From e4fee3fa7d3096dc12b76a2ca47cfb910a0ea4d6 Mon Sep 17 00:00:00 2001 From: awstools Date: Wed, 2 Aug 2023 18:12:30 +0000 Subject: [PATCH] feat(client-cognito-identity-provider): New feature that logs Cognito user pool error messages to CloudWatch logs. --- .../README.md | 89 ++- .../src/CognitoIdentityProvider.ts | 119 ++- .../src/CognitoIdentityProviderClient.ts | 85 +- .../commands/AddCustomAttributesCommand.ts | 20 + .../commands/AdminAddUserToGroupCommand.ts | 21 +- .../src/commands/AdminConfirmSignUpCommand.ts | 21 +- .../src/commands/AdminCreateUserCommand.ts | 26 +- .../AdminDeleteUserAttributesCommand.ts | 21 +- .../src/commands/AdminDeleteUserCommand.ts | 21 +- .../AdminDisableProviderForUserCommand.ts | 26 +- .../src/commands/AdminDisableUserCommand.ts | 26 +- .../src/commands/AdminEnableUserCommand.ts | 21 +- .../src/commands/AdminForgetDeviceCommand.ts | 21 +- .../src/commands/AdminGetDeviceCommand.ts | 21 +- .../src/commands/AdminGetUserCommand.ts | 21 +- .../src/commands/AdminInitiateAuthCommand.ts | 25 +- .../AdminLinkProviderForUserCommand.ts | 25 +- .../src/commands/AdminListDevicesCommand.ts | 21 +- .../commands/AdminListGroupsForUserCommand.ts | 21 +- .../AdminListUserAuthEventsCommand.ts | 20 + .../AdminRemoveUserFromGroupCommand.ts | 21 +- .../commands/AdminResetUserPasswordCommand.ts | 41 +- .../AdminRespondToAuthChallengeCommand.ts | 29 +- .../AdminSetUserMFAPreferenceCommand.ts | 20 + .../commands/AdminSetUserPasswordCommand.ts | 31 + .../commands/AdminSetUserSettingsCommand.ts | 20 + .../AdminUpdateAuthEventFeedbackCommand.ts | 20 + .../AdminUpdateDeviceStatusCommand.ts | 21 +- .../AdminUpdateUserAttributesCommand.ts | 43 +- .../commands/AdminUserGlobalSignOutCommand.ts | 35 +- .../commands/AssociateSoftwareTokenCommand.ts | 9 +- .../src/commands/ChangePasswordCommand.ts | 9 +- .../src/commands/ConfirmDeviceCommand.ts | 9 +- .../commands/ConfirmForgotPasswordCommand.ts | 9 +- .../src/commands/ConfirmSignUpCommand.ts | 13 +- .../src/commands/CreateGroupCommand.ts | 21 +- .../commands/CreateIdentityProviderCommand.ts | 20 + .../commands/CreateResourceServerCommand.ts | 20 + .../commands/CreateUserImportJobCommand.ts | 22 +- .../commands/CreateUserPoolClientCommand.ts | 23 + .../src/commands/CreateUserPoolCommand.ts | 33 +- .../commands/CreateUserPoolDomainCommand.ts | 20 + .../commands/DeleteUserAttributesCommand.ts | 9 +- .../src/commands/DeleteUserCommand.ts | 11 +- .../commands/DescribeUserPoolClientCommand.ts | 20 + .../src/commands/DescribeUserPoolCommand.ts | 20 + .../src/commands/ForgetDeviceCommand.ts | 9 +- .../src/commands/ForgotPasswordCommand.ts | 23 +- .../src/commands/GetDeviceCommand.ts | 9 +- .../GetLogDeliveryConfigurationCommand.ts | 182 +++++ .../commands/GetSigningCertificateCommand.ts | 8 +- ...GetUserAttributeVerificationCodeCommand.ts | 13 +- .../src/commands/GetUserCommand.ts | 9 +- .../src/commands/GlobalSignOutCommand.ts | 20 +- .../src/commands/InitiateAuthCommand.ts | 13 +- .../src/commands/ListDevicesCommand.ts | 9 +- .../src/commands/ListGroupsCommand.ts | 21 +- .../commands/ListIdentityProvidersCommand.ts | 20 + .../commands/ListResourceServersCommand.ts | 20 + .../src/commands/ListUserImportJobsCommand.ts | 22 +- .../commands/ListUserPoolClientsCommand.ts | 20 + .../src/commands/ListUserPoolsCommand.ts | 20 + .../src/commands/ListUsersCommand.ts | 22 +- .../src/commands/ListUsersInGroupCommand.ts | 21 +- .../commands/ResendConfirmationCodeCommand.ts | 13 +- .../commands/RespondToAuthChallengeCommand.ts | 17 +- .../src/commands/RevokeTokenCommand.ts | 13 +- .../SetLogDeliveryConfigurationCommand.ts | 191 +++++ .../commands/SetRiskConfigurationCommand.ts | 8 +- .../src/commands/SetUICustomizationCommand.ts | 2 +- .../commands/SetUserMFAPreferenceCommand.ts | 11 +- .../commands/SetUserPoolMfaConfigCommand.ts | 6 +- .../src/commands/SetUserSettingsCommand.ts | 11 +- .../src/commands/SignUpCommand.ts | 13 +- .../UpdateAuthEventFeedbackCommand.ts | 6 + .../src/commands/UpdateDeviceStatusCommand.ts | 9 +- .../src/commands/UpdateGroupCommand.ts | 21 +- .../commands/UpdateIdentityProviderCommand.ts | 20 + .../commands/UpdateResourceServerCommand.ts | 20 + .../commands/UpdateUserAttributesCommand.ts | 17 +- .../commands/UpdateUserPoolClientCommand.ts | 23 +- .../src/commands/UpdateUserPoolCommand.ts | 35 +- .../commands/UpdateUserPoolDomainCommand.ts | 20 + .../commands/VerifySoftwareTokenCommand.ts | 12 +- .../commands/VerifyUserAttributeCommand.ts | 22 +- .../src/commands/index.ts | 2 + .../src/index.ts | 73 +- .../src/models/models_0.ts | 756 +++++++++--------- .../src/models/models_1.ts | 312 +++++++- .../src/protocols/Aws_json1_1.ts | 188 ++++- .../aws-models/cognito-identity-provider.json | 596 ++++++++++---- 91 files changed, 3331 insertions(+), 767 deletions(-) create mode 100644 clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts create mode 100644 clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts diff --git a/clients/client-cognito-identity-provider/README.md b/clients/client-cognito-identity-provider/README.md index 2e34224fcad3..a1834754e739 100644 --- a/clients/client-cognito-identity-provider/README.md +++ b/clients/client-cognito-identity-provider/README.md @@ -6,12 +6,73 @@ AWS SDK for JavaScript CognitoIdentityProvider Client for Node.js, Browser and React Native. -

Using the Amazon Cognito user pools API, you can create a user pool to manage directories and -users. You can authenticate a user to obtain tokens related to user identity and access -policies.

-

This API reference provides information about user pools in Amazon Cognito user pools.

-

For more information, see the Amazon Cognito -Documentation.

+

With the Amazon Cognito user pools API, you can set up user pools and app clients, and +authenticate users. To authenticate users from third-party identity providers (IdPs) in +this API, you can link IdP users to native user profiles. Learn more +about the authentication and authorization of federated users in the Using the Amazon Cognito user pools API and user pool endpoints.

+

This API reference provides detailed information about API operations and object types +in Amazon Cognito. At the bottom of the page for each API operation and object, under +See Also, you can learn how to use it in an Amazon Web Services SDK in the +language of your choice.

+

Along with resource management operations, the Amazon Cognito user pools API includes classes +of operations and authorization models for client-side and server-side user operations. +For more information, see Using the Amazon Cognito native and OIDC APIs in the +Amazon Cognito Developer Guide.

+

You can also start reading about the CognitoIdentityProvider client in +the following SDK guides.

+ +

To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services +SDKs.

## Installing @@ -690,6 +751,14 @@ GetIdentityProviderByIdentifier [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/classes/getidentityproviderbyidentifiercommand.html) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/getidentityproviderbyidentifiercommandinput.html) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/getidentityproviderbyidentifiercommandoutput.html) + +
+ +GetLogDeliveryConfiguration + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/classes/getlogdeliveryconfigurationcommand.html) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/getlogdeliveryconfigurationcommandinput.html) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/getlogdeliveryconfigurationcommandoutput.html) +
@@ -850,6 +919,14 @@ RevokeToken [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/classes/revoketokencommand.html) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/revoketokencommandinput.html) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/revoketokencommandoutput.html) +
+
+ +SetLogDeliveryConfiguration + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/classes/setlogdeliveryconfigurationcommand.html) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/setlogdeliveryconfigurationcommandinput.html) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/setlogdeliveryconfigurationcommandoutput.html) +
diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts index e111ca4ebce8..d1d640f53745 100644 --- a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts +++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts @@ -283,6 +283,11 @@ import { GetIdentityProviderByIdentifierCommandInput, GetIdentityProviderByIdentifierCommandOutput, } from "./commands/GetIdentityProviderByIdentifierCommand"; +import { + GetLogDeliveryConfigurationCommand, + GetLogDeliveryConfigurationCommandInput, + GetLogDeliveryConfigurationCommandOutput, +} from "./commands/GetLogDeliveryConfigurationCommand"; import { GetSigningCertificateCommand, GetSigningCertificateCommandInput, @@ -363,6 +368,11 @@ import { RespondToAuthChallengeCommandOutput, } from "./commands/RespondToAuthChallengeCommand"; import { RevokeTokenCommand, RevokeTokenCommandInput, RevokeTokenCommandOutput } from "./commands/RevokeTokenCommand"; +import { + SetLogDeliveryConfigurationCommand, + SetLogDeliveryConfigurationCommandInput, + SetLogDeliveryConfigurationCommandOutput, +} from "./commands/SetLogDeliveryConfigurationCommand"; import { SetRiskConfigurationCommand, SetRiskConfigurationCommandInput, @@ -518,6 +528,7 @@ const commands = { GetDeviceCommand, GetGroupCommand, GetIdentityProviderByIdentifierCommand, + GetLogDeliveryConfigurationCommand, GetSigningCertificateCommand, GetUICustomizationCommand, GetUserCommand, @@ -538,6 +549,7 @@ const commands = { ResendConfirmationCodeCommand, RespondToAuthChallengeCommand, RevokeTokenCommand, + SetLogDeliveryConfigurationCommand, SetRiskConfigurationCommand, SetUICustomizationCommand, SetUserMFAPreferenceCommand, @@ -1498,6 +1510,23 @@ export interface CognitoIdentityProvider { cb: (err: any, data?: GetIdentityProviderByIdentifierCommandOutput) => void ): void; + /** + * @see {@link GetLogDeliveryConfigurationCommand} + */ + getLogDeliveryConfiguration( + args: GetLogDeliveryConfigurationCommandInput, + options?: __HttpHandlerOptions + ): Promise; + getLogDeliveryConfiguration( + args: GetLogDeliveryConfigurationCommandInput, + cb: (err: any, data?: GetLogDeliveryConfigurationCommandOutput) => void + ): void; + getLogDeliveryConfiguration( + args: GetLogDeliveryConfigurationCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: GetLogDeliveryConfigurationCommandOutput) => void + ): void; + /** * @see {@link GetSigningCertificateCommand} */ @@ -1790,6 +1819,23 @@ export interface CognitoIdentityProvider { cb: (err: any, data?: RevokeTokenCommandOutput) => void ): void; + /** + * @see {@link SetLogDeliveryConfigurationCommand} + */ + setLogDeliveryConfiguration( + args: SetLogDeliveryConfigurationCommandInput, + options?: __HttpHandlerOptions + ): Promise; + setLogDeliveryConfiguration( + args: SetLogDeliveryConfigurationCommandInput, + cb: (err: any, data?: SetLogDeliveryConfigurationCommandOutput) => void + ): void; + setLogDeliveryConfiguration( + args: SetLogDeliveryConfigurationCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: SetLogDeliveryConfigurationCommandOutput) => void + ): void; + /** * @see {@link SetRiskConfigurationCommand} */ @@ -2120,12 +2166,73 @@ export interface CognitoIdentityProvider { /** * @public - *

Using the Amazon Cognito user pools API, you can create a user pool to manage directories and - * users. You can authenticate a user to obtain tokens related to user identity and access - * policies.

- *

This API reference provides information about user pools in Amazon Cognito user pools.

- *

For more information, see the Amazon Cognito - * Documentation.

+ *

With the Amazon Cognito user pools API, you can set up user pools and app clients, and + * authenticate users. To authenticate users from third-party identity providers (IdPs) in + * this API, you can link IdP users to native user profiles. Learn more + * about the authentication and authorization of federated users in the Using the Amazon Cognito user pools API and user pool endpoints.

+ *

This API reference provides detailed information about API operations and object types + * in Amazon Cognito. At the bottom of the page for each API operation and object, under + * See Also, you can learn how to use it in an Amazon Web Services SDK in the + * language of your choice.

+ *

Along with resource management operations, the Amazon Cognito user pools API includes classes + * of operations and authorization models for client-side and server-side user operations. + * For more information, see Using the Amazon Cognito native and OIDC APIs in the + * Amazon Cognito Developer Guide.

+ *

You can also start reading about the CognitoIdentityProvider client in + * the following SDK guides.

+ * + *

To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services + * SDKs.

