User Auth Pool
This example shows a basic user auth pool configuration.
User pool resource
- Fully managed sign-ups, logins and authorization for your users with pay-per-use pricing.
Basic example
resources:
  myUserAuthPool:
    type: user-auth-pool
    properties:
      # Ensures that new accounts can only be created using admin create flows
      #
      # - If this is disabled, users can sign themselves up.
      #
      # - Type: boolean
      # - Required: false
      allowOnlyAdminsToCreateAccount: true
      # Maximum number of days that unused accounts will be preserved
      #
      # - Type: number
      # - Required: false
      unusedAccountValidityDays: 100
      # Enforces email verification for new accounts
      #
      # - Type: boolean
      # - Required: false
      requireEmailVerification: true
      # Enforces phone number verification for new accounts
      #
      # - Type: boolean
      # - Required: false
      requirePhoneNumberVerification: true
      # Enables the hosted UI for the user pool
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      enableHostedUi: false
      # Domain prefix for the hosted UI
      #
      # - Type: string
      # - Required: false
      hostedUiDomainPrefix: example-value
      # CSS applied to your hosted UI
      #
      # - Type: string
      # - Required: false
      hostedUiCSS: example-value
      # Function hooks that will be triggered on certain events that happen inside the user pool
      #
      # - To better understand user pool hooks, refer to
      #   [AWS Docs](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html)
      #
      # - Type: object
      # - Required: false
      hooks:
        #
        # - Type: string
        # - Required: false
        customMessage: example-value
        #
        # - Type: string
        # - Required: false
        postAuthentication: example-value
        #
        # - Type: string
        # - Required: false
        postConfirmation: example-value
        #
        # - Type: string
        # - Required: false
        preAuthentication: example-value
        #
        # - Type: string
        # - Required: false
        preSignUp: example-value
        #
        # - Type: string
        # - Required: false
        preTokenGeneration: example-value
        #
        # - Type: string
        # - Required: false
        userMigration: example-value
        #
        # - Type: string
        # - Required: false
        createAuthChallenge: example-value
        #
        # - Type: string
        # - Required: false
        defineAuthChallenge: example-value
        #
        # - Type: string
        # - Required: false
        verifyAuthChallengeResponse: example-value
      # Configuration for emails sent by the Cognito User Pool
      #
      # - Type: object
      # - Required: false
      emailConfiguration:
        #
        # - Type: string
        # - Required: false
        sesAddressArn: example-value
        #
        # - Type: string
        # - Required: false
        from: example-value
        #
        # - Type: string
        # - Required: false
        replyToEmailAddress: user@example.com
      # Configuration of the invite message for new users
      #
      # - Type: object
      # - Required: false
      inviteMessageConfig:
        #
        # - Type: string
        # - Required: false
        emailMessage: example-value
        #
        # - Type: string
        # - Required: false
        emailSubject: example-value
        #
        # - Type: string
        # - Required: false
        smsMessage: example-value
      # Configuration of the user verification type
      #
      # - `none` - no verification is required
      # - `email-link` - the user receives an email with a link that they need to click
      # - `email-code` - the user receives an email with a code that they need to enter
      # - `sms` - the user receives an SMS with a code that they need to enter
      #
      # - Type: enum: [email-code, email-link, none, sms]
      # - Required: false
      # - Allowed values: [email-code, email-link, none, sms]
      userVerificationType: email-code
      # Configures the user verification message
      #
      # - Type: object
      # - Required: false
      userVerificationMessageConfig:
        #
        # - Type: string
        # - Required: false
        emailMessageUsingCode: example-value
        #
        # - Type: string
        # - Required: false
        emailMessageUsingLink: example-value
        #
        # - Type: string
        # - Required: false
        emailSubjectUsingCode: example-value
        #
        # - Type: string
        # - Required: false
        emailSubjectUsingLink: example-value
        #
        # - Type: string
        # - Required: false
        smsMessage: example-value
      # Configures Multi-factor Authentication for this user pool
      #
      # - Type: object
      # - Required: false
      mfaConfiguration:
        #
        # - Type: enum: [OFF, ON, OPTIONAL]
        # - Required: false
        # - Allowed values: [OFF, ON, OPTIONAL]
        status: OFF
        #
        # - Type: array<string>
        # - Required: false
        enabledTypes:
          - SMS
      # Requirements for the password
      #
      # - Applies to users created directly in Cognito
      #
      # - Type: object
      # - Required: false
      passwordPolicy:
        #
        # - Type: number
        # - Required: false
        minimumLength: 100
        #
        # - Type: boolean
        # - Required: false
        requireLowercase: true
        #
        # - Type: boolean
        # - Required: false
        requireNumbers: true
        #
        # - Type: boolean
        # - Required: false
        requireSymbols: true
        #
        # - Type: boolean
        # - Required: false
        requireUppercase: true
        #
        # - Type: number
        # - Required: false
        temporaryPasswordValidityDays: 100
      #
      # - Type: array<object (reference)>
      # - Required: false
      schema:
        - name: example-name
      # Allows a phone number to be used as a username
      #
      # - Type: boolean
      # - Required: false
      # - Default: true
      allowPhoneNumberAsUserName: true
      # Allows an email address to be used as a username
      #
      # - Type: boolean
      # - Required: false
      # - Default: true
      allowEmailAsUserName: true
      # Duration (in seconds) until the access token expires
      #
      # - To better understand tokens used in Cognito user pools, refer
      #   to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      accessTokenValiditySeconds: 100
      # Duration (in seconds) until the identity token expires
      #
      # - To better understand tokens used in Cognito user pools, refer
      #   to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      idTokenValiditySeconds: 100
      # Duration (in days) until the refresh token expires
      #
      # - To better understand tokens used in Cognito user pools, refer
      #   to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      refreshTokenValidityDays: 100
      # OAuth flows allowed for this user pool
      #
      # - To better understand OAuth flows, refer
      #   to [AWS blog post](https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/)
      #
      # - Type: array<object (reference)>
      # - Required: false
      allowedOAuthFlows:
        - example-value
      # OAuth scopes allowed for this user pool
      #
      # - Type: array<string>
      # - Required: false
      allowedOAuthScopes:
        - example-value
      # Users will be redirected to one of these URLs after a successful authentication
      #
      # - Type: array<string>
      # - Required: false
      callbackURLs:
        - https://example.com
      # Users will be redirected to one of these URLs after a logout
      #
      # - Type: array<string>
      # - Required: false
      logoutURLs:
        - https://example.com
      # Configuration for external identity providers
      #
      # - Type: array<object (reference)>
      # - Required: false
      identityProviders:
        - clientId: example-value
          clientSecret: example-value
          type: Facebook
      # Name of the 'web-app-firewall' resource that will be used to protect this user pool
      #
      # - You can use `web-app-firewall` to protect your resources from common web exploits that could affect
      #   application availability, compromise security, or consume excessive resources.
      # - The web app firewall protects your application by filtering dangerous requests coming to your app.
      #   You can read more about the firewall [in our docs](https://docs.stacktape.com/security-resources/web-app-firewalls/).
      #
      # - Type: string
      # - Required: false
      useFirewall: example-value
      # Generates a secret for the user pool client
      #
      # - By default, no client secret is generated.
      # - When enabled, this property instructs the system to generate a unique secret associated with the app client.
      #   This secret is used in conjunction with the client ID to authenticate the app client in server-to-server interactions.
      # - The client secret adds an additional layer of security for applications that can securely store secrets.
      #   It is particularly useful for backend applications where the secret can be kept confidential.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      generateClientSecret: false
      # Enables exclusive use of external identity providers for authentication, disabling the user pool's built-in sign-in mechanism
      #
      # - Disables Cognito User Pool authentication: users will not be able to sign up or sign in using Cognito's built-in
      #   username and password mechanism.
      # - Requires external identity providers: authentication must be performed through configured external identity
      #   providers such as Google, Facebook, or SAML-based services.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      allowOnlyExternalIdentityProviders: false
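The example above is a field reference, so it does not show how the settings interact from a security standpoint. The following Python is an added example, not Stacktape's or AWS's code, that does two things a reviewer of such a config typically wants: it walks the `properties` of a `user-auth-pool` (the page's values, parsed into a dict and embedded here as constructed sample input) and reports the weak settings, placing the page's configuration beside a hardened variant; and it computes the `SECRET_HASH` value that a backend must send with Cognito authentication calls once `generateClientSecret` is enabled, which is why that secret must stay on the server. The review thresholds (`MAX_ACCESS_TOKEN_SECONDS` and friends) are this example's own assumptions, not limits taken from the page.

```python
"""Added example: review a Stacktape `user-auth-pool` config and compute a
Cognito SECRET_HASH. Not part of the Stacktape documentation or codebase."""
import base64
import hashlib
import hmac

# Constructed sample: the `properties` block of the page's example, as it
# would look after yaml.safe_load(). Only the security-relevant keys are kept.
PAGE_PROPERTIES = {
    "allowOnlyAdminsToCreateAccount": True,
    "requireEmailVerification": True,
    "mfaConfiguration": {"status": "OFF", "enabledTypes": ["SMS"]},
    "passwordPolicy": {
        "minimumLength": 100,
        "requireLowercase": True,
        "requireNumbers": True,
        "requireSymbols": True,
        "requireUppercase": True,
        "temporaryPasswordValidityDays": 100,
    },
    "accessTokenValiditySeconds": 100,
    "idTokenValiditySeconds": 100,
    "refreshTokenValidityDays": 100,
    "callbackURLs": ["https://example.com"],
    "logoutURLs": ["https://example.com"],
    "generateClientSecret": False,
}

# Constructed hardened variant of the same properties (MFA required, short
# temporary-password and refresh-token lifetimes, client secret enabled).
HARDENED_PROPERTIES = {
    **PAGE_PROPERTIES,
    "mfaConfiguration": {"status": "ON", "enabledTypes": ["SMS"]},
    "passwordPolicy": {**PAGE_PROPERTIES["passwordPolicy"], "temporaryPasswordValidityDays": 7},
    "refreshTokenValidityDays": 30,
    "generateClientSecret": True,
}

# Review thresholds: assumptions of this example, not values from the page.
MAX_ACCESS_TOKEN_SECONDS = 3600
MAX_REFRESH_TOKEN_DAYS = 30
MIN_PASSWORD_LENGTH = 12
MAX_TEMP_PASSWORD_DAYS = 7


def review_pool(props):
    """Return a list of findings for weak settings; an empty list means clean."""
    findings = []

    mfa_status = props.get("mfaConfiguration", {}).get("status", "OFF")
    if mfa_status == "OFF":
        findings.append("mfaConfiguration.status is OFF: no second factor for any user")
    elif mfa_status == "OPTIONAL":
        findings.append("mfaConfiguration.status is OPTIONAL: users may skip enrolling a second factor")

    policy = props.get("passwordPolicy", {})
    if policy.get("minimumLength", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"passwordPolicy.minimumLength below {MIN_PASSWORD_LENGTH}")
    for flag in ("requireLowercase", "requireUppercase", "requireNumbers", "requireSymbols"):
        if not policy.get(flag, False):
            findings.append(f"passwordPolicy.{flag} is not enforced")
    if policy.get("temporaryPasswordValidityDays", 0) > MAX_TEMP_PASSWORD_DAYS:
        findings.append("passwordPolicy.temporaryPasswordValidityDays: admin-issued passwords stay valid too long")

    if props.get("accessTokenValiditySeconds", 0) > MAX_ACCESS_TOKEN_SECONDS:
        findings.append("accessTokenValiditySeconds: a stolen access token stays usable too long")
    if props.get("refreshTokenValidityDays", 0) > MAX_REFRESH_TOKEN_DAYS:
        findings.append("refreshTokenValidityDays: a stolen refresh token stays usable too long")

    if not props.get("requireEmailVerification", False):
        findings.append("requireEmailVerification is off: unverified addresses can be registered")

    # Redirect targets should be TLS-protected; plain http is tolerated only for localhost development.
    for url in props.get("callbackURLs", []) + props.get("logoutURLs", []):
        if not (url.startswith("https://") or url.startswith("http://localhost")):
            findings.append(f"redirect URL {url!r} is not served over https")

    if not props.get("generateClientSecret", False):
        findings.append("generateClientSecret is false: server-side app clients cannot authenticate themselves")
    return findings


def secret_hash(client_id, client_secret, username):
    """Cognito SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Required on sign-up and authentication calls when the app client has a secret;
    compute it only where the secret can be kept confidential (a backend)."""
    mac = hmac.new(client_secret.encode("utf-8"), (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"{name}: {len(review_pool(cfg))} finding(s)")
        for finding in review_pool(cfg):
            print("  -", finding)
    # Constructed client id / secret / username; real values come from the deployed pool.
    print("SECRET_HASH:", secret_hash("example-client-id", "example-client-secret", "alice"))
```

`review_pool` is deliberately a pure function over the parsed dict, so it can run in CI against the template before deployment; `secret_hash` is the value Cognito expects in the `SECRET_HASH` request parameter and is the reason the page says the client secret belongs to backend applications only.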