

User Auth Pool

This example shows a basic user auth pool configuration. Every property below is optional; the values shown are placeholders that illustrate the schema, not a recommended production configuration — pay particular attention to the MFA, password-policy, token-lifetime and identity-provider settings before deploying.

User pool resource

  • Fully managed sign-up, sign-in and authorization for your users (backed by an Amazon Cognito user pool), with pay-per-use pricing.

Basic example

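resources:
  myUserAuthPool:
    type: user-auth-pool
    properties:
      # Ensures that new accounts can only be created using admin create flows
      #
      # - If this is disabled, users can sign themselves up.
      # - Leaving self sign-up open on a pool that grants access to anything sensitive
      #   is a common misconfiguration; keep this `true` unless you really need public registration.
      #
      # - Type: boolean
      # - Required: false
      allowOnlyAdminsToCreateAccount: true
      # Maximum number of days that unused (never-confirmed) accounts will be preserved
      #
      # - Keep this short so that stale invitations / temporary passwords do not linger.
      #
      # - Type: number
      # - Required: false
      unusedAccountValidityDays: 7
      # Enforces email verification for new accounts
      #
      # - Only meaningful together with a `userVerificationType` of `email-code` or `email-link`;
      #   with `userVerificationType: none` nothing is actually verified.
      #
      # - Type: boolean
      # - Required: false
      requireEmailVerification: true
      # Enforces phone number verification for new accounts
      #
      # - Required if you want to use SMS as an MFA factor (see `mfaConfiguration`).
      #
      # - Type: boolean
      # - Required: false
      requirePhoneNumberVerification: true
      # Enables hosted UI for the userpool
      #
      # - `hostedUiDomainPrefix` and `hostedUiCSS` only take effect when this is `true`.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      enableHostedUi: false
      # Domain prefix for the hosted UI
      #
      # - Type: string
      # - Required: false
      hostedUiDomainPrefix: example-value
      # CSS applied to your hosted UI
      #
      # - Type: string
      # - Required: false
      hostedUiCSS: example-value
      # Function hooks that will be triggered on certain events that happen inside the userpool
      #
      # - To better understand user pool hooks, refer to
      #   [AWS Docs](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html)
      # - Each value is the name of a function resource in this stack.
      # - Hooks run with the privileges of the function; anything they add to tokens
      #   (`preTokenGeneration`) or decide (`defineAuthChallenge`, `verifyAuthChallengeResponse`)
      #   is trusted by your application, so review them as carefully as the app's own authz code.
      #
      # - Type: object
      # - Required: false
      hooks:
        #
        # - Type: string
        # - Required: false
        customMessage: example-value
        #
        # - Type: string
        # - Required: false
        postAuthentication: example-value
        #
        # - Type: string
        # - Required: false
        postConfirmation: example-value
        #
        # - Type: string
        # - Required: false
        preAuthentication: example-value
        #
        # - Type: string
        # - Required: false
        preSignUp: example-value
        #
        # - Type: string
        # - Required: false
        preTokenGeneration: example-value
        # NOTE(review): the user-migration trigger receives the user's submitted credentials
        # in its event so it can authenticate against the legacy store — make sure the
        # function never logs the raw event.
        #
        # - Type: string
        # - Required: false
        userMigration: example-value
        #
        # - Type: string
        # - Required: false
        createAuthChallenge: example-value
        #
        # - Type: string
        # - Required: false
        defineAuthChallenge: example-value
        #
        # - Type: string
        # - Required: false
        verifyAuthChallengeResponse: example-value
      # Configuration for emails sent by Cognito User Pool
      #
      # - Type: object
      # - Required: false
      emailConfiguration:
        #
        # - Type: string
        # - Required: false
        sesAddressArn: example-value
        #
        # - Type: string
        # - Required: false
        from: example-value
        #
        # - Type: string
        # - Required: false
        replyToEmailAddress: user@example.com
      # Configuration of invite message for new users
      #
      # - Type: object
      # - Required: false
      inviteMessageConfig:
        #
        # - Type: string
        # - Required: false
        emailMessage: example-value
        #
        # - Type: string
        # - Required: false
        emailSubject: example-value
        #
        # - Type: string
        # - Required: false
        smsMessage: example-value
      # Configuration of user verification type
      #
      # - `none` - no verification is required (unverified addresses/numbers can then be attached to accounts)
      # - `email-link` - user receives, by email, a link that they need to click
      # - `email-code` - user receives, by email, a code that they need to enter
      # - `sms` - user receives, by SMS, a code that they need to enter
      #
      # - Type: enum: [email-code, email-link, none, sms]
      # - Required: false
      # - Allowed values: [email-code, email-link, none, sms]
      userVerificationType: email-code
      # Configures the user verification message
      #
      # - Type: object
      # - Required: false
      userVerificationMessageConfig:
        #
        # - Type: string
        # - Required: false
        emailMessageUsingCode: example-value
        #
        # - Type: string
        # - Required: false
        emailMessageUsingLink: example-value
        #
        # - Type: string
        # - Required: false
        emailSubjectUsingCode: example-value
        #
        # - Type: string
        # - Required: false
        emailSubjectUsingLink: example-value
        #
        # - Type: string
        # - Required: false
        smsMessage: example-value
      # Configures Multi-factor Authentication for this userpool
      #
      # - `OFF` disables MFA for everyone, `OPTIONAL` lets each user opt in, `ON` requires it.
      # - Listing a type under `enabledTypes` does nothing while `status` is `OFF`.
      # - SMS codes are vulnerable to SIM-swap and phishing; treat SMS as the weakest factor.
      # - `ON` / `OFF` are quoted because unquoted they are booleans in YAML 1.1 parsers.
      #
      # - Type: object
      # - Required: false
      mfaConfiguration:
        #
        # - Type: enum: [OFF, ON, OPTIONAL]
        # - Required: false
        # - Allowed values: [OFF, ON, OPTIONAL]
        status: "ON"
        #
        # - Type: array<string>
        # - Required: false
        enabledTypes:
          - SMS
      # Requirements for the password
      #
      # - Applies to users created directly in Cognito (not to users authenticated via external identity providers)
      # - Length is the requirement that matters most; keep the minimum comfortably above 8.
      #
      # - Type: object
      # - Required: false
      passwordPolicy:
        #
        # - Type: number
        # - Required: false
        minimumLength: 12
        #
        # - Type: boolean
        # - Required: false
        requireLowercase: true
        #
        # - Type: boolean
        # - Required: false
        requireNumbers: true
        #
        # - Type: boolean
        # - Required: false
        requireSymbols: true
        #
        # - Type: boolean
        # - Required: false
        requireUppercase: true
        # How long an admin-issued temporary password stays usable; keep it short.
        #
        # - Type: number
        # - Required: false
        temporaryPasswordValidityDays: 7
      #
      # - Type: array<object (reference)>
      # - Required: false
      schema:
        - name: example-name
      # Allows phone number to be used as a username
      #
      #
      # - Type: boolean
      # - Required: false
      # - Default: true
      allowPhoneNumberAsUserName: true
      # Allows email to be used as a username
      #
      #
      # - Type: boolean
      # - Required: false
      # - Default: true
      allowEmailAsUserName: true
      # Duration (in seconds) until the access token expires
      #
      # - To better understand tokens used in Cognito user pools, refer
      #   to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      # - Access tokens cannot be revoked individually once issued, so a short lifetime
      #   bounds the damage of a leaked token.
      #
      # - Type: number
      # - Required: false
      accessTokenValiditySeconds: 3600
      # Duration (in seconds) until the identity token expires
      #
      # - To better understand tokens used in Cognito user pools, refer
      #   to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      idTokenValiditySeconds: 3600
      # Duration (in days) until the refresh token expires
      #
      # - To better understand tokens used in Cognito user pools, refer
      #   to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      # - This is the effective maximum session length; size it to your re-authentication policy.
      #
      # - Type: number
      # - Required: false
      refreshTokenValidityDays: 30
      # Oauth flows allowed for this user pool
      #
      # - To better understand Oauth flows, refer
      #   to [AWS blog post](https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/)
      # - Enable only the flows your clients actually use; the implicit grant exposes tokens in URLs.
      #
      # - Type: array<object (reference)>
      # - Required: false
      allowedOAuthFlows:
        - example-value
      # Oauth scopes allowed for this user pool
      #
      # - Type: array<string>
      # - Required: false
      allowedOAuthScopes:
        - example-value
      # User will be redirected to this URL after a successful authentication
      #
      # - Redirect targets are matched exactly; list only URLs you control and use HTTPS
      #   (an over-broad list lets an attacker receive authorization codes).
      #
      # - Type: array<string>
      # - Required: false
      callbackURLs:
        - https://example.com
      # User will be redirected to this URL after a logout
      #
      # - Type: array<string>
      # - Required: false
      logoutURLs:
        - https://example.com
      # Configuration for external identity providers
      #
      # - `clientSecret` is a credential: do not commit the real value to version control,
      #   inject it from your secret store / CI secrets at deploy time.
      #
      # - Type: array<object (reference)>
      # - Required: false
      identityProviders:
        - clientId: example-value
          clientSecret: example-value
          type: Facebook
      # Name of the 'web-app-firewall' resource type that will be used to protect this user pool
      #
      # - You can use `web-app-firewall` to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
      # - Web app firewall protects your application by filtering dangerous requests coming to your app.
      #   You can read more about the firewall [in our docs](https://docs.stacktape.com/security-resources/web-app-firewalls/).
      # - Rate limiting at the firewall is the practical defence against credential-stuffing and sign-up abuse.
      #
      # - Type: string
      # - Required: false
      useFirewall: example-value
      # Generates secret for a user pool client
      #
      # - By default, client secret is not generated.
      # - When enabled, this property instructs the system to generate a unique secret associated with the app client. This secret is used in conjunction with the client ID to authenticate the app client in server-to-server interactions.
      # - The client secret adds an additional layer of security for applications that can securely store secrets. It is particularly useful for backend applications where the secret can be kept confidential.
      # - Do NOT enable this for a client that is a browser SPA or a mobile app: the secret
      #   would ship inside the client and is then not a secret at all.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      generateClientSecret: false
      # Enables exclusive use of external identity providers for authentication, disabling user pool's built-in sign-in mechanism
      #
      # - Disables Cognito User Pool authentication: Users will not be able to sign up or sign in using Cognito's built-in username and password mechanism.
      # - Requires external identity providers: Authentication must be performed through configured external identity providers such as Google, Facebook, or SAML-based services.
      # - When `true`, `passwordPolicy` and `mfaConfiguration` no longer apply to how users authenticate;
      #   those controls are delegated to the external provider.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      allowOnlyExternalIdentityProviders: false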
