phone number nor a verified email exists, InvalidParameterException is thrown. To use the confirmation code for resetting the password, call .
See also: AWS API Documentation
Request Syntax
client.forgot_password(
ClientId='string',
SecretHash='string',
UserContextData={
'EncodedData': 'string'
},
Username='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
}
)
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
string
[REQUIRED]
The user name of the user for whom you want to enter a code to reset a forgotten password.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ForgotPassword calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Response Syntax
{
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
}
}
Response Structure
(dict) --
Respresents the response from the server regarding the request to reset a password.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server in response to the request to reset a password.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
{'PreferredMfaSetting': 'string', 'UserMFASettingList': ['string']}
Gets the user attributes and metadata for a user.
See also: AWS API Documentation
Request Syntax
client.get_user(
AccessToken='string'
)
string
[REQUIRED]
The access token returned by the server response to get information about the user.
dict
Response Syntax
{
'Username': 'string',
'UserAttributes': [
{
'Name': 'string',
'Value': 'string'
},
],
'MFAOptions': [
{
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
},
],
'PreferredMfaSetting': 'string',
'UserMFASettingList': [
'string',
]
}
Response Structure
(dict) --
Represents the response from the server from the request to get information about the user.
Username (string) --
The user name of the user you wish to retrieve from the get user request.
UserAttributes (list) --
An array of name-value pairs representing user attributes.
For custom attributes, you must prepend the custom: prefix to the attribute name.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) --
The name of the attribute.
Value (string) --
The value of the attribute.
MFAOptions (list) --
Specifies the options for MFA (e.g., email or phone number).
(dict) --
Specifies the different settings for multi-factor authentication (MFA).
DeliveryMedium (string) --
The delivery medium (email message or SMS message) to send the MFA code.
AttributeName (string) --
The attribute name of the MFA option type.
PreferredMfaSetting (string) --
UserMFASettingList (list) --
(string) --
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'UserContextData': {'EncodedData': 'string'}}
Response {'ChallengeName': {'SELECT_MFA_TYPE', 'MFA_SETUP', 'SOFTWARE_TOKEN_MFA'}}
Initiates the authentication flow.
See also: AWS API Documentation
Request Syntax
client.initiate_auth(
AuthFlow='USER_SRP_AUTH'|'REFRESH_TOKEN_AUTH'|'REFRESH_TOKEN'|'CUSTOM_AUTH'|'ADMIN_NO_SRP_AUTH',
AuthParameters={
'string': 'string'
},
ClientMetadata={
'string': 'string'
},
ClientId='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
}
)
string
[REQUIRED]
The authentication flow for this call to execute. The API action will depend on this value. For example:
REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens.
USER_SRP_AUTH will take in USERNAME and SRP_A and return the SRP variables to be used for next challenge execution.
Valid values include:
USER_SRP_AUTH : Authentication flow for the Secure Remote Password (SRP) protocol.
REFRESH_TOKEN_AUTH / REFRESH_TOKEN : Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.
CUSTOM_AUTH : Custom authentication flow.
ADMIN_NO_SRP_AUTH is not a valid value.
dict
The authentication parameters. These are inputs corresponding to the AuthFlow that you are invoking. The required values depend on the value of AuthFlow :
For USER_SRP_AUTH : USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY
For REFRESH_TOKEN_AUTH/REFRESH_TOKEN : USERNAME (required), SECRET_HASH (required if the app client is configured with a client secret), REFRESH_TOKEN (required), DEVICE_KEY
For CUSTOM_AUTH : USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY
(string) --
(string) --
dict
This is a random key-value pair map which can contain any key and will be passed to your PreAuthentication Lambda trigger as-is. It can be used to implement additional validations around authentication.
(string) --
(string) --
string
[REQUIRED]
The app client ID.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for InitiateAuth calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
Response Syntax
{
'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
'Session': 'string',
'ChallengeParameters': {
'string': 'string'
},
'AuthenticationResult': {
'AccessToken': 'string',
'ExpiresIn': 123,
'TokenType': 'string',
'RefreshToken': 'string',
'IdToken': 'string',
'NewDeviceMetadata': {
'DeviceKey': 'string',
'DeviceGroupKey': 'string'
}
}
}
Response Structure
(dict) --
Initiates the authentication response.
ChallengeName (string) --
The name of the challenge which you are responding to with this call. This is returned to you in the AdminInitiateAuth response if you need to pass another challenge.
Valid values include the following. Note that all of these challenges require USERNAME and SECRET_HASH (if applicable) in the parameters.
