
📊Tracking: Cognito #6765

Closed
nija-at opened this issue Mar 17, 2020 · 8 comments
Assignees
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito management/tracking Issues that track a subject or multiple issues

Comments

@nija-at
Contributor

nija-at commented Mar 17, 2020

Add your +1 👍 to help us prioritize high-level constructs for this service


Overview:

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services.

AWS Docs for User Pools

AWS Docs for Identity Pools

CDK API reference page

Maturity: Experimental

See the AWS Construct Library Module Lifecycle doc for more information about maturity levels.

Features & Support

User Pool

| Done | Item | Needed for Graduation | Link to issue or docs |
|---|---|---|---|
| ✔️ | initialization & import | ✔️ | construction & import |
| ✔️ | sign in & sign up configuration, auto verification | ✔️ | sign up & sign in |
| ✔️ | basic security (mfa, password policy, etc.) | ✔️ | security |
| ✔️ | standard and custom attributes | ✔️ | attributes |
| ✔️ | triggers | ✔️ | lambda triggers |
| ✔️ | app clients | ✔️ | app clients |
| ✔️ | domains | ✔️ | domains |
| | users & groups | ✔️ | |
| | message template builder | | #6811 |
| | advanced security | | #7405 |
| ✔️ | route53 integration with user pool domain | ✔️ | search for 'user pool domain' here |
| | Simple Email Service integration | | #6768 |
| | identity providers | ✔️ | #6853 |
| | hosted UI customization | | #6953 |
| | risk configuration | | |
| | resource server | | |

Identity Pool

| Done | Item | Needed for Graduation | Link to issue or docs |
|---|---|---|---|
| | initialization & import | ✔️ | |
| | public identity providers & access control | ✔️ | |
| | role mapping & mapping rules | ✔️ | |
| | OpenIdConnect & SAML and developer-authenticated identity providers | | |

See the CDK API Reference for more implementation details.

Issues

All open Cognito issues can be found here


This is a 📊Tracking Issue

@nija-at nija-at added the management/tracking Issues that track a subject or multiple issues label Mar 17, 2020
@nija-at nija-at self-assigned this Mar 17, 2020
@nija-at nija-at added the @aws-cdk/aws-cognito Related to Amazon Cognito label Mar 17, 2020
@0xdevalias
Contributor

0xdevalias commented Mar 19, 2020

Linking to the RFC for better discoverability:

Also, for anyone who needs it in the interim, I've been posting my workaround code snippets in aws/aws-cdk-rfcs#95 (comment)

@0xdevalias
Contributor

Added a new issue for Hosted UI customisations: #6953

@markcarroll

Added new issue #7011 for custom attributes which are currently set to immutable

@0xdevalias
Contributor

0xdevalias commented Apr 1, 2020

This may need to be captured in a new issue, but should the UserPool have grant* methods on it to give other resources (eg. lambda functions) access to various API/SDK methods?

Captured in #7112

References, Examples, Code Samples, etc

CDK

Cognito

Policies

eg.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1585721272022",
      "Action": [
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminGetUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}"
    }
  ]
}
```

```ts
import { UserPool } from '@aws-cdk/aws-cognito'
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam'

// ..snip..

/**
 * Lookup authentication UserPool
 */
const userPool = UserPool.fromUserPoolId(this, 'UserPool', userPoolId)

// ..snip..

// fnHandler is the Lambda function that needs to call the Cognito admin APIs;
// the statement is scoped to the single user pool ARN rather than '*'
fnHandler.addToRolePolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    actions: [
      'cognito-idp:AdminGetUser',
      'cognito-idp:AdminEnableUser',
      'cognito-idp:AdminDisableUser',
      // etc
    ],
    resources: [
      `arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}`,
    ],
  })
)
```
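The snippet above hand-builds a policy statement scoped to one user pool ARN, which is exactly what a `grant*` method would be expected to produce. As an added example (not code from this issue or from the aws-cdk project, and independent of the CDK so it runs with plain TypeScript), here is a small helper that renders the same least-privilege document from region, account and pool id, plus a lint check a reviewer can run over a rendered policy to confirm that `cognito-idp` actions are not granted with wildcards and that every resource is a single user pool ARN. The function names, the `OVERLY_BROAD_POLICY` sample and the account/pool values are all constructed for this illustration.

```typescript
// Added example, not part of the issue or the aws-cdk project.
// Builds and lints a least-privilege IAM policy for a function that calls
// Cognito user-pool admin APIs. All names and sample values are constructed.

interface PolicyStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// The admin-level actions the function in the thread needs; nothing broader.
const ADMIN_USER_ACTIONS = [
  'cognito-idp:AdminGetUser',
  'cognito-idp:AdminEnableUser',
  'cognito-idp:AdminDisableUser',
];

// ARN format for a user pool (same shape as the template literal in the thread).
function userPoolArn(region: string, account: string, userPoolId: string): string {
  return `arn:aws:cognito-idp:${region}:${account}:userpool/${userPoolId}`;
}

// Render the document the CDK PolicyStatement above would produce once tokens resolve.
function cognitoAdminPolicy(
  region: string,
  account: string,
  userPoolId: string,
  actions: string[] = ADMIN_USER_ACTIONS,
): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'CognitoAdminUserAccess',
        Effect: 'Allow',
        Action: [...actions],
        Resource: userPoolArn(region, account, userPoolId),
      },
    ],
  };
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Matches exactly one user pool ARN: region, 12-digit account, single pool id.
const USER_POOL_ARN = /^arn:aws:cognito-idp:[^:]+:\d{12}:userpool\/[^/]+$/;

// Returns one finding per way an Allow statement over cognito-idp is broader
// than "these admin calls, on this one pool". An empty list means it is scoped.
function lintCognitoPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return;
    const cognitoActions = asList(stmt.Action).filter(
      (a) => a === '*' || a.startsWith('cognito-idp:'),
    );
    if (cognitoActions.length === 0) return; // statement is about another service
    const label = stmt.Sid ?? `statement[${i}]`;
    for (const a of cognitoActions) {
      if (a === '*' || a.endsWith('*')) {
        findings.push(`${label}: wildcard action '${a}' grants more than the admin calls needed`);
      }
    }
    for (const r of asList(stmt.Resource)) {
      if (!USER_POOL_ARN.test(r)) {
        findings.push(`${label}: resource '${r}' is not scoped to a single user pool ARN`);
      }
    }
  });
  return findings;
}

// Constructed counter-example: the "just make it work" policy the lint should reject.
const OVERLY_BROAD_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'TooBroad', Effect: 'Allow', Action: 'cognito-idp:*', Resource: '*' }],
};
```

Running `lintCognitoPolicy(cognitoAdminPolicy('us-east-1', '123456789012', 'us-east-1_ABCdefGHI'))` yields no findings, while `lintCognitoPolicy(OVERLY_BROAD_POLICY)` reports both the wildcard action and the unscoped resource. The check only inspects rendered documents (after `cdk synth`), since the CDK tokens in the thread's template literal are resolved at synthesis time.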

@nija-at
Contributor Author

nija-at commented Apr 1, 2020

@0xdevalias - please open a new issue for this request. Thanks!

@brainstorm

Added new issue for some UserPool attributes that are present on the Web Console (post deploy) but that I'm not able to reach via CDK (Java): #7245

brainstorm added a commit to umccr/igv that referenced this issue Apr 8, 2020
…om CDK 1.26.0, but apparently there are a few rough corners to fix still according to CDK tracking issue aws/aws-cdk#6765
@brainstorm

"Advanced security" is in issue #7405 (to be added on the summary above).

@nija-at
Contributor Author

nija-at commented Jun 19, 2020

This has been forked into two separate tracking issues - one tracking user pools and the other tracking identity pools.

Please transfer your upvotes (👍) to the respective issues, so we know which one of the two you're interested in.