*/ export class CognitoIdentityProvider extends CognitoIdentityProviderClient implements CognitoIdentityProvider {} createAggregatedClient(commands, CognitoIdentityProvider); diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts index ced29976bd5a..72c7bf2919d9 100644 --- a/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts +++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts @@ -212,6 +212,10 @@ import { GetIdentityProviderByIdentifierCommandInput, GetIdentityProviderByIdentifierCommandOutput, } from "./commands/GetIdentityProviderByIdentifierCommand"; +import { + GetLogDeliveryConfigurationCommandInput, + GetLogDeliveryConfigurationCommandOutput, +} from "./commands/GetLogDeliveryConfigurationCommand"; import { GetSigningCertificateCommandInput, GetSigningCertificateCommandOutput, @@ -259,6 +263,10 @@ import { RespondToAuthChallengeCommandOutput, } from "./commands/RespondToAuthChallengeCommand"; import { RevokeTokenCommandInput, RevokeTokenCommandOutput } from "./commands/RevokeTokenCommand"; +import { + SetLogDeliveryConfigurationCommandInput, + SetLogDeliveryConfigurationCommandOutput, +} from "./commands/SetLogDeliveryConfigurationCommand"; import { SetRiskConfigurationCommandInput, SetRiskConfigurationCommandOutput, @@ -387,6 +395,7 @@ export type ServiceInputTypes = | GetDeviceCommandInput | GetGroupCommandInput | GetIdentityProviderByIdentifierCommandInput + | GetLogDeliveryConfigurationCommandInput | GetSigningCertificateCommandInput | GetUICustomizationCommandInput | GetUserAttributeVerificationCodeCommandInput @@ -407,6 +416,7 @@ export type ServiceInputTypes = | ResendConfirmationCodeCommandInput | RespondToAuthChallengeCommandInput | RevokeTokenCommandInput + | SetLogDeliveryConfigurationCommandInput | SetRiskConfigurationCommandInput | SetUICustomizationCommandInput | SetUserMFAPreferenceCommandInput @@ -493,6 +503,7 @@ export type ServiceOutputTypes = | GetDeviceCommandOutput | GetGroupCommandOutput | GetIdentityProviderByIdentifierCommandOutput + | GetLogDeliveryConfigurationCommandOutput | GetSigningCertificateCommandOutput | GetUICustomizationCommandOutput | GetUserAttributeVerificationCodeCommandOutput @@ -513,6 +524,7 @@ export type ServiceOutputTypes = | ResendConfirmationCodeCommandOutput | RespondToAuthChallengeCommandOutput | RevokeTokenCommandOutput + | SetLogDeliveryConfigurationCommandOutput | SetRiskConfigurationCommandOutput | SetUICustomizationCommandOutput | SetUserMFAPreferenceCommandOutput @@ -699,12 +711,73 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden /** * @public - *

Using the Amazon Cognito user pools API, you can create a user pool to manage directories and - * users. You can authenticate a user to obtain tokens related to user identity and access - * policies.

- *

This API reference provides information about user pools in Amazon Cognito user pools.

- *

For more information, see the Amazon Cognito - * Documentation.

+ *

With the Amazon Cognito user pools API, you can set up user pools and app clients, and + * authenticate users. To authenticate users from third-party identity providers (IdPs) in + * this API, you can link IdP users to native user profiles. Learn more + * about the authentication and authorization of federated users in the Using the Amazon Cognito user pools API and user pool endpoints.

+ *

This API reference provides detailed information about API operations and object types + * in Amazon Cognito. At the bottom of the page for each API operation and object, under + * See Also, you can learn how to use it in an Amazon Web Services SDK in the + * language of your choice.

+ *

Along with resource management operations, the Amazon Cognito user pools API includes classes + * of operations and authorization models for client-side and server-side user operations. + * For more information, see Using the Amazon Cognito native and OIDC APIs in the + * Amazon Cognito Developer Guide.

+ *

You can also start reading about the CognitoIdentityProvider client in + * the following SDK guides.

+ * + *

To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services + * SDKs.

*/ export class CognitoIdentityProviderClient extends __Client< __HttpHandlerOptions, diff --git a/clients/client-cognito-identity-provider/src/commands/AddCustomAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AddCustomAttributesCommand.ts index 84774c7ea2f4..0b8a70e185c5 100644 --- a/clients/client-cognito-identity-provider/src/commands/AddCustomAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AddCustomAttributesCommand.ts @@ -42,6 +42,26 @@ export interface AddCustomAttributesCommandOutput extends AddCustomAttributesRes /** * @public *

Adds additional user attributes to the user pool schema.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminAddUserToGroupCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminAddUserToGroupCommand.ts index 538dbbcaf98e..ace3958eb432 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminAddUserToGroupCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminAddUserToGroupCommand.ts @@ -42,7 +42,26 @@ export interface AdminAddUserToGroupCommandOutput extends __MetadataBearer {} /** * @public *

Adds the specified user to the specified group.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts index 8ac3d34fa1ba..5b2504fcd5c5 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts @@ -47,7 +47,26 @@ export interface AdminConfirmSignUpCommandOutput extends AdminConfirmSignUpRespo * @public *

Confirms user registration as an admin without using a confirmation code. Works on any * user.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts index a89c0ee1908a..b32c4353bd48 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts @@ -63,7 +63,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _ * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* *

This message is based on a template that you configured in your call to create or @@ -73,8 +73,26 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _ * for the MessageAction parameter, and Amazon Cognito won't send any email.

*

In either case, the user will be in the FORCE_CHANGE_PASSWORD state until * they sign in and change their password.

- *

- * AdminCreateUser requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -162,7 +180,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _ * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserAttributesCommand.ts index 3b504cdec0a5..ad7bbbc22402 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserAttributesCommand.ts @@ -47,7 +47,26 @@ export interface AdminDeleteUserAttributesCommandOutput extends AdminDeleteUserA * @public *

Deletes the user attributes in a user pool as an administrator. Works on any * user.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserCommand.ts index e5633e23a288..b06e56164c64 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminDeleteUserCommand.ts @@ -42,7 +42,26 @@ export interface AdminDeleteUserCommandOutput extends __MetadataBearer {} /** * @public *

Deletes a user as an administrator. Works on any user.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminDisableProviderForUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminDisableProviderForUserCommand.ts index 249a85f35b5f..647b4798f4d0 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminDisableProviderForUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminDisableProviderForUserCommand.ts @@ -50,8 +50,6 @@ export interface AdminDisableProviderForUserCommandOutput * user is removed. When the external user signs in again, and the user is no longer * attached to the previously linked DestinationUser, the user must create a * new user account. See AdminLinkProviderForUser.

- *

This action is enabled only for admin access and requires developer - * credentials.

*

The ProviderName must match the value specified when creating an IdP for * the pool.

*

To deactivate a native username + password user, the ProviderName value @@ -71,6 +69,26 @@ export interface AdminDisableProviderForUserCommandOutput * ProviderAttributeName must be Cognito_Subject and * ProviderAttributeValue must be the subject of the SAML * assertion.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -99,8 +117,8 @@ export interface AdminDisableProviderForUserCommandOutput * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* diff --git a/clients/client-cognito-identity-provider/src/commands/AdminDisableUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminDisableUserCommand.ts index 088369e993f1..177586d640b2 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminDisableUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminDisableUserCommand.ts @@ -45,9 +45,29 @@ export interface AdminDisableUserCommandOutput extends AdminDisableUserResponse, /** * @public - *

Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, - * but still appears in the responses to GetUser and ListUsers API requests.

- *

You must make this API request with Amazon Web Services credentials that have cognito-idp:AdminDisableUser permissions.

+ *

Deactivates a user and revokes all access tokens for the user. A deactivated user + * can't sign in, but still appears in the responses to GetUser and + * ListUsers API requests.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminEnableUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminEnableUserCommand.ts index fe59f17496c0..709feb9be905 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminEnableUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminEnableUserCommand.ts @@ -46,7 +46,26 @@ export interface AdminEnableUserCommandOutput extends AdminEnableUserResponse, _ /** * @public *

Enables the specified user as an administrator. Works on any user.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminForgetDeviceCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminForgetDeviceCommand.ts index c2fad42e8738..58a4f5d920da 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminForgetDeviceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminForgetDeviceCommand.ts @@ -42,7 +42,26 @@ export interface AdminForgetDeviceCommandOutput extends __MetadataBearer {} /** * @public *

Forgets the device, as an administrator.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminGetDeviceCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminGetDeviceCommand.ts index f668bc4d6f36..b822f0ea7513 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminGetDeviceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminGetDeviceCommand.ts @@ -47,7 +47,26 @@ export interface AdminGetDeviceCommandOutput extends AdminGetDeviceResponse, __M /** * @public *

Gets the device, as an administrator.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts index aba824bdfa45..0d9e8604a895 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts @@ -48,7 +48,26 @@ export interface AdminGetUserCommandOutput extends AdminGetUserResponse, __Metad * @public *

Gets the specified user by user name in a user pool as an administrator. Works on any * user.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts index 37f1e4eff795..cd3eb08c7689 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts @@ -61,10 +61,29 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* - *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -143,7 +162,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link InvalidUserPoolConfigurationException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminLinkProviderForUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminLinkProviderForUserCommand.ts index 35baad25e106..ee2f028cf5fe 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminLinkProviderForUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminLinkProviderForUserCommand.ts @@ -58,7 +58,26 @@ export interface AdminLinkProviderForUserCommandOutput extends AdminLinkProvider * an existing user in the user pool, it is critical that it only be used with external * IdPs and provider attributes that have been trusted by the application owner.

* - *

This action is administrative and requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -92,8 +111,8 @@ export interface AdminLinkProviderForUserCommandOutput extends AdminLinkProvider * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* diff --git a/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts index 9d330bd5de8b..fbf6e2343e5f 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts @@ -47,7 +47,26 @@ export interface AdminListDevicesCommandOutput extends AdminListDevicesResponse, /** * @public *

Lists devices, as an administrator.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminListGroupsForUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminListGroupsForUserCommand.ts index 08f12119ce04..6c4dfa97ae57 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminListGroupsForUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminListGroupsForUserCommand.ts @@ -46,7 +46,26 @@ export interface AdminListGroupsForUserCommandOutput extends AdminListGroupsForU /** * @public *

Lists the groups that the user belongs to.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminListUserAuthEventsCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminListUserAuthEventsCommand.ts index 7e300ce096fa..f87d20009aa3 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminListUserAuthEventsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminListUserAuthEventsCommand.ts @@ -47,6 +47,26 @@ export interface AdminListUserAuthEventsCommandOutput extends AdminListUserAuthE * @public *

A history of user activity and any risks detected as part of Amazon Cognito advanced * security.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminRemoveUserFromGroupCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminRemoveUserFromGroupCommand.ts index 66d0b43aa3a6..38dcd10cb129 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminRemoveUserFromGroupCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminRemoveUserFromGroupCommand.ts @@ -42,7 +42,26 @@ export interface AdminRemoveUserFromGroupCommandOutput extends __MetadataBearer /** * @public *

Removes the specified user from the specified group.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts index d40e8dede979..28c91ef97372 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts @@ -47,14 +47,6 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw * @public *

Resets the specified user's password in a user pool as an administrator. Works on any * user.

- *

When a developer calls this API, the current password is invalidated, so it must be - * changed. If a user tries to sign in after the API is called, the app will get a - * PasswordResetRequiredException exception back and should direct the user down the flow - * to reset the password, which is the same as the forgot password flow. In addition, if - * the user pool has phone verification selected and a verified phone number exists for the - * user, or if email verification is selected and a verified email exists for the user, - * calling this API will also result in sending a message to the end user with the code to - * change their password.

* *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages @@ -69,10 +61,37 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* - *

Calling this action requires developer credentials.

+ *

Deactivates a user's password, requiring them to change it. If a user tries to sign in + * after the API is called, Amazon Cognito responds with a + * PasswordResetRequiredException error. Your app must then perform the + * actions that reset your user's password: the forgot-password flow. In addition, if the + * user pool has phone verification selected and a verified phone number exists for the + * user, or if email verification is selected and a verified email exists for the user, + * calling this API will also result in sending a message to the end user with the code to + * change their password.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -119,7 +138,7 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts index a89c9973388a..c34cb37fecc4 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts @@ -63,10 +63,29 @@ export interface AdminRespondToAuthChallengeCommandOutput * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* - *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -131,8 +150,8 @@ export interface AdminRespondToAuthChallengeCommandOutput * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* @@ -163,7 +182,7 @@ export interface AdminRespondToAuthChallengeCommandOutput * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link InvalidUserPoolConfigurationException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts index 0d8627cedfc9..374e63e5a614 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts @@ -50,6 +50,26 @@ export interface AdminSetUserMFAPreferenceCommandOutput extends AdminSetUserMFAP * preferred MFA factor will be used to authenticate a user if multiple factors are * activated. If multiple options are activated and no preference is set, a challenge to * choose an MFA option will be returned during sign-in.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts index 50cf13388794..661f36c4546b 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts @@ -55,6 +55,37 @@ export interface AdminSetUserPasswordCommandOutput extends AdminSetUserPasswordR * password.

*

Once the user has set a new password, or the password is permanent, the user status is * set to Confirmed.