SMS_MFA : Next challenge is to supply an SMS_MFA_CODE , delivered via SMS.
PASSWORD_VERIFIER : Next challenge is to supply PASSWORD_CLAIM_SIGNATURE , PASSWORD_CLAIM_SECRET_BLOCK , and TIMESTAMP after the client-side SRP calculations.
CUSTOM_CHALLENGE : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.
DEVICE_SRP_AUTH : If device tracking was enabled on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.
DEVICE_PASSWORD_VERIFIER : Similar to PASSWORD_VERIFIER , but for devices only.
NEW_PASSWORD_REQUIRED : For users which are required to change their passwords after successful first login. This challenge should be passed with NEW_PASSWORD and any other required attributes.
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
ChallengeParameters (dict) --
The challenge parameters. These are returned to you in the InitiateAuth response if you need to pass another challenge. The responses in this parameter should be used to compute inputs to the next call ( RespondToAuthChallenge ).
All challenges require USERNAME and SECRET_HASH (if applicable).
(string) --
(string) --
AuthenticationResult (dict) --
The result of the authentication response. This is only returned if the caller does not need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName , ChallengeParameters , and Session are returned.
AccessToken (string) --
The access token.
ExpiresIn (integer) --
The expiration period of the authentication result.
TokenType (string) --
The token type.
RefreshToken (string) --
The refresh token.
IdToken (string) --
The ID token.
NewDeviceMetadata (dict) --
The new device metadata from an authentication result.
DeviceKey (string) --
The device key.
DeviceGroupKey (string) --
The device group key.
{'UserPools': {'LambdaConfig': {'PreTokenGeneration': 'string'}}}
Lists the user pools associated with an AWS account.
See also: AWS API Documentation
Request Syntax
client.list_user_pools(
NextToken='string',
MaxResults=123
)
string
An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.
integer
[REQUIRED]
The maximum number of results you want the request to return when listing the user pools.
dict
Response Syntax
{
'UserPools': [
{
'Id': 'string',
'Name': 'string',
'LambdaConfig': {
'PreSignUp': 'string',
'CustomMessage': 'string',
'PostConfirmation': 'string',
'PreAuthentication': 'string',
'PostAuthentication': 'string',
'DefineAuthChallenge': 'string',
'CreateAuthChallenge': 'string',
'VerifyAuthChallengeResponse': 'string',
'PreTokenGeneration': 'string'
},
'Status': 'Enabled'|'Disabled',
'LastModifiedDate': datetime(2015, 1, 1),
'CreationDate': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Represents the response to list user pools.
UserPools (list) --
The user pools from the response to list users.
(dict) --
A user pool description.
Id (string) --
The ID in a user pool description.
Name (string) --
The name in a user pool description.
LambdaConfig (dict) --
The AWS Lambda configuration information in a user pool description.
PreSignUp (string) --
A pre-registration AWS Lambda trigger.
CustomMessage (string) --
A custom Message AWS Lambda trigger.
PostConfirmation (string) --
A post-confirmation AWS Lambda trigger.
PreAuthentication (string) --
A pre-authentication AWS Lambda trigger.
PostAuthentication (string) --
A post-authentication AWS Lambda trigger.
DefineAuthChallenge (string) --
Defines the authentication challenge.
CreateAuthChallenge (string) --
Creates an authentication challenge.
VerifyAuthChallengeResponse (string) --
Verifies the authentication challenge response.
PreTokenGeneration (string) --
A Lambda trigger that is invoked before token generation.
Status (string) --
The user pool status in a user pool description.
LastModifiedDate (datetime) --
The date the user pool description was last modified.
CreationDate (datetime) --
The date the user pool description was created.
NextToken (string) --
An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'UserContextData': {'EncodedData': 'string'}}
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
See also: AWS API Documentation
Request Syntax
client.resend_confirmation_code(
ClientId='string',
SecretHash='string',
UserContextData={
'EncodedData': 'string'
},
Username='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
}
)
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
string
[REQUIRED]
The user name of the user to whom you wish to resend a confirmation code.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ResendConfirmationCode calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Response Syntax
{
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
}
}
Response Structure
(dict) --
The response from the server when the Amazon Cognito Your User Pools service makes the request to resend a confirmation code.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server in response to the request to resend the confirmation code.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'ChallengeName': {'SELECT_MFA_TYPE', 'MFA_SETUP', 'SOFTWARE_TOKEN_MFA'},
'UserContextData': {'EncodedData': 'string'}}
Response {'ChallengeName': {'SELECT_MFA_TYPE', 'MFA_SETUP', 'SOFTWARE_TOKEN_MFA'}}
Responds to the authentication challenge.
See also: AWS API Documentation
Request Syntax
client.respond_to_auth_challenge(
ClientId='string',
ChallengeName='SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
Session='string',
ChallengeResponses={
'string': 'string'
},
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
}
)
string
[REQUIRED]
The app client ID.
string
[REQUIRED]
The challenge name. For more information, see .
ADMIN_NO_SRP_AUTH is not a valid value.
string
The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
dict
The challenge responses. These are inputs corresponding to the value of ChallengeName , for example:
SMS_MFA : SMS_MFA_CODE , USERNAME , SECRET_HASH (if app client is configured with client secret).
PASSWORD_VERIFIER : PASSWORD_CLAIM_SIGNATURE , PASSWORD_CLAIM_SECRET_BLOCK , TIMESTAMP , USERNAME , SECRET_HASH (if app client is configured with client secret).
NEW_PASSWORD_REQUIRED : NEW_PASSWORD , any other required attributes, USERNAME , SECRET_HASH (if app client is configured with client secret).
(string) --
(string) --
dict
The Amazon Pinpoint analytics metadata for collecting metrics for RespondToAuthChallenge calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
Response Syntax
{
'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
'Session': 'string',
'ChallengeParameters': {
'string': 'string'
},
'AuthenticationResult': {
'AccessToken': 'string',
'ExpiresIn': 123,
'TokenType': 'string',
'RefreshToken': 'string',
'IdToken': 'string',
'NewDeviceMetadata': {
'DeviceKey': 'string',
'DeviceGroupKey': 'string'
}
}
}
Response Structure
(dict) --
The response to respond to the authentication challenge.
ChallengeName (string) --
The challenge name. For more information, see .
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
ChallengeParameters (dict) --
The challenge parameters. For more information, see .
(string) --
(string) --
AuthenticationResult (dict) --
The result returned by the server in response to the request to respond to the authentication challenge.
AccessToken (string) --
The access token.
ExpiresIn (integer) --
The expiration period of the authentication result.
TokenType (string) --
The token type.
RefreshToken (string) --
The refresh token.
IdToken (string) --
The ID token.
NewDeviceMetadata (dict) --
The new device metadata from an authentication result.
DeviceKey (string) --
The device key.
DeviceGroupKey (string) --
The device group key.
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
'UserContextData': {'EncodedData': 'string'}}
Registers the user in the specified user pool and creates a user name, password, and user attributes.
See also: AWS API Documentation
Request Syntax
client.sign_up(
ClientId='string',
SecretHash='string',
Username='string',
Password='string',
UserAttributes=[
{
'Name': 'string',
'Value': 'string'
},
],
ValidationData=[
{
'Name': 'string',
'Value': 'string'
},
],
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
}
)
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user you wish to register.
string
[REQUIRED]
The password of the user you wish to register.
list
An array of name-value pairs representing user attributes.
For custom attributes, you must prepend the custom: prefix to the attribute name.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
list
The validation data in the request to register a user.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for SignUp calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
Response Syntax
{
'UserConfirmed': True|False,
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
},
'UserSub': 'string'
}
Response Structure
(dict) --
The response from the server for a registration request.
UserConfirmed (boolean) --
A response from the server indicating that a user registration has been confirmed.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server response to the user registration request.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
UserSub (string) --
The UUID of the authenticated user. This is not the same as username .
{'LambdaConfig': {'PreTokenGeneration': 'string'},
'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | ENFORCED'}}
Updates the specified user pool with the specified attributes.