+ *

+ * AdminSetUserPassword can set a password for the user profile that Amazon Cognito + * creates for third-party federated users. When you set a password, the federated user's + * status changes from EXTERNAL_PROVIDER to CONFIRMED. A user in + * this state can sign in as a federated user, and initiate authentication flows in the API + * like a linked native user. They can also modify their password and attributes in + * token-authenticated API requests like ChangePassword and + * UpdateUserAttributes. As a best security practice and to keep users in + * sync with your external IdP, don't set passwords on federated user profiles. To set up a + * federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user + * profile.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminSetUserSettingsCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminSetUserSettingsCommand.ts index 5f2704cdda1d..7745082cf058 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminSetUserSettingsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminSetUserSettingsCommand.ts @@ -49,6 +49,26 @@ export interface AdminSetUserSettingsCommandOutput extends AdminSetUserSettingsR * This action is no longer supported. You can use it to configure * only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software * token MFA. To configure either type of MFA, use AdminSetUserMFAPreference instead.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateAuthEventFeedbackCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateAuthEventFeedbackCommand.ts index a16c0f2b7c10..44a5ecb9f58a 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateAuthEventFeedbackCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateAuthEventFeedbackCommand.ts @@ -53,6 +53,26 @@ export interface AdminUpdateAuthEventFeedbackCommandOutput *

Provides feedback for an authentication event indicating if it was from a valid user. * This feedback is used for improving the risk evaluation decision for the user pool as * part of Amazon Cognito advanced security.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateDeviceStatusCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateDeviceStatusCommand.ts index 0a6631fe0dbd..52c78f988d03 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateDeviceStatusCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateDeviceStatusCommand.ts @@ -46,7 +46,26 @@ export interface AdminUpdateDeviceStatusCommandOutput extends AdminUpdateDeviceS /** * @public *

Updates the device status as an administrator.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts index 803e22b238d6..ff98f3264d82 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts @@ -45,13 +45,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA /** * @public - *

Updates the specified user's attributes, including developer attributes, as an - * administrator. Works on any user.

- *

For custom attributes, you must prepend the custom: prefix to the - * attribute name.

- *

In addition to updating user attributes, this API can also be used to mark phone and - * email as verified.

- * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -65,10 +59,35 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* - *

Calling this action requires developer credentials.

+ *

Updates the specified user's attributes, including developer attributes, as an + * administrator. Works on any user.

+ *

For custom attributes, you must prepend the custom: prefix to the + * attribute name.

+ *

In addition to updating user attributes, this API can also be used to mark phone and + * email as verified.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -102,8 +121,8 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* @@ -128,7 +147,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUserGlobalSignOutCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUserGlobalSignOutCommand.ts index f079a8b2aa39..5d11bb7232fa 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUserGlobalSignOutCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUserGlobalSignOutCommand.ts @@ -45,13 +45,34 @@ export interface AdminUserGlobalSignOutCommandOutput extends AdminUserGlobalSign /** * @public - *

Signs out a user from all devices. You must sign AdminUserGlobalSignOut requests - * with Amazon Web Services credentials. It also invalidates all refresh tokens that Amazon Cognito has issued to - * a user. The user's current access and ID tokens remain valid until they expire. By - * default, access and ID tokens expire one hour after they're issued. A user can still use - * a hosted UI cookie to retrieve new tokens for the duration of the cookie validity period - * of 1 hour.

- *

Calling this action requires developer credentials.

+ *

Signs out a user from all devices. AdminUserGlobalSignOut invalidates all + * identity, access and refresh tokens that Amazon Cognito has issued to a user. A user can still + * use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie + * validity period.

+ *

Your app isn't aware that a user's access token is revoked unless it attempts to + * authorize a user pools API request with an access token that contains the scope + * aws.cognito.signin.user.admin. Your app might otherwise accept access + * tokens until they expire.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts b/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts index b4e70c30c908..cdd5331c66a1 100644 --- a/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts @@ -63,6 +63,12 @@ export interface AssociateSoftwareTokenCommandOutput extends AssociateSoftwareTo * SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to * this challenge with your user's TOTP.

* + * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -93,7 +99,8 @@ export interface AssociateSoftwareTokenCommandOutput extends AssociateSoftwareTo * concurrently.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts index 3a5786db0670..fb45abf055f5 100644 --- a/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts @@ -45,6 +45,12 @@ export interface ChangePasswordCommandOutput extends ChangePasswordResponse, __M /** * @public *

Changes the password for a specified user in a user pool.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -69,7 +75,8 @@ export interface ChangePasswordCommandOutput extends ChangePasswordResponse, __M * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/ConfirmDeviceCommand.ts b/clients/client-cognito-identity-provider/src/commands/ConfirmDeviceCommand.ts index 0d345c53a202..427e6ce38532 100644 --- a/clients/client-cognito-identity-provider/src/commands/ConfirmDeviceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ConfirmDeviceCommand.ts @@ -47,6 +47,12 @@ export interface ConfirmDeviceCommandOutput extends ConfirmDeviceResponse, __Met * @public *

Confirms tracking of the device. This API call is the call that begins device * tracking.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -77,7 +83,8 @@ export interface ConfirmDeviceCommandOutput extends ConfirmDeviceResponse, __Met * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts index 5058eef39f09..6c710b50d0b6 100644 --- a/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts @@ -45,6 +45,12 @@ export interface ConfirmForgotPasswordCommandOutput extends ConfirmForgotPasswor /** * @public *

Allows a user to enter a confirmation code to reset a forgotten password.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -88,7 +94,8 @@ export interface ConfirmForgotPasswordCommandOutput extends ConfirmForgotPasswor *

This exception is thrown if a code has expired.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts index 65e9ae04ef94..e65d5043bd92 100644 --- a/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts @@ -45,6 +45,12 @@ export interface ConfirmSignUpCommandOutput extends ConfirmSignUpResponse, __Met /** * @public *

Confirms registration of a new user.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -82,8 +88,8 @@ export interface ConfirmSignUpCommandOutput extends ConfirmSignUpResponse, __Met * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* @@ -95,7 +101,8 @@ export interface ConfirmSignUpCommandOutput extends ConfirmSignUpResponse, __Met *

This exception is thrown if a code has expired.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/CreateGroupCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateGroupCommand.ts index 5251742cc6c0..bc9584f8e659 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateGroupCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateGroupCommand.ts @@ -42,7 +42,26 @@ export interface CreateGroupCommandOutput extends CreateGroupResponse, __Metadat /** * @public *

Creates a new group in the specified user pool.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/CreateIdentityProviderCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateIdentityProviderCommand.ts index 5b89f985076c..bf317e691a06 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateIdentityProviderCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateIdentityProviderCommand.ts @@ -42,6 +42,26 @@ export interface CreateIdentityProviderCommandOutput extends CreateIdentityProvi /** * @public *

Creates an IdP for a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/CreateResourceServerCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateResourceServerCommand.ts index fb0bdcbd0470..05ed2ce69faf 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateResourceServerCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateResourceServerCommand.ts @@ -42,6 +42,26 @@ export interface CreateResourceServerCommandOutput extends CreateResourceServerR /** * @public *

Creates a new OAuth2.0 resource server and defines custom scopes within it.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserImportJobCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserImportJobCommand.ts index 6e5a08ec7459..d872ea6395bb 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserImportJobCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserImportJobCommand.ts @@ -41,7 +41,27 @@ export interface CreateUserImportJobCommandOutput extends CreateUserImportJobRes /** * @public - *

Creates the user import job.

+ *

Creates a user import job.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts index 538d45591c60..9e917fe9e0ed 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts @@ -48,6 +48,29 @@ export interface CreateUserPoolClientCommandOutput extends CreateUserPoolClientR *

Creates the user pool client.

*

When you create a new user pool client, token revocation is automatically activated. * For more information about revoking tokens, see RevokeToken.

+ * + *

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

+ * + * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts index 6c6858eaa418..2be4c189a044 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts @@ -41,9 +41,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M /** * @public - *

Creates a new Amazon Cognito user pool and sets the password policy for the - * pool.

- * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -57,9 +55,34 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* + *

Creates a new Amazon Cognito user pool and sets the password policy for the + * pool.

+ * + *

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

+ * + * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -349,7 +372,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts index 6045b6cb7208..da9de32e5e23 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts @@ -42,6 +42,26 @@ export interface CreateUserPoolDomainCommandOutput extends CreateUserPoolDomainR /** * @public *

Creates a new domain for a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/DeleteUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/DeleteUserAttributesCommand.ts index 6a601cfe5fa0..a44756e4a7b6 100644 --- a/clients/client-cognito-identity-provider/src/commands/DeleteUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/DeleteUserAttributesCommand.ts @@ -45,6 +45,12 @@ export interface DeleteUserAttributesCommandOutput extends DeleteUserAttributesR /** * @public *

Deletes the attributes for a user.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -70,7 +76,8 @@ export interface DeleteUserAttributesCommandOutput extends DeleteUserAttributesR * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/DeleteUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/DeleteUserCommand.ts index ce71e2844a89..52c74907e99c 100644 --- a/clients/client-cognito-identity-provider/src/commands/DeleteUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/DeleteUserCommand.ts @@ -40,7 +40,13 @@ export interface DeleteUserCommandOutput extends __MetadataBearer {} /** * @public - *

Allows a user to delete himself or herself.

+ *

Allows a user to delete their own user profile.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -63,7 +69,8 @@ export interface DeleteUserCommandOutput extends __MetadataBearer {} * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts index d0bfff68a624..c41b8a6f3194 100644 --- a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts @@ -48,6 +48,26 @@ export interface DescribeUserPoolClientCommandOutput extends DescribeUserPoolCli * @public *

Client method for returning the configuration information and metadata of the * specified user pool app client.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts index 7aba560ab469..a95e61e720ed 100644 --- a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts @@ -42,6 +42,26 @@ export interface DescribeUserPoolCommandOutput extends DescribeUserPoolResponse, /** * @public *

Returns the configuration information and metadata of the specified user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ForgetDeviceCommand.ts b/clients/client-cognito-identity-provider/src/commands/ForgetDeviceCommand.ts index dbfe4dca7412..51b6c3b26c18 100644 --- a/clients/client-cognito-identity-provider/src/commands/ForgetDeviceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ForgetDeviceCommand.ts @@ -42,6 +42,12 @@ export interface ForgetDeviceCommandOutput extends __MetadataBearer {} /** * @public *

Forgets the specified device.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -65,7 +71,8 @@ export interface ForgetDeviceCommandOutput extends __MetadataBearer {} * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts index 9d4973179c39..066b169ed75b 100644 --- a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts @@ -48,10 +48,18 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M * that is required to change the user's password. For the Username parameter, * you can use the username or user alias. The method used to send the confirmation code is * sent according to the specified AccountRecoverySetting. For more information, see Recovering - * User Accounts in the Amazon Cognito Developer Guide. If - * neither a verified phone number nor a verified email exists, an - * InvalidParameterException is thrown. To use the confirmation code for - * resetting the password, call ConfirmForgotPassword.

+ * User Accounts in the Amazon Cognito Developer Guide. To + * use the confirmation code for resetting the password, call ConfirmForgotPassword.

+ *

If neither a verified phone number nor a verified email exists, this API returns + * InvalidParameterException. If your app client has a client secret and + * you don't provide a SECRET_HASH parameter, this API returns + * NotAuthorizedException.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages @@ -66,7 +74,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -113,7 +121,8 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M * successfully.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -136,7 +145,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/GetDeviceCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetDeviceCommand.ts index 2b46d7f948bd..3dae91059a5d 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetDeviceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetDeviceCommand.ts @@ -47,6 +47,12 @@ export interface GetDeviceCommandOutput extends GetDeviceResponse, __MetadataBea /** * @public *

Gets the device.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -83,7 +89,8 @@ export interface GetDeviceCommandOutput extends GetDeviceResponse, __MetadataBea * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts new file mode 100644 index 000000000000..405090ed1229 --- /dev/null +++ b/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts @@ -0,0 +1,182 @@ +// smithy-typescript generated code +import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing"; +import { EndpointParameterInstructions, getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@smithy/protocol-http"; +import { Command as $Command } from "@smithy/smithy-client"; +import { + FinalizeHandlerArguments, + Handler, + HandlerExecutionContext, + HttpHandlerOptions as __HttpHandlerOptions, + MetadataBearer as __MetadataBearer, + MiddlewareStack, + SerdeContext as __SerdeContext, +} from "@smithy/types"; + +import { + CognitoIdentityProviderClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes, +} from "../CognitoIdentityProviderClient"; +import { GetLogDeliveryConfigurationRequest, GetLogDeliveryConfigurationResponse } from "../models/models_0"; +import { de_GetLogDeliveryConfigurationCommand, se_GetLogDeliveryConfigurationCommand } from "../protocols/Aws_json1_1"; + +/** + * @public + */ +export { __MetadataBearer, $Command }; +/** + * @public + * + * The input for {@link GetLogDeliveryConfigurationCommand}. + */ +export interface GetLogDeliveryConfigurationCommandInput extends GetLogDeliveryConfigurationRequest {} +/** + * @public + * + * The output of {@link GetLogDeliveryConfigurationCommand}. + */ +export interface GetLogDeliveryConfigurationCommandOutput + extends GetLogDeliveryConfigurationResponse, + __MetadataBearer {} + +/** + * @public + *

Gets the detailed activity logging configuration for a user pool.