See also: AWS API Documentation
Request Syntax
client.update_user_pool(
UserPoolId='string',
Policies={
'PasswordPolicy': {
'MinimumLength': 123,
'RequireUppercase': True|False,
'RequireLowercase': True|False,
'RequireNumbers': True|False,
'RequireSymbols': True|False
}
},
LambdaConfig={
'PreSignUp': 'string',
'CustomMessage': 'string',
'PostConfirmation': 'string',
'PreAuthentication': 'string',
'PostAuthentication': 'string',
'DefineAuthChallenge': 'string',
'CreateAuthChallenge': 'string',
'VerifyAuthChallengeResponse': 'string',
'PreTokenGeneration': 'string'
},
AutoVerifiedAttributes=[
'phone_number'|'email',
],
SmsVerificationMessage='string',
EmailVerificationMessage='string',
EmailVerificationSubject='string',
VerificationMessageTemplate={
'SmsMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string',
'EmailMessageByLink': 'string',
'EmailSubjectByLink': 'string',
'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
},
SmsAuthenticationMessage='string',
MfaConfiguration='OFF'|'ON'|'OPTIONAL',
DeviceConfiguration={
'ChallengeRequiredOnNewDevice': True|False,
'DeviceOnlyRememberedOnUserPrompt': True|False
},
EmailConfiguration={
'SourceArn': 'string',
'ReplyToEmailAddress': 'string'
},
SmsConfiguration={
'SnsCallerArn': 'string',
'ExternalId': 'string'
},
UserPoolTags={
'string': 'string'
},
AdminCreateUserConfig={
'AllowAdminCreateUserOnly': True|False,
'UnusedAccountValidityDays': 123,
'InviteMessageTemplate': {
'SMSMessage': 'string',
'EmailMessage': 'string',
'EmailSubject': 'string'
}
},
UserPoolAddOns={
'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
}
)
string
[REQUIRED]
The user pool ID for the user pool you want to update.
dict
A container with the policies you wish to update in a user pool.
PasswordPolicy (dict) --
The password policy.
MinimumLength (integer) --
The minimum length of the password policy that you have set. Cannot be less than 6.
RequireUppercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
RequireLowercase (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
RequireNumbers (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
RequireSymbols (boolean) --
In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
dict
The AWS Lambda configuration information from the request to update the user pool.
PreSignUp (string) --
A pre-registration AWS Lambda trigger.
CustomMessage (string) --
A custom Message AWS Lambda trigger.
PostConfirmation (string) --
A post-confirmation AWS Lambda trigger.
PreAuthentication (string) --
A pre-authentication AWS Lambda trigger.
PostAuthentication (string) --
A post-authentication AWS Lambda trigger.
DefineAuthChallenge (string) --
Defines the authentication challenge.
CreateAuthChallenge (string) --
Creates an authentication challenge.
VerifyAuthChallengeResponse (string) --
Verifies the authentication challenge response.
PreTokenGeneration (string) --
A Lambda trigger that is invoked before token generation.
list
The attributes that are automatically verified when the Amazon Cognito service makes a request to update user pools.
(string) --
string
A container with information about the SMS verification message.
string
The contents of the email verification message.
string
The subject of the email verification message.
dict
The template for verification messages.
SmsMessage (string) --
The SMS message template.
EmailMessage (string) --
The email message template.
EmailSubject (string) --
The subject line for the email message template.
EmailMessageByLink (string) --
The email message template for sending a confirmation link to the user.
EmailSubjectByLink (string) --
The subject line for the email message template for sending a confirmation link to the user.
DefaultEmailOption (string) --
The default email option.
string
The contents of the SMS authentication message.
string
Can be one of the following values:
OFF - MFA tokens are not required and cannot be specified during user registration.
ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.
OPTIONAL - Users have the option when registering to create an MFA token.
dict
Device configuration.
ChallengeRequiredOnNewDevice (boolean) --
Indicates whether a challenge is required on a new device. Only applicable to a new device.
DeviceOnlyRememberedOnUserPrompt (boolean) --
If true, a device is only remembered on user prompt.
dict
Email configuration.
SourceArn (string) --
The Amazon Resource Name (ARN) of the email source.
ReplyToEmailAddress (string) --
The destination to which the receiver of the email should reply to.
dict
SMS configuration.
SnsCallerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.
ExternalId (string) --
The external ID.
dict
The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool
(string) --
(string) --
dict
The configuration for AdminCreateUser requests.
AllowAdminCreateUserOnly (boolean) --
Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
UnusedAccountValidityDays (integer) --
The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.
InviteMessageTemplate (dict) --
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages.
SMSMessage (string) --
The message template for SMS messages.
EmailMessage (string) --
The message template for email messages.
EmailSubject (string) --
The subject line for email messages.
dict
Used to enable advanced security risk detection. Set the key AdvancedSecurityMode to the value "AUDIT".
AdvancedSecurityMode (string) -- [REQUIRED]
The advanced security mode.
dict
Response Syntax
{}
Response Structure
(dict) --
Represents the response from the server when you make a request to update the user pool.
{'AnalyticsConfiguration': {'ApplicationId': 'string',
'ExternalId': 'string',
'RoleArn': 'string',
'UserDataShared': 'boolean'}}
Response {'UserPoolClient': {'AnalyticsConfiguration': {'ApplicationId': 'string',
'ExternalId': 'string',
'RoleArn': 'string',
'UserDataShared': 'boolean'}}}
Allows the developer to update the specified user pool client and password policy.