+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { CognitoIdentityProviderClient, GetLogDeliveryConfigurationCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import + * // const { CognitoIdentityProviderClient, GetLogDeliveryConfigurationCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import + * const client = new CognitoIdentityProviderClient(config); + * const input = { // GetLogDeliveryConfigurationRequest + * UserPoolId: "STRING_VALUE", // required + * }; + * const command = new GetLogDeliveryConfigurationCommand(input); + * const response = await client.send(command); + * // { // GetLogDeliveryConfigurationResponse + * // LogDeliveryConfiguration: { // LogDeliveryConfigurationType + * // UserPoolId: "STRING_VALUE", // required + * // LogConfigurations: [ // LogConfigurationListType // required + * // { // LogConfigurationType + * // LogLevel: "ERROR", // required + * // EventSource: "userNotification", // required + * // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType + * // LogGroupArn: "STRING_VALUE", + * // }, + * // }, + * // ], + * // }, + * // }; + * + * ``` + * + * @param GetLogDeliveryConfigurationCommandInput - {@link GetLogDeliveryConfigurationCommandInput} + * @returns {@link GetLogDeliveryConfigurationCommandOutput} + * @see {@link GetLogDeliveryConfigurationCommandInput} for command's `input` shape. + * @see {@link GetLogDeliveryConfigurationCommandOutput} for command's `response` shape. + * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. + * + * @throws {@link InternalErrorException} (server fault) + *

This exception is thrown when Amazon Cognito encounters an internal error.

+ * + * @throws {@link InvalidParameterException} (client fault) + *

This exception is thrown when the Amazon Cognito service encounters an invalid + * parameter.

+ * + * @throws {@link NotAuthorizedException} (client fault) + *

This exception is thrown when a user isn't authorized.

+ * + * @throws {@link ResourceNotFoundException} (client fault) + *

This exception is thrown when the Amazon Cognito service can't find the requested + * resource.

+ * + * @throws {@link TooManyRequestsException} (client fault) + *

This exception is thrown when the user has made too many requests for a given + * operation.

+ * + * @throws {@link CognitoIdentityProviderServiceException} + *

Base exception class for all service exceptions from CognitoIdentityProvider service.

+ * + */ +export class GetLogDeliveryConfigurationCommand extends $Command< + GetLogDeliveryConfigurationCommandInput, + GetLogDeliveryConfigurationCommandOutput, + CognitoIdentityProviderClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + /** + * @public + */ + constructor(readonly input: GetLogDeliveryConfigurationCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStack, + configuration: CognitoIdentityProviderClientResolvedConfig, + options?: __HttpHandlerOptions + ): Handler { + this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize)); + this.middlewareStack.use( + getEndpointPlugin(configuration, GetLogDeliveryConfigurationCommand.getEndpointParameterInstructions()) + ); + this.middlewareStack.use(getAwsAuthPlugin(configuration)); + + const stack = clientStack.concat(this.middlewareStack); + + const { logger } = configuration; + const clientName = "CognitoIdentityProviderClient"; + const commandName = "GetLogDeliveryConfigurationCommand"; + const handlerExecutionContext: HandlerExecutionContext = { + logger, + clientName, + commandName, + inputFilterSensitiveLog: (_: any) => _, + outputFilterSensitiveLog: (_: any) => _, + }; + const { requestHandler } = configuration; + return stack.resolve( + (request: FinalizeHandlerArguments) => + requestHandler.handle(request.request as __HttpRequest, options || {}), + handlerExecutionContext + ); + } + + /** + * @internal + */ + private serialize(input: GetLogDeliveryConfigurationCommandInput, context: __SerdeContext): Promise<__HttpRequest> { + return se_GetLogDeliveryConfigurationCommand(input, context); + } + + /** + * @internal + */ + private deserialize( + output: __HttpResponse, + context: __SerdeContext + ): Promise { + return de_GetLogDeliveryConfigurationCommand(output, context); + } + + // Start section: command_body_extra + // End section: command_body_extra +} diff --git a/clients/client-cognito-identity-provider/src/commands/GetSigningCertificateCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetSigningCertificateCommand.ts index 01023e67e9f7..5e4a51b58bca 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetSigningCertificateCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetSigningCertificateCommand.ts @@ -41,9 +41,11 @@ export interface GetSigningCertificateCommandOutput extends GetSigningCertificat /** * @public - *

This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.

- *

Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, - * but doesn't invalidate the original certificate.

+ *

This method takes a user pool ID, and returns the signing certificate. The issued + * certificate is valid for 10 years from the date of issue.

+ *

Amazon Cognito issues and assigns a new signing certificate annually. This process returns a + * new value in the response to GetSigningCertificate, but doesn't invalidate + * the original certificate.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts index 0a1bcbee1fd0..ea47d5a8d417 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts @@ -53,6 +53,12 @@ export interface GetUserAttributeVerificationCodeCommandOutput * message to a user with a code that they must return in a VerifyUserAttribute * request.

* + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -66,7 +72,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -105,7 +111,8 @@ export interface GetUserAttributeVerificationCodeCommandOutput * successfully.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -128,7 +135,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserCommand.ts index 430fbf099f5b..099d3ea23298 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetUserCommand.ts @@ -46,6 +46,12 @@ export interface GetUserCommandOutput extends GetUserResponse, __MetadataBearer /** * @public *

Gets the user attributes and metadata for a user.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -86,7 +92,8 @@ export interface GetUserCommandOutput extends GetUserResponse, __MetadataBearer * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts b/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts index c04963b72608..968357370f45 100644 --- a/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts @@ -45,9 +45,20 @@ export interface GlobalSignOutCommandOutput extends GlobalSignOutResponse, __Met /** * @public - *

Signs out users from all devices. It also invalidates all refresh tokens that Amazon Cognito - * has issued to a user. A user can still use a hosted UI cookie to retrieve new tokens - * for the duration of the 1-hour cookie validity period.

+ *

Signs out a user from all devices. GlobalSignOut invalidates all + * identity, access and refresh tokens that Amazon Cognito has issued to a user. A user can still + * use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie + * validity period.

+ *

Your app isn't aware that a user's access token is revoked unless it attempts to + * authorize a user pools API request with an access token that contains the scope + * aws.cognito.signin.user.admin. Your app might otherwise accept access + * tokens until they expire.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -70,7 +81,8 @@ export interface GlobalSignOutCommandOutput extends GlobalSignOutResponse, __Met * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts index 21f2bc0dc42a..8a39e012e70a 100644 --- a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts @@ -48,6 +48,12 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad *

Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user * with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.

* + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -61,7 +67,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -117,7 +123,8 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -136,7 +143,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link InvalidUserPoolConfigurationException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts index dabf9a88cfc9..b5aece357f4e 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts @@ -47,6 +47,12 @@ export interface ListDevicesCommandOutput extends ListDevicesResponse, __Metadat /** * @public *

Lists the sign-in devices that Amazon Cognito has registered to the current user.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -87,7 +93,8 @@ export interface ListDevicesCommandOutput extends ListDevicesResponse, __Metadat * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts index dadc73b6af20..6b319a53f426 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts @@ -42,7 +42,26 @@ export interface ListGroupsCommandOutput extends ListGroupsResponse, __MetadataB /** * @public *

Lists the groups associated with a user pool.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts index 110ed4cedff2..71eeeee2beb5 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts @@ -42,6 +42,26 @@ export interface ListIdentityProvidersCommandOutput extends ListIdentityProvider /** * @public *

Lists information about all IdPs for a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts index c85bc3af19a0..a7fcc5119c0b 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts @@ -42,6 +42,26 @@ export interface ListResourceServersCommandOutput extends ListResourceServersRes /** * @public *

Lists the resource servers for a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts index 36dfe4189bac..0518d23e6926 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts @@ -41,7 +41,27 @@ export interface ListUserImportJobsCommandOutput extends ListUserImportJobsRespo /** * @public - *

Lists the user import jobs.

+ *

Lists user import jobs for a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts index 4433687fc7e1..6ff0b33f8156 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts @@ -46,6 +46,26 @@ export interface ListUserPoolClientsCommandOutput extends ListUserPoolClientsRes /** * @public *

Lists the clients that have been created for the specified user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts index c0d878f1fd45..322813cddbd1 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts @@ -42,6 +42,26 @@ export interface ListUserPoolsCommandOutput extends ListUserPoolsResponse, __Met /** * @public *

Lists the user pools associated with an Amazon Web Services account.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts index dfbea3344948..77d1a0a2804d 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts @@ -41,7 +41,27 @@ export interface ListUsersCommandOutput extends ListUsersResponse, __MetadataBea /** * @public - *

Lists the users in the Amazon Cognito user pool.

+ *

Lists users and their basic details in a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts index 46f0eadeb633..7bb6bbab1663 100644 --- a/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts @@ -46,7 +46,26 @@ export interface ListUsersInGroupCommandOutput extends ListUsersInGroupResponse, /** * @public *

Lists the users in the specified group.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts index 1a5b7dfb296b..c3d0a941f069 100644 --- a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts @@ -47,6 +47,12 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC *

Resends the confirmation (for confirmation of registration) to a specific user in the * user pool.

* + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -60,7 +66,7 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -107,7 +113,8 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC * successfully.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -130,7 +137,7 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts index 414bb7982d9d..293a9bb379d0 100644 --- a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts @@ -47,6 +47,12 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * @public *

Responds to the authentication challenge.

* + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -60,7 +66,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -118,8 +124,8 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* @@ -131,7 +137,8 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle *

This exception is thrown if a code has expired.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -153,7 +160,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link InvalidUserPoolConfigurationException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts b/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts index 7c30a5c3e651..9f42b6a43bde 100644 --- a/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts @@ -42,8 +42,14 @@ export interface RevokeTokenCommandOutput extends RevokeTokenResponse, __Metadat /** * @public *

Revokes all of the access tokens generated by, and at the same time as, the specified - * refresh token. After a token is revoked, you can't use the revoked token to access - * Amazon Cognito user APIs, or to authorize access to your resource server.

+ * refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito + * user APIs, or to authorize access to your resource server.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -68,7 +74,8 @@ export interface RevokeTokenCommandOutput extends RevokeTokenResponse, __Metadat * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts new file mode 100644 index 000000000000..c3724a913d3d --- /dev/null +++ b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts @@ -0,0 +1,191 @@ +// smithy-typescript generated code +import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing"; +import { EndpointParameterInstructions, getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@smithy/protocol-http"; +import { Command as $Command } from "@smithy/smithy-client"; +import { + FinalizeHandlerArguments, + Handler, + HandlerExecutionContext, + HttpHandlerOptions as __HttpHandlerOptions, + MetadataBearer as __MetadataBearer, + MiddlewareStack, + SerdeContext as __SerdeContext, +} from "@smithy/types"; + +import { + CognitoIdentityProviderClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes, +} from "../CognitoIdentityProviderClient"; +import { SetLogDeliveryConfigurationRequest, SetLogDeliveryConfigurationResponse } from "../models/models_0"; +import { de_SetLogDeliveryConfigurationCommand, se_SetLogDeliveryConfigurationCommand } from "../protocols/Aws_json1_1"; + +/** + * @public + */ +export { __MetadataBearer, $Command }; +/** + * @public + * + * The input for {@link SetLogDeliveryConfigurationCommand}. + */ +export interface SetLogDeliveryConfigurationCommandInput extends SetLogDeliveryConfigurationRequest {} +/** + * @public + * + * The output of {@link SetLogDeliveryConfigurationCommand}. + */ +export interface SetLogDeliveryConfigurationCommandOutput + extends SetLogDeliveryConfigurationResponse, + __MetadataBearer {} + +/** + * @public + *

Sets up or modifies the detailed activity logging configuration of a user pool.

+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { CognitoIdentityProviderClient, SetLogDeliveryConfigurationCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import + * // const { CognitoIdentityProviderClient, SetLogDeliveryConfigurationCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import + * const client = new CognitoIdentityProviderClient(config); + * const input = { // SetLogDeliveryConfigurationRequest + * UserPoolId: "STRING_VALUE", // required + * LogConfigurations: [ // LogConfigurationListType // required + * { // LogConfigurationType + * LogLevel: "ERROR", // required + * EventSource: "userNotification", // required + * CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType + * LogGroupArn: "STRING_VALUE", + * }, + * }, + * ], + * }; + * const command = new SetLogDeliveryConfigurationCommand(input); + * const response = await client.send(command); + * // { // SetLogDeliveryConfigurationResponse + * // LogDeliveryConfiguration: { // LogDeliveryConfigurationType + * // UserPoolId: "STRING_VALUE", // required + * // LogConfigurations: [ // LogConfigurationListType // required + * // { // LogConfigurationType + * // LogLevel: "ERROR", // required + * // EventSource: "userNotification", // required + * // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType + * // LogGroupArn: "STRING_VALUE", + * // }, + * // }, + * // ], + * // }, + * // }; + * + * ``` + * + * @param SetLogDeliveryConfigurationCommandInput - {@link SetLogDeliveryConfigurationCommandInput} + * @returns {@link SetLogDeliveryConfigurationCommandOutput} + * @see {@link SetLogDeliveryConfigurationCommandInput} for command's `input` shape. + * @see {@link SetLogDeliveryConfigurationCommandOutput} for command's `response` shape. + * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. + * + * @throws {@link InternalErrorException} (server fault) + *

This exception is thrown when Amazon Cognito encounters an internal error.

+ * + * @throws {@link InvalidParameterException} (client fault) + *

This exception is thrown when the Amazon Cognito service encounters an invalid + * parameter.

+ * + * @throws {@link NotAuthorizedException} (client fault) + *

This exception is thrown when a user isn't authorized.

+ * + * @throws {@link ResourceNotFoundException} (client fault) + *

This exception is thrown when the Amazon Cognito service can't find the requested + * resource.

+ * + * @throws {@link TooManyRequestsException} (client fault) + *

This exception is thrown when the user has made too many requests for a given + * operation.

+ * + * @throws {@link CognitoIdentityProviderServiceException} + *

Base exception class for all service exceptions from CognitoIdentityProvider service.

+ * + */ +export class SetLogDeliveryConfigurationCommand extends $Command< + SetLogDeliveryConfigurationCommandInput, + SetLogDeliveryConfigurationCommandOutput, + CognitoIdentityProviderClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + /** + * @public + */ + constructor(readonly input: SetLogDeliveryConfigurationCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStack, + configuration: CognitoIdentityProviderClientResolvedConfig, + options?: __HttpHandlerOptions + ): Handler { + this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize)); + this.middlewareStack.use( + getEndpointPlugin(configuration, SetLogDeliveryConfigurationCommand.getEndpointParameterInstructions()) + ); + this.middlewareStack.use(getAwsAuthPlugin(configuration)); + + const stack = clientStack.concat(this.middlewareStack); + + const { logger } = configuration; + const clientName = "CognitoIdentityProviderClient"; + const commandName = "SetLogDeliveryConfigurationCommand"; + const handlerExecutionContext: HandlerExecutionContext = { + logger, + clientName, + commandName, + inputFilterSensitiveLog: (_: any) => _, + outputFilterSensitiveLog: (_: any) => _, + }; + const { requestHandler } = configuration; + return stack.resolve( + (request: FinalizeHandlerArguments) => + requestHandler.handle(request.request as __HttpRequest, options || {}), + handlerExecutionContext + ); + } + + /** + * @internal + */ + private serialize(input: SetLogDeliveryConfigurationCommandInput, context: __SerdeContext): Promise<__HttpRequest> { + return se_SetLogDeliveryConfigurationCommand(input, context); + } + + /** + * @internal + */ + private deserialize( + output: __HttpResponse, + context: __SerdeContext + ): Promise { + return de_SetLogDeliveryConfigurationCommand(output, context); + } + + // Start section: command_body_extra + // End section: command_body_extra +} diff --git a/clients/client-cognito-identity-provider/src/commands/SetRiskConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetRiskConfigurationCommand.ts index 47639c90c092..13a93fe695c5 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetRiskConfigurationCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetRiskConfigurationCommand.ts @@ -19,12 +19,8 @@ import { ServiceInputTypes, ServiceOutputTypes, } from "../CognitoIdentityProviderClient"; -import { - SetRiskConfigurationRequest, - SetRiskConfigurationRequestFilterSensitiveLog, - SetRiskConfigurationResponse, - SetRiskConfigurationResponseFilterSensitiveLog, -} from "../models/models_0"; +import { SetRiskConfigurationRequest, SetRiskConfigurationRequestFilterSensitiveLog } from "../models/models_0"; +import { SetRiskConfigurationResponse, SetRiskConfigurationResponseFilterSensitiveLog } from "../models/models_1"; import { de_SetRiskConfigurationCommand, se_SetRiskConfigurationCommand } from "../protocols/Aws_json1_1"; /** diff --git a/clients/client-cognito-identity-provider/src/commands/SetUICustomizationCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUICustomizationCommand.ts index a0dcdd289e51..7476759c6f9f 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUICustomizationCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUICustomizationCommand.ts @@ -24,7 +24,7 @@ import { SetUICustomizationRequestFilterSensitiveLog, SetUICustomizationResponse, SetUICustomizationResponseFilterSensitiveLog, -} from "../models/models_0"; +} from "../models/models_1"; import { de_SetUICustomizationCommand, se_SetUICustomizationCommand } from "../protocols/Aws_json1_1"; /** diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts index caf2ee25ad8e..580c2c63405e 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts @@ -23,7 +23,7 @@ import { SetUserMFAPreferenceRequest, SetUserMFAPreferenceRequestFilterSensitiveLog, SetUserMFAPreferenceResponse, -} from "../models/models_0"; +} from "../models/models_1"; import { de_SetUserMFAPreferenceCommand, se_SetUserMFAPreferenceCommand } from "../protocols/Aws_json1_1"; /** @@ -54,6 +54,12 @@ export interface SetUserMFAPreferenceCommandOutput extends SetUserMFAPreferenceR * unless device tracking is turned on and the device has been trusted. If you want MFA to * be applied selectively based on the assessed risk level of sign-in attempts, deactivate * MFA for users and turn on Adaptive Authentication for the user pool.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -84,7 +90,8 @@ export interface SetUserMFAPreferenceCommandOutput extends SetUserMFAPreferenceR * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts index 86f49f9fcca6..cd06819b2d55 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts @@ -19,7 +19,7 @@ import { ServiceInputTypes, ServiceOutputTypes, } from "../CognitoIdentityProviderClient"; -import { SetUserPoolMfaConfigRequest, SetUserPoolMfaConfigResponse } from "../models/models_0"; +import { SetUserPoolMfaConfigRequest, SetUserPoolMfaConfigResponse } from "../models/models_1"; import { de_SetUserPoolMfaConfigCommand, se_SetUserPoolMfaConfigCommand } from "../protocols/Aws_json1_1"; /** @@ -56,7 +56,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -119,7 +119,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserSettingsCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserSettingsCommand.ts index 4fc4fcc21620..d9678630b593 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserSettingsCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUserSettingsCommand.ts @@ -22,7 +22,7 @@ import { SetUserSettingsRequest, SetUserSettingsRequestFilterSensitiveLog, SetUserSettingsResponse, -} from "../models/models_0"; +} from "../models/models_1"; import { de_SetUserSettingsCommand, se_SetUserSettingsCommand } from "../protocols/Aws_json1_1"; /** @@ -48,6 +48,12 @@ export interface SetUserSettingsCommandOutput extends SetUserSettingsResponse, _ * This action is no longer supported. You can use it to configure * only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software * token MFA. To configure either type of MFA, use SetUserMFAPreference instead.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -76,7 +82,8 @@ export interface SetUserSettingsCommandOutput extends SetUserSettingsResponse, _ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts index 8d6181eaa242..a2a6dcf1f9c0 100644 --- a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts @@ -43,6 +43,12 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {} *

Registers the user in the specified user pool and creates a user name, password, and * user attributes.

* + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -56,7 +62,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {} * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -118,7 +124,8 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {} * successfully.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -144,7 +151,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {} * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateAuthEventFeedbackCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateAuthEventFeedbackCommand.ts index ecb1b5894fea..5b877dcb7b9d 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateAuthEventFeedbackCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateAuthEventFeedbackCommand.ts @@ -48,6 +48,12 @@ export interface UpdateAuthEventFeedbackCommandOutput extends UpdateAuthEventFee *

Provides the feedback for an authentication event, whether it was from a valid user or * not. This feedback is used for improving the risk evaluation decision for the user pool * as part of Amazon Cognito advanced security.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateDeviceStatusCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateDeviceStatusCommand.ts index bf65e8da991f..613007fa3c29 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateDeviceStatusCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateDeviceStatusCommand.ts @@ -46,6 +46,12 @@ export interface UpdateDeviceStatusCommandOutput extends UpdateDeviceStatusRespo /** * @public *

Updates the device status.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -70,7 +76,8 @@ export interface UpdateDeviceStatusCommandOutput extends UpdateDeviceStatusRespo * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape. * * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateGroupCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateGroupCommand.ts index 485be6591576..6c474f5592cf 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateGroupCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateGroupCommand.ts @@ -42,7 +42,26 @@ export interface UpdateGroupCommandOutput extends UpdateGroupResponse, __Metadat /** * @public *

Updates the specified group with the specified attributes.

- *

Calling this action requires developer credentials.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateIdentityProviderCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateIdentityProviderCommand.ts index 6b20f80bb8f4..eb01a9062ed3 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateIdentityProviderCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateIdentityProviderCommand.ts @@ -42,6 +42,26 @@ export interface UpdateIdentityProviderCommandOutput extends UpdateIdentityProvi /** * @public *

Updates IdP information for a user pool.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateResourceServerCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateResourceServerCommand.ts index 79bf9fcb6410..97fcc83ae57c 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateResourceServerCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateResourceServerCommand.ts @@ -46,6 +46,26 @@ export interface UpdateResourceServerCommandOutput extends UpdateResourceServerR *

If you don't provide a value for an attribute, it is set to the default * value.

* + * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts index 0e2a48462554..551d4e3ed850 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts @@ -46,6 +46,12 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR * @public *

Allows a user to update a specific attribute (one at a time).

* + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -59,7 +65,7 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* * @example @@ -102,8 +108,8 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* @@ -119,7 +125,8 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR *

This exception is thrown if a code has expired.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -142,7 +149,7 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts index 99cae22a87e7..1f631abb66b3 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts @@ -49,11 +49,30 @@ export interface UpdateUserPoolClientCommandOutput extends UpdateUserPoolClientR *

Updates the specified user pool app client with the specified attributes. You can get * a list of the current user pool app client settings using DescribeUserPoolClient.

* - *

If you don't provide a value for an attribute, it will be set to the default - * value.

+ *

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

* *

You can also use this operation to enable token revocation for user pool clients. For * more information about revoking tokens, see RevokeToken.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts index 10df097f6464..657a5ed00626 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts @@ -41,11 +41,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M /** * @public - *

Updates the specified user pool with the specified attributes. You can get a list of - * the current user pool settings using DescribeUserPool. If you don't provide a value for an attribute, it will be - * set to the default value. - *

- * + * *

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers * require you to register an origination phone number before you can send SMS messages * to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a @@ -59,9 +55,34 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M * mode * , you can send messages only to verified phone * numbers. After you test your app while in the sandbox environment, you can move out - * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito + * of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito * Developer Guide.

* + *

Updates the specified user pool with the specified attributes. You can get a list of + * the current user pool settings using DescribeUserPool.

+ * + *

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

+ * + * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -197,7 +218,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

* * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts index d90a1291f52e..867f7b12a710 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts @@ -60,6 +60,26 @@ export interface UpdateUserPoolDomainCommandOutput extends UpdateUserPoolDomainR *

After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new * certificate to your custom domain.

*

For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.

+ * + *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you must use IAM credentials to authorize requests, and you must + * grant yourself the corresponding IAM permission in a policy.

+ *

+ * Learn more + *

+ * + * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cognito-identity-provider/src/commands/VerifySoftwareTokenCommand.ts b/clients/client-cognito-identity-provider/src/commands/VerifySoftwareTokenCommand.ts index 50a4b761d200..bc0fbe79545c 100644 --- a/clients/client-cognito-identity-provider/src/commands/VerifySoftwareTokenCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/VerifySoftwareTokenCommand.ts @@ -23,7 +23,6 @@ import { VerifySoftwareTokenRequest, VerifySoftwareTokenRequestFilterSensitiveLog, VerifySoftwareTokenResponse, - VerifySoftwareTokenResponseFilterSensitiveLog, } from "../models/models_1"; import { de_VerifySoftwareTokenCommand, se_VerifySoftwareTokenCommand } from "../protocols/Aws_json1_1"; @@ -49,6 +48,12 @@ export interface VerifySoftwareTokenCommandOutput extends VerifySoftwareTokenRes *

Use this API to register a user's entered time-based one-time password (TOTP) code and * mark the user's software token MFA status as "verified" if successful. The request takes * an access token or a session string, but not both.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -85,7 +90,8 @@ export interface VerifySoftwareTokenCommandOutput extends VerifySoftwareTokenRes * configure the software token TOTP multi-factor authentication (MFA).

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

@@ -175,7 +181,7 @@ export class VerifySoftwareTokenCommand extends $Command< clientName, commandName, inputFilterSensitiveLog: VerifySoftwareTokenRequestFilterSensitiveLog, - outputFilterSensitiveLog: VerifySoftwareTokenResponseFilterSensitiveLog, + outputFilterSensitiveLog: (_: any) => _, }; const { requestHandler } = configuration; return stack.resolve( diff --git a/clients/client-cognito-identity-provider/src/commands/VerifyUserAttributeCommand.ts b/clients/client-cognito-identity-provider/src/commands/VerifyUserAttributeCommand.ts index 17e687f991d7..13805439c488 100644 --- a/clients/client-cognito-identity-provider/src/commands/VerifyUserAttributeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/VerifyUserAttributeCommand.ts @@ -45,12 +45,15 @@ export interface VerifyUserAttributeCommandOutput extends VerifyUserAttributeRes /** * @public *

Verifies the specified user attributes in the user pool.

- *

- * If your user pool requires verification before Amazon Cognito updates the attribute value, - * VerifyUserAttribute updates the affected attribute to its pending value. For more information, - * see - * UserAttributeUpdateSettingsType. - *

+ *

If your user pool requires verification before Amazon Cognito updates the attribute value, + * VerifyUserAttribute updates the affected attribute to its pending value. For more + * information, see UserAttributeUpdateSettingsType.

+ * + *

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For + * this operation, you can't use IAM credentials to authorize requests, and you can't + * grant IAM permissions in policies. For more information about authorization models in + * Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

+ * * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -76,8 +79,8 @@ export interface VerifyUserAttributeCommandOutput extends VerifyUserAttributeRes * * @throws {@link AliasExistsException} (client fault) *

This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

* @@ -89,7 +92,8 @@ export interface VerifyUserAttributeCommandOutput extends VerifyUserAttributeRes *

This exception is thrown if a code has expired.