See also: AWS API Documentation
Request Syntax
client.update_user_pool_client(
UserPoolId='string',
ClientId='string',
ClientName='string',
RefreshTokenValidity=123,
ReadAttributes=[
'string',
],
WriteAttributes=[
'string',
],
ExplicitAuthFlows=[
'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
],
SupportedIdentityProviders=[
'string',
],
CallbackURLs=[
'string',
],
LogoutURLs=[
'string',
],
DefaultRedirectURI='string',
AllowedOAuthFlows=[
'code'|'implicit'|'client_credentials',
],
AllowedOAuthScopes=[
'string',
],
AllowedOAuthFlowsUserPoolClient=True|False,
AnalyticsConfiguration={
'ApplicationId': 'string',
'RoleArn': 'string',
'ExternalId': 'string',
'UserDataShared': True|False
}
)
string
[REQUIRED]
The user pool ID for the user pool where you want to update the user pool client.
string
[REQUIRED]
The ID of the client associated with the user pool.
string
The client name from the update user pool client request.
integer
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
list
The read-only attributes of the user pool.
(string) --
list
The writeable attributes of the user pool.
(string) --
list
Explicit authentication flows.
(string) --
list
A list of provider names for the identity providers that are supported on this client.
(string) --
list
A list of allowed callback URLs for the identity providers.
(string) --
list
A list of allowed logout URLs for the identity providers.
(string) --
string
The default redirect URI. Must be in the CallbackURLs list.
list
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
list
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
boolean
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
dict
The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
ApplicationId (string) -- [REQUIRED]
The application ID for an Amazon Pinpoint application.
RoleArn (string) -- [REQUIRED]
The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
ExternalId (string) -- [REQUIRED]
The external ID.
UserDataShared (boolean) --
If UserDataShared is true , Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
dict
Response Syntax
{
'UserPoolClient': {
'UserPoolId': 'string',
'ClientName': 'string',
'ClientId': 'string',
'ClientSecret': 'string',
'LastModifiedDate': datetime(2015, 1, 1),
'CreationDate': datetime(2015, 1, 1),
'RefreshTokenValidity': 123,
'ReadAttributes': [
'string',
],
'WriteAttributes': [
'string',
],
'ExplicitAuthFlows': [
'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
],
'SupportedIdentityProviders': [
'string',
],
'CallbackURLs': [
'string',
],
'LogoutURLs': [
'string',
],
'DefaultRedirectURI': 'string',
'AllowedOAuthFlows': [
'code'|'implicit'|'client_credentials',
],
'AllowedOAuthScopes': [
'string',
],
'AllowedOAuthFlowsUserPoolClient': True|False,
'AnalyticsConfiguration': {
'ApplicationId': 'string',
'RoleArn': 'string',
'ExternalId': 'string',
'UserDataShared': True|False
}
}
}
Response Structure
(dict) --
Represents the response from the server to the request to update the user pool client.
UserPoolClient (dict) --
The user pool client value from the response from the server when an update user pool client request is made.
UserPoolId (string) --
The user pool ID for the user pool client.
ClientName (string) --
The client name from the user pool request of the client type.
ClientId (string) --
The ID of the client associated with the user pool.
ClientSecret (string) --
The client secret from the user pool request of the client type.
LastModifiedDate (datetime) --
The date the user pool client was last modified.
CreationDate (datetime) --
The date the user pool client was created.
RefreshTokenValidity (integer) --
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
ReadAttributes (list) --
The Read-only attributes.
(string) --
WriteAttributes (list) --
The writeable attributes.
(string) --
ExplicitAuthFlows (list) --
The explicit authentication flows.
(string) --
SupportedIdentityProviders (list) --
A list of provider names for the identity providers that are supported on this client.
(string) --
CallbackURLs (list) --
A list of allowed callback URLs for the identity providers.
(string) --
LogoutURLs (list) --
A list of allowed logout URLs for the identity providers.
(string) --
DefaultRedirectURI (string) --
The default redirect URI. Must be in the CallbackURLs list.
AllowedOAuthFlows (list) --
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
AllowedOAuthScopes (list) --
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
AllowedOAuthFlowsUserPoolClient (boolean) --
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
AnalyticsConfiguration (dict) --
The Amazon Pinpoint analytics configuration for the user pool client.
ApplicationId (string) --
The application ID for an Amazon Pinpoint application.
RoleArn (string) --
The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
ExternalId (string) --
The external ID.
UserDataShared (boolean) --
If UserDataShared is true , Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.