* * @throws {@link ForbiddenException} (client fault) - *

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

+ *

This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

* * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

diff --git a/clients/client-cognito-identity-provider/src/commands/index.ts b/clients/client-cognito-identity-provider/src/commands/index.ts index 0ee4039e7972..fa54dc3f6a53 100644 --- a/clients/client-cognito-identity-provider/src/commands/index.ts +++ b/clients/client-cognito-identity-provider/src/commands/index.ts @@ -59,6 +59,7 @@ export * from "./GetCSVHeaderCommand"; export * from "./GetDeviceCommand"; export * from "./GetGroupCommand"; export * from "./GetIdentityProviderByIdentifierCommand"; +export * from "./GetLogDeliveryConfigurationCommand"; export * from "./GetSigningCertificateCommand"; export * from "./GetUICustomizationCommand"; export * from "./GetUserAttributeVerificationCodeCommand"; @@ -79,6 +80,7 @@ export * from "./ListUsersInGroupCommand"; export * from "./ResendConfirmationCodeCommand"; export * from "./RespondToAuthChallengeCommand"; export * from "./RevokeTokenCommand"; +export * from "./SetLogDeliveryConfigurationCommand"; export * from "./SetRiskConfigurationCommand"; export * from "./SetUICustomizationCommand"; export * from "./SetUserMFAPreferenceCommand"; diff --git a/clients/client-cognito-identity-provider/src/index.ts b/clients/client-cognito-identity-provider/src/index.ts index 63581f4abe7c..2938839ab74d 100644 --- a/clients/client-cognito-identity-provider/src/index.ts +++ b/clients/client-cognito-identity-provider/src/index.ts @@ -1,12 +1,73 @@ // smithy-typescript generated code /* eslint-disable */ /** - *

Using the Amazon Cognito user pools API, you can create a user pool to manage directories and - * users. You can authenticate a user to obtain tokens related to user identity and access - * policies.

- *

This API reference provides information about user pools in Amazon Cognito user pools.

- *

For more information, see the Amazon Cognito - * Documentation.

+ *

With the Amazon Cognito user pools API, you can set up user pools and app clients, and + * authenticate users. To authenticate users from third-party identity providers (IdPs) in + * this API, you can link IdP users to native user profiles. Learn more + * about the authentication and authorization of federated users in the Using the Amazon Cognito user pools API and user pool endpoints.

+ *

This API reference provides detailed information about API operations and object types + * in Amazon Cognito. At the bottom of the page for each API operation and object, under + * See Also, you can learn how to use it in an Amazon Web Services SDK in the + * language of your choice.

+ *

Along with resource management operations, the Amazon Cognito user pools API includes classes + * of operations and authorization models for client-side and server-side user operations. + * For more information, see Using the Amazon Cognito native and OIDC APIs in the + * Amazon Cognito Developer Guide.

+ *

You can also start reading about the CognitoIdentityProvider client in + * the following SDK guides.

+ * + *

To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services + * SDKs.

* * @packageDocumentation */ diff --git a/clients/client-cognito-identity-provider/src/models/models_0.ts b/clients/client-cognito-identity-provider/src/models/models_0.ts index b69a83ae956a..c0b171102109 100644 --- a/clients/client-cognito-identity-provider/src/models/models_0.ts +++ b/clients/client-cognito-identity-provider/src/models/models_0.ts @@ -272,18 +272,26 @@ export interface StringAttributeConstraintsType { /** * @public - *

Contains information about the schema attribute.

+ *

A list of the user attributes and their properties in your user pool. The attribute + * schema contains standard attributes, custom attributes with a custom: + * prefix, and developer attributes with a dev: prefix. For more information, + * see User pool + * attributes.

+ *

Developer-only attributes are a legacy feature of user pools, are read-only to all app + * clients. You can create and update developer-only attributes only with IAM-authenticated + * API operations. Use app client read/write permissions instead.

*/ export interface SchemaAttributeType { /** * @public - *

A schema attribute of the name type.

+ *

The name of your user pool attribute, for example username or + * custom:costcenter.

*/ Name?: string; /** * @public - *

The attribute data type.

+ *

The data format of the values for your attribute.

*/ AttributeDataType?: AttributeDataType | string; @@ -304,10 +312,10 @@ export interface SchemaAttributeType { /** * @public *

Specifies whether the value of the attribute can be changed.

- *

For any user pool attribute that is mapped to an IdP attribute, you must set this - * parameter to true. Amazon Cognito updates mapped attributes when users sign in to - * your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error - * when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User + *

Any user pool attribute whose value you map from an IdP attribute must be mutable, + * with a parameter value of true. Amazon Cognito updates mapped attributes when users + * sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws + * an error when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User * Pool.

*/ Mutable?: boolean; @@ -526,7 +534,7 @@ export class UserNotFoundException extends __BaseException { /** * @public - *

Represents the request to confirm user registration.

+ *

Confirm a user's registration as a user pool administrator.

*/ export interface AdminConfirmSignUpRequest { /** @@ -816,9 +824,9 @@ export interface AdminCreateUserRequest { *

This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for * you.

*

The temporary password can only be used until the user account expiration limit that - * you specified when you created the user pool. To reset the account after that time - * limit, you must call AdminCreateUser again, specifying - * "RESEND" for the MessageAction parameter.

+ * you set for your user pool. To reset the account after that time limit, you must call + * AdminCreateUser again and specify RESEND for the + * MessageAction parameter.

*/ TemporaryPassword?: string; @@ -958,7 +966,7 @@ export interface UserType { /** * @public - *

The last modified date of the user.

+ *

The date and time, in ISO 8601 format, when the item was modified.

*/ UserLastModifiedDate?: Date; @@ -982,9 +990,6 @@ export interface UserType { *

EXTERNAL_PROVIDER - User signed in with a third-party IdP.

* *
  • - *

    ARCHIVED - User is no longer active.

    - *
    • - *
  • *

    UNKNOWN - User status isn't known.

    *
    • *
  • @@ -1085,7 +1090,7 @@ export class InvalidSmsRoleAccessPolicyException extends __BaseException { * @public *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    */ export class InvalidSmsRoleTrustRelationshipException extends __BaseException { @@ -1325,8 +1330,8 @@ export interface AdminDisableProviderForUserResponse {} /** * @public *

    This exception is thrown when a user tries to confirm the account with an email - * address or phone number that has already been supplied as an alias for a different - * user profile. This exception indicates that an account with this email address or phone + * address or phone number that has already been supplied as an alias for a different user + * profile. This exception indicates that an account with this email address or phone * already exists in a user pool that you've configured to use email address or phone * number as a sign-in alias.

    */ @@ -1489,7 +1494,7 @@ export interface DeviceType { /** * @public - *

    The last modified date of the device.

    + *

    The date and time, in ISO 8601 format, when the item was modified.

    */ DeviceLastModifiedDate?: Date; @@ -1539,7 +1544,7 @@ export interface AdminGetUserRequest { export interface AdminGetUserResponse { /** * @public - *

    The user name of the user about whom you're receiving information.

    + *

    The username of the user that you requested.

    */ Username: string | undefined; @@ -1557,7 +1562,7 @@ export interface AdminGetUserResponse { /** * @public - *

    The date the user was last modified.

    + *

    The date and time, in ISO 8601 format, when the item was modified.

    */ UserLastModifiedDate?: Date; @@ -1578,9 +1583,6 @@ export interface AdminGetUserResponse { *

    CONFIRMED - User has been confirmed.

    *
    • *
  • - *

    ARCHIVED - User is no longer active.

    - *
    • - *
  • *

    UNKNOWN - User status isn't known.

    *
    • *
  • @@ -1796,16 +1798,16 @@ export interface AdminInitiateAuthRequest { * client is configured with a client secret), DEVICE_KEY.

    *
    • *
  • + *

    For ADMIN_USER_PASSWORD_AUTH: USERNAME (required), + * PASSWORD (required), SECRET_HASH (required if the + * app client is configured with a client secret), DEVICE_KEY.

    + *
    • + *
  • *

    For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN * (required), SECRET_HASH (required if the app client is configured * with a client secret), DEVICE_KEY.

    *
    • *
  • - *

    For ADMIN_NO_SRP_AUTH: USERNAME (required), - * SECRET_HASH (if app client is configured with client secret), - * PASSWORD (required), DEVICE_KEY.

    - *
    • - *
  • *

    For CUSTOM_AUTH: USERNAME (required), * SECRET_HASH (if app client is configured with client secret), * DEVICE_KEY. To start the authentication flow with password @@ -1813,6 +1815,8 @@ export interface AdminInitiateAuthRequest { * SRP_A Value).

    *
    • * + *

    For more information about SECRET_HASH, see Computing secret hash values. For information about + * DEVICE_KEY, see Working with user devices in your user pool.

    */ AuthParameters?: Record; @@ -2187,7 +2191,7 @@ export interface AdminLinkProviderForUserRequest { /** * @public *

    The existing user in the user pool that you want to assign to the external IdP user - * account. This user can be a native (Username + Password) Amazon Cognito user pools user or a + * account. This user can be a local (Username + Password) Amazon Cognito user pools user or a * federated user (for example, a SAML or Facebook user). If the user doesn't exist, Amazon Cognito * generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP * attribute) signs in.

    @@ -2221,13 +2225,19 @@ export interface AdminLinkProviderForUserRequest { * id, sub, or user_id value found in the social * IdP token.

    *

    + *

    For OIDC, the ProviderAttributeName can be any value that matches a claim + * in the ID token, or that your app retrieves from the userInfo endpoint. You + * must map the claim to a user pool attribute in your IdP configuration, and set the user + * pool attribute name as the value of ProviderAttributeName in your + * AdminLinkProviderForUser request.

    *

    For SAML, the ProviderAttributeName can be any value that matches a claim - * in the SAML assertion. If you want to link SAML users based on the subject of the SAML - * assertion, you should map the subject to a claim through the SAML IdP and submit that - * claim name as the ProviderAttributeName. If you set - * ProviderAttributeName to Cognito_Subject, Amazon Cognito will - * automatically parse the default unique identifier found in the subject from the SAML - * token.

    + * in the SAML assertion. To link SAML users based on the subject of the SAML assertion, + * map the subject to a claim through the SAML IdP and set that claim name as the value of + * ProviderAttributeName in your AdminLinkProviderForUser + * request.

    + *

    For both OIDC and SAML users, when you set ProviderAttributeName to + * Cognito_Subject, Amazon Cognito will automatically parse the default unique + * identifier found in the subject from the IdP token.

    */ SourceUser: ProviderUserIdentifierType | undefined; } @@ -2365,13 +2375,13 @@ export interface GroupType { /** * @public - *

    The date the group was last modified.

    + *

    The date and time, in ISO 8601 format, when the item was modified.

    */ LastModifiedDate?: Date; /** * @public - *

    The date the group was created.

    + *

    The date and time, in ISO 8601 format, when the item was created.

    */ CreationDate?: Date; } @@ -2528,7 +2538,11 @@ export type FeedbackValueType = (typeof FeedbackValueType)[keyof typeof Feedback export interface EventFeedbackType { /** * @public - *

    The event feedback value.

    + *

    The authentication event feedback value. When you provide a FeedbackValue + * value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito + * has evaluated some level of risk. When you provide a FeedbackValue value of + * invalid, you tell Amazon Cognito that you don't trust a user session, or you + * don't believe that Amazon Cognito evaluated a high-enough risk level.

    */ FeedbackValue: FeedbackValueType | string | undefined; @@ -2651,7 +2665,7 @@ export interface AuthEventType { /** * @public - *

    The creation date

    + *

    The date and time, in ISO 8601 format, when the item was created.

    */ CreationDate?: Date; @@ -2912,6 +2926,8 @@ export interface AdminRespondToAuthChallengeRequest { * AdminInitiateAuth response includes the actual username value in the * USERNAMEUSER_ID_FOR_SRP attribute. This happens even if you specified * an alias in your call to AdminInitiateAuth.

    + *

    For more information about SECRET_HASH, see Computing secret hash values. For information about + * DEVICE_KEY, see Working with user devices in your user pool.

    */ ChallengeResponses?: Record; @@ -3275,7 +3291,11 @@ export interface AdminUpdateAuthEventFeedbackRequest { /** * @public - *

    The authentication event feedback value.

    + *

    The authentication event feedback value. When you provide a FeedbackValue + * value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito + * has evaluated some level of risk. When you provide a FeedbackValue value of + * invalid, you tell Amazon Cognito that you don't trust a user session, or you + * don't believe that Amazon Cognito evaluated a high-enough risk level.

    */ FeedbackValue: FeedbackValueType | string | undefined; } @@ -3475,9 +3495,9 @@ export type AliasAttributeType = (typeof AliasAttributeType)[keyof typeof AliasA *

    The Amazon Pinpoint analytics configuration necessary to collect metrics for a user * pool.

    * - *

    In Regions where Amazon Pinpointisn't available, user pools only support sending events to - * Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools - * support sending events to Amazon Pinpoint projects within that same Region.

    + *

    In Regions where Amazon Pinpoint isn't available, user pools only support sending + * events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user + * pools support sending events to Amazon Pinpoint projects within that same Region.

    *     */ export interface AnalyticsConfigurationType { @@ -3541,8 +3561,8 @@ export interface AssociateSoftwareTokenRequest { export interface AssociateSoftwareTokenResponse { /** * @public - *

    A unique generated shared secret code that is used in the - * TOTP algorithm to generate a one-time code.

    + *

    A unique generated shared secret code that is used in the TOTP algorithm to generate a + * one-time code.

    */ SecretCode?: string; @@ -3577,7 +3597,8 @@ export class ConcurrentModificationException extends __BaseException { /** * @public - *

    This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

    + *

    This exception is thrown when WAF doesn't allow your request based on a web + * ACL that's associated with your user pool.

    */ export class ForbiddenException extends __BaseException { readonly name: "ForbiddenException" = "ForbiddenException"; @@ -3705,8 +3726,7 @@ export interface ConfirmDeviceResponse { /** * @public *

    Contextual data, such as the user's device fingerprint, IP address, or location, used - * for evaluating the risk of an unexpected event by Amazon Cognito advanced - * security.

    + * for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

    */ export interface UserContextDataType { /** @@ -3737,7 +3757,8 @@ export interface ConfirmForgotPasswordRequest { /** * @public *

    A keyed-hash message authentication code (HMAC) calculated using the secret key of a - * user pool client and username plus the client ID in the message.

    + * user pool client and username plus the client ID in the message. For more information + * about SecretHash, see Computing secret hash values.

    */ SecretHash?: string; @@ -3750,8 +3771,8 @@ export interface ConfirmForgotPasswordRequest { /** * @public - *

    The confirmation code from your user's request to reset their password. For - * more information, see ForgotPassword.

    + *

    The confirmation code from your user's request to reset their password. For more + * information, see ForgotPassword.

    */ ConfirmationCode: string | undefined; @@ -4332,13 +4353,13 @@ export interface IdentityProviderType { /** * @public - *

    The date the IdP was last modified.

    + *

    The date and time, in ISO 8601 format, when the item was modified.

    */ LastModifiedDate?: Date; /** * @public - *

    The date the IdP was created.

    + *

    The date and time, in ISO 8601 format, when the item was created.

    */ CreationDate?: Date; } @@ -4541,7 +4562,7 @@ export interface UserImportJobType { /** * @public - *

    The date the user import job was created.

    + *

    The date and time, in ISO 8601 format, when the item was created.

    */ CreationDate?: Date; @@ -4690,9 +4711,9 @@ export interface DeviceConfigurationType { * and time-based one-time password (TOTP) factors for multi-factor authentication * (MFA).

    * - *

    Whether or not ChallengeRequiredOnNewDevice is true, users who sign in - * with devices that have not been confirmed or remembered must still provide a second - * factor in a user pool that requires MFA.

    + *

    Whether or not ChallengeRequiredOnNewDevice is true, users who sign + * in with devices that have not been confirmed or remembered must still provide a + * second factor in a user pool that requires MFA.

    *     */ ChallengeRequiredOnNewDevice?: boolean; @@ -4700,11 +4721,10 @@ export interface DeviceConfigurationType { /** * @public *

    When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a - * - * ConfirmDevice API request. In your app, create a prompt for - * your user to choose whether they want to remember their device. Return the user's choice - * in an - * UpdateDeviceStatus API request.

    + * + * ConfirmDevice API request. In your app, create a prompt for your user to + * choose whether they want to remember their device. Return the user's choice in an + * UpdateDeviceStatus API request.

    *

    When DeviceOnlyRememberedOnUserPrompt is false, Amazon * Cognito immediately remembers devices that you register in a ConfirmDevice * API request.

    @@ -4740,9 +4760,12 @@ export type EmailSendingAccountType = (typeof EmailSendingAccountType)[keyof typ export interface EmailConfigurationType { /** * @public - *

    The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of - * the following ways, depending on the value that you specify for the - * EmailSendingAccount parameter:

    + *

    The ARN of a verified email address or an address from a verified domain in Amazon SES. You + * can set a SourceArn email from a verified domain only with an API request. + * You can set a verified email address, but not an address in a verified domain, in the + * Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following + * ways, depending on the value that you specify for the EmailSendingAccount + * parameter:

    *
      *
    • *

      If you specify COGNITO_DEFAULT, Amazon Cognito uses this address as the @@ -4781,7 +4804,8 @@ export interface EmailConfigurationType { * default email limit is less than the required delivery volume. To achieve a * higher delivery volume, specify DEVELOPER to use your Amazon SES email * configuration.

      - *

      To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer Guide.

      + *

      To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer + * Guide.

      *

      The default FROM address is no-reply@verificationemail.com. * To customize the FROM address, provide the Amazon Resource Name (ARN) of an * Amazon SES verified email address for the SourceArn @@ -4799,9 +4823,9 @@ export interface EmailConfigurationType { * call Amazon SES on your behalf. When you update your user pool with this option, * Amazon Cognito creates a service-linked role, which is a type of * role in your Amazon Web Services account. This role contains the permissions - * that allow you to access Amazon SES and send email messages from your email address. For - * more information about the service-linked role that Amazon Cognito creates, see - * Using Service-Linked Roles for Amazon Cognito in the + * that allow you to access Amazon SES and send email messages from your email + * address. For more information about the service-linked role that Amazon Cognito + * creates, see Using Service-Linked Roles for Amazon Cognito in the * Amazon Cognito Developer Guide.

      * * @@ -5138,7 +5162,7 @@ export interface UserAttributeUpdateSettingsType { * this option activated, Amazon Cognito sends a verification message to the new phone number or * email address. Amazon Cognito doesn’t change the value of the attribute until your user responds * to the verification message and confirms the new value.

      - *

      You can verify an updated email address or phone number with a VerifyUserAttribute API request. You can also call the UpdateUserAttributes or AdminUpdateUserAttributes API and set email_verified or + *

      You can verify an updated email address or phone number with a VerifyUserAttribute API request. You can also call the AdminUpdateUserAttributes API and set email_verified or * phone_number_verified to true.

      *

      When AttributesRequireVerificationBeforeUpdate is false, your user pool * doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a @@ -5171,7 +5195,10 @@ export interface UsernameConfigurationType { /** * @public *

      Specifies whether user name case sensitivity will be applied for all users in the user - * pool through Amazon Cognito APIs.

      + * pool through Amazon Cognito APIs. For most use cases, set case sensitivity to False + * (case insensitive) as a best practice. When usernames and email addresses are case + * insensitive, users can sign in as the same user when they enter a different + * capitalization of their user name.

      *

      Valid values include:

      *
      *
      True
      @@ -5183,10 +5210,11 @@ export interface UsernameConfigurationType { *
      False
      *
      *

      Enables case insensitivity for all username input. For example, when this - * option is set to False, users can sign in using either - * "username" or "Username". This option also enables both - * preferred_username and email alias to be case - * insensitive, in addition to the username attribute.

      + * option is set to False, users can sign in using + * username, USERNAME, or UserName. + * This option also enables both preferred_username and + * email alias to be case insensitive, in addition to the + * username attribute.

      *
      *
      */ @@ -5195,12 +5223,16 @@ export interface UsernameConfigurationType { /** * @public - *

      The user pool add-ons type.

      + *

      User pool add-ons. Contains settings for activation of advanced security features. To + * log user security information but take no action, set to AUDIT. To + * configure automatic security responses to risky traffic to your user pool, set to + * ENFORCED.

      + *

      For more information, see Adding advanced security to a user pool.

      */ export interface UserPoolAddOnsType { /** * @public - *

      The advanced security mode.

      + *

      The operating mode of advanced security features in your user pool.

      */ AdvancedSecurityMode: AdvancedSecurityModeType | string | undefined; } @@ -5383,9 +5415,11 @@ export interface CreateUserPoolRequest { /** * @public - *

      The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

      + *

      The device-remembering configuration for a user pool. A null value indicates that you + * have deactivated device remembering in your user pool.

      * - *

      When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

      + *

      When you provide a value for any DeviceConfiguration field, you + * activate the Amazon Cognito device-remembering feature.

      *       */ DeviceConfiguration?: DeviceConfigurationType; @@ -5430,17 +5464,26 @@ export interface CreateUserPoolRequest { /** * @public - *

      Enables advanced security risk detection. Set the key - * AdvancedSecurityMode to the value "AUDIT".

      + *

      User pool add-ons. Contains settings for activation of advanced security features. To + * log user security information but take no action, set to AUDIT. To + * configure automatic security responses to risky traffic to your user pool, set to + * ENFORCED.

      + *

      For more information, see Adding advanced security to a user pool.

      */ UserPoolAddOns?: UserPoolAddOnsType; /** * @public - *

      Case sensitivity on the username input for the selected sign-in option. For example, - * when case sensitivity is set to False, users can sign in using either - * "username" or "Username". This configuration is immutable once it has been set. For more - * information, see UsernameConfigurationType.

      + *

      Case sensitivity on the username input for the selected sign-in option. When case + * sensitivity is set to False (case insensitive), users can sign in with any + * combination of capital and lowercase letters. For example, username, + * USERNAME, or UserName, or for email, + * email@example.com or EMaiL@eXamplE.Com. For most use + * cases, set case sensitivity to False (case insensitive) as a best practice. + * When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in + * case as the same user, and prevents a case variation from being assigned to the same + * attribute for a different user.

      + *

      This configuration is immutable after you set it. For more information, see UsernameConfigurationType.

      */ UsernameConfiguration?: UsernameConfigurationType; @@ -5519,19 +5562,26 @@ export interface UserPoolType { /** * @public - *

      The date the user pool was last modified.

      + *

      The date and time, in ISO 8601 format, when the item was modified.

      */ LastModifiedDate?: Date; /** * @public - *

      The date the user pool was created.

      + *

      The date and time, in ISO 8601 format, when the item was created.

      */ CreationDate?: Date; /** * @public - *

      A container with the schema attributes of a user pool.

      + *

      A list of the user attributes and their properties in your user pool. The attribute + * schema contains standard attributes, custom attributes with a custom: + * prefix, and developer attributes with a dev: prefix. For more information, + * see User pool + * attributes.

      + *

      Developer-only attributes are a legacy feature of user pools, are read-only to all app + * clients. You can create and update developer-only attributes only with IAM-authenticated + * API operations. Use app client read/write permissions instead.

      */ SchemaAttributes?: SchemaAttributeType[]; @@ -5618,9 +5668,11 @@ export interface UserPoolType { /** * @public - *

      The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

      + *

      The device-remembering configuration for a user pool. A null value indicates that you + * have deactivated device remembering in your user pool.

      * - *

      When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

      + *

      When you provide a value for any DeviceConfiguration field, you + * activate the Amazon Cognito device-remembering feature.

      *       */ DeviceConfiguration?: DeviceConfigurationType; @@ -5634,7 +5686,7 @@ export interface UserPoolType { /** * @public *

      The email configuration of your user pool. The email configuration type sets your - * preferred sending method, Amazon Web Services Region, and sender for messages tfrom your user + * preferred sending method, Amazon Web Services Region, and sender for messages from your user * pool.

      */ EmailConfiguration?: EmailConfigurationType; @@ -5671,9 +5723,9 @@ export interface UserPoolType { *
      *

      The Amazon Web Services account is in the SNS SMS Sandbox and messages will * only reach verified end users. This parameter won’t get populated with - * SNSSandbox if the IAM user creating the user pool doesn’t have SNS - * permissions. To learn how to move your Amazon Web Services account out of the - * sandbox, see Moving out + * SNSSandbox if the user creating the user pool doesn’t have SNS permissions. + * To learn how to move your Amazon Web Services account out of the sandbox, see + * Moving out * of the SMS sandbox.

      *
      * @@ -5711,7 +5763,11 @@ export interface UserPoolType { /** * @public - *

      The user pool add-ons.

      + *

      User pool add-ons. Contains settings for activation of advanced security features. To + * log user security information but take no action, set to AUDIT. To + * configure automatic security responses to risky traffic to your user pool, set to + * ENFORCED.

      + *

      For more information, see Adding advanced security to a user pool.

      */ UserPoolAddOns?: UserPoolAddOnsType; @@ -5850,7 +5906,9 @@ export interface TokenValidityUnitsType { * @public *

      A time unit of seconds, minutes, hours, or * days for the value that you set in the AccessTokenValidity - * parameter. The default AccessTokenValidity time unit is hours.

      + * parameter. The default AccessTokenValidity time unit is hours. + * AccessTokenValidity duration can range from five minutes to one + * day.

      */ AccessToken?: TimeUnitsType | string; @@ -5858,7 +5916,8 @@ export interface TokenValidityUnitsType { * @public *

      A time unit of seconds, minutes, hours, or * days for the value that you set in the IdTokenValidity - * parameter. The default IdTokenValidity time unit is hours.

      + * parameter. The default IdTokenValidity time unit is hours. + * IdTokenValidity duration can range from five minutes to one day.

      */ IdToken?: TimeUnitsType | string; @@ -5867,7 +5926,9 @@ export interface TokenValidityUnitsType { *

      A time unit of seconds, minutes, hours, or * days for the value that you set in the * RefreshTokenValidity parameter. The default - * RefreshTokenValidity time unit is days.

      + * RefreshTokenValidity time unit is days. + * RefreshTokenValidity duration can range from 60 minutes to 10 + * years.

      */ RefreshToken?: TimeUnitsType | string; } @@ -5939,7 +6000,7 @@ export interface CreateUserPoolClientRequest { *

      For example, when you set IdTokenValidity as 10 and * TokenValidityUnits as hours, your user can authenticate their * session with their ID token for 10 hours.

      - *

      The default time unit for AccessTokenValidity in an API request is hours. + *

      The default time unit for IdTokenValidity in an API request is hours. * Valid range is displayed below in seconds.

      *

      If you don't specify otherwise in the configuration of your app client, your ID * tokens are valid for one hour.

      @@ -6020,9 +6081,9 @@ export interface CreateUserPoolClientRequest { * @public *

      A list of provider names for the identity providers (IdPs) that are supported on this * client. The following are supported: COGNITO, Facebook, - * Google, SignInWithApple, and LoginWithAmazon. You can also specify the names - * that you configured for the SAML and OIDC IdPs in your user pool, for example - * MySAMLIdP or MyOIDCIdP.

      + * Google, SignInWithApple, and LoginWithAmazon. + * You can also specify the names that you configured for the SAML and OIDC IdPs in your + * user pool, for example MySAMLIdP or MyOIDCIdP.

      */ SupportedIdentityProviders?: string[]; @@ -6114,8 +6175,33 @@ export interface CreateUserPoolClientRequest { /** * @public - *

      Set to true if the client is allowed to follow the OAuth protocol when interacting - * with Amazon Cognito user pools.

      + *

      Set to true to use OAuth 2.0 features in your user pool app client.

      + *

      + * AllowedOAuthFlowsUserPoolClient must be true before you can configure + * the following features in your app client.

      + *
        + *
      • + *

        + * CallBackURLs: Callback URLs.

        + *
        • + *
      • + *

        + * LogoutURLs: Sign-out redirect URLs.

        + *
        • + *
      • + *

        + * AllowedOAuthScopes: OAuth 2.0 scopes.

        + *
        • + *
      • + *

        + * AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

        + *
        • + *
      + *

      To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set + * AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or + * UpdateUserPoolClient API request. If you don't set a value for + * AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults + * to false.

      */ AllowedOAuthFlowsUserPoolClient?: boolean; @@ -6172,7 +6258,7 @@ export interface CreateUserPoolClientRequest { * propagation of user context data, see Adding advanced security to a user pool. If you don’t include this * parameter, you can't send device fingerprint information, including source IP address, * to Amazon Cognito advanced security. You can only activate - * EnablePropagateAdditionalUserContextData in an app client that has a + * EnablePropagateAdditionalUserContextData in an app client that has a * client secret.

      */ EnablePropagateAdditionalUserContextData?: boolean; @@ -6216,13 +6302,13 @@ export interface UserPoolClientType { /** * @public - *

      The date the user pool client was last modified.

      + *

      The date and time, in ISO 8601 format, when the item was modified.

      */ LastModifiedDate?: Date; /** * @public - *

      The date the user pool client was created.

      + *

      The date and time, in ISO 8601 format, when the item was created.

      */ CreationDate?: Date; @@ -6269,7 +6355,7 @@ export interface UserPoolClientType { *

      For example, when you set IdTokenValidity as 10 and * TokenValidityUnits as hours, your user can authenticate their * session with their ID token for 10 hours.

      - *

      The default time unit for AccessTokenValidity in an API request is hours. + *

      The default time unit for IdTokenValidity in an API request is hours. * Valid range is displayed below in seconds.

      *

      If you don't specify otherwise in the configuration of your app client, your ID * tokens are valid for one hour.

      @@ -6343,8 +6429,9 @@ export interface UserPoolClientType { /** * @public *

      A list of provider names for the IdPs that this client supports. The following are - * supported: COGNITO, Facebook, Google, SignInWithApple, - * LoginWithAmazon, and the names of your own SAML and OIDC providers.

      + * supported: COGNITO, Facebook, Google, + * SignInWithApple, LoginWithAmazon, and the names of your + * own SAML and OIDC providers.

      */ SupportedIdentityProviders?: string[]; @@ -6437,8 +6524,33 @@ export interface UserPoolClientType { /** * @public - *

      Set to true if the client is allowed to follow the OAuth protocol when interacting - * with Amazon Cognito user pools.

      + *

      Set to true to use OAuth 2.0 features in your user pool app client.

      + *

      + * AllowedOAuthFlowsUserPoolClient must be true before you can configure + * the following features in your app client.

      + *
        + *
      • + *

        + * CallBackURLs: Callback URLs.

        + *
        • + *
      • + *

        + * LogoutURLs: Sign-out redirect URLs.

        + *
        • + *
      • + *

        + * AllowedOAuthScopes: OAuth 2.0 scopes.

        + *
        • + *
      • + *

        + * AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

        + *
        • + *
      + *

      To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set + * AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or + * UpdateUserPoolClient API request. If you don't set a value for + * AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults + * to false.

      */ AllowedOAuthFlowsUserPoolClient?: boolean; @@ -6982,7 +7094,7 @@ export interface RiskConfigurationType { /** * @public - *

      The last modified date.

      + *

      The date and time, in ISO 8601 format, when the item was modified.

      */ LastModifiedDate?: Date; } @@ -7147,7 +7259,8 @@ export interface DomainDescriptionType { /** * @public - *

      The Amazon Resource Name (ARN) of the Amazon CloudFront distribution.

      + *

      The Amazon CloudFront endpoint that you use as the target of the alias that you set up with + * your Domain Name Service (DNS) provider.

      */ CloudFrontDistribution?: string; @@ -7437,6 +7550,110 @@ export interface GetIdentityProviderByIdentifierResponse { IdentityProvider: IdentityProviderType | undefined; } +/** + * @public + */ +export interface GetLogDeliveryConfigurationRequest { + /** + * @public + *

      The ID of the user pool where you want to view detailed activity logging configuration.

      + */ + UserPoolId: string | undefined; +} + +/** + * @public + *

      The CloudWatch logging destination of a user pool detailed activity logging configuration.

      + */ +export interface CloudWatchLogsConfigurationType { + /** + * @public + *

      The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. + * The log group must not be encrypted with Key Management Service and must be in the same Amazon Web Services account + * as your user pool.

      + */ + LogGroupArn?: string; +} + +/** + * @public + * @enum + */ +export const EventSourceName = { + USER_NOTIFICATION: "userNotification", +} as const; + +/** + * @public + */ +export type EventSourceName = (typeof EventSourceName)[keyof typeof EventSourceName]; + +/** + * @public + * @enum + */ +export const LogLevel = { + ERROR: "ERROR", +} as const; + +/** + * @public + */ +export type LogLevel = (typeof LogLevel)[keyof typeof LogLevel]; + +/** + * @public + *

      The logging parameters of a user pool.

      + */ +export interface LogConfigurationType { + /** + * @public + *

      The errorlevel selection of logs that a user pool sends for detailed activity logging.

      + */ + LogLevel: LogLevel | string | undefined; + + /** + * @public + *

      The source of events that your user pool sends for detailed activity logging.

      + */ + EventSource: EventSourceName | string | undefined; + + /** + * @public + *

      The CloudWatch logging destination of a user pool.

      + */ + CloudWatchLogsConfiguration?: CloudWatchLogsConfigurationType; +} + +/** + * @public + *

      The logging parameters of a user pool.

      + */ +export interface LogDeliveryConfigurationType { + /** + * @public + *

      The ID of the user pool where you configured detailed activity logging.

      + */ + UserPoolId: string | undefined; + + /** + * @public + *

      The detailed activity logging destination of a user pool.

      + */ + LogConfigurations: LogConfigurationType[] | undefined; +} + +/** + * @public + */ +export interface GetLogDeliveryConfigurationResponse { + /** + * @public + *

      The detailed activity logging configuration of the requested user pool.

      + */ + LogDeliveryConfiguration?: LogDeliveryConfigurationType; +} + /** * @public *

      Request to get a signing certificate from Amazon Cognito.

      @@ -7516,13 +7733,13 @@ export interface UICustomizationType { /** * @public - *

      The last-modified date for the UI customization.

      + *

      The date and time, in ISO 8601 format, when the item was modified.

      */ LastModifiedDate?: Date; /** * @public - *

      The creation date for the UI customization.

      + *

      The date and time, in ISO 8601 format, when the item was created.

      */ CreationDate?: Date; } @@ -7558,7 +7775,7 @@ export interface GetUserRequest { export interface GetUserResponse { /** * @public - *

      The user name of the user you want to retrieve from the get user request.

      + *

      The username of the user that you requested.

      */ Username: string | undefined; @@ -7836,6 +8053,11 @@ export interface InitiateAuthRequest { * client is configured with a client secret), DEVICE_KEY.

      *
      • *
    • + *

      For USER_PASSWORD_AUTH: USERNAME (required), + * PASSWORD (required), SECRET_HASH (required if the + * app client is configured with a client secret), DEVICE_KEY.

      + *
      • + *
    • *

      For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN * (required), SECRET_HASH (required if the app client is configured * with a client secret), DEVICE_KEY.

      @@ -7848,6 +8070,8 @@ export interface InitiateAuthRequest { * SRP_A Value).

      *
      • *
    + *

    For more information about SECRET_HASH, see Computing secret hash values. For information about + * DEVICE_KEY, see Working with user devices in your user pool.

    */ AuthParameters?: Record; @@ -8184,7 +8408,7 @@ export interface ProviderDescription { /** * @public - *

    The date the provider was added to the user pool.

    + *

    The date and time, in ISO 8601 format, when the item was created.

    */ CreationDate?: Date; } @@ -8435,13 +8659,13 @@ export interface UserPoolDescriptionType { /** * @public - *

    The date the user pool description was last modified.

    + *

    The date and time, in ISO 8601 format, when the item was modified.

    */ LastModifiedDate?: Date; /** * @public - *

    The date the user pool description was created.

    + *

    The date and time, in ISO 8601 format, when the item was created.

    */ CreationDate?: Date; } @@ -8478,9 +8702,10 @@ export interface ListUsersRequest { /** * @public - *

    An array of strings, where each string is the name of a user attribute to be returned - * for each user in the search results. If the array is null, all attributes are - * returned.

    + *

    A JSON array of user attribute names, for example given_name, that you + * want Amazon Cognito to include in the response for each user. When you don't provide an + * AttributesToGet parameter, Amazon Cognito returns all attributes for each + * user.

    */ AttributesToGet?: string[]; @@ -8600,7 +8825,15 @@ export interface ListUsersRequest { export interface ListUsersResponse { /** * @public - *

    The users returned in the request to list users.

    + *

    A list of the user pool users, and their attributes, that match your query.

    + * + *

    Amazon Cognito creates a profile in your user pool for each native user in your user pool, + * and each unique user ID from your third-party identity providers (IdPs). When you + * link users with the AdminLinkProviderForUser API operation, the output of + * ListUsers displays both the IdP user and the native user that you + * linked. You can identify IdP users in the Users object of this API + * response by the IdP prefix that Amazon Cognito appends to Username.

    + *     */ Users?: UserType[]; @@ -8808,9 +9041,9 @@ export interface RespondToAuthChallengeRequest { *
  • *

    * NEW_PASSWORD_REQUIRED: NEW_PASSWORD, - * USERNAME, SECRET_HASH (if app client is configured + * USERNAME, SECRET_HASH (if app client is configured * with client secret). To set any required attributes that Amazon Cognito returned as - * requiredAttributes in the InitiateAuth response, + * requiredAttributes in the InitiateAuth response, * add a userAttributes.attributename * parameter. * This parameter can also set values for writable attributes that aren't required @@ -8845,6 +9078,8 @@ export interface RespondToAuthChallengeRequest { * Session parameter.

    *
    • * + *

    For more information about SECRET_HASH, see Computing secret hash values. For information about + * DEVICE_KEY, see Working with user devices in your user pool.

    */ ChallengeResponses?: Record; @@ -9032,233 +9267,71 @@ export class UnsupportedTokenTypeException extends __BaseException { /** * @public */ -export interface SetRiskConfigurationRequest { +export interface SetLogDeliveryConfigurationRequest { /** * @public - *

    The user pool ID.

    + *

    The ID of the user pool where you want to configure detailed activity logging .

    */ UserPoolId: string | undefined; /** * @public - *

    The app client ID. If ClientId is null, then the risk configuration is - * mapped to userPoolId. When the client ID is null, the same risk - * configuration is applied to all the clients in the userPool.

    - *

    Otherwise, ClientId is mapped to the client. When the client ID isn't - * null, the user pool configuration is overridden and the risk configuration for the - * client is used instead.

    - */ - ClientId?: string; - - /** - * @public - *

    The compromised credentials risk configuration.

    - */ - CompromisedCredentialsRiskConfiguration?: CompromisedCredentialsRiskConfigurationType; - - /** - * @public - *

    The account takeover risk configuration.

    - */ - AccountTakeoverRiskConfiguration?: AccountTakeoverRiskConfigurationType; - - /** - * @public - *

    The configuration to override the risk decision.

    + *

    A collection of all of the detailed activity logging configurations for a user pool.

    */ - RiskExceptionConfiguration?: RiskExceptionConfigurationType; + LogConfigurations: LogConfigurationType[] | undefined; } /** * @public */ -export interface SetRiskConfigurationResponse { +export interface SetLogDeliveryConfigurationResponse { /** * @public - *

    The risk configuration.

    + *

    The detailed activity logging configuration that you applied to the requested user pool.

    */ - RiskConfiguration: RiskConfigurationType | undefined; + LogDeliveryConfiguration?: LogDeliveryConfigurationType; } /** * @public */ -export interface SetUICustomizationRequest { +export interface SetRiskConfigurationRequest { /** * @public - *

    The user pool ID for the user pool.

    + *

    The user pool ID.

    */ UserPoolId: string | undefined; /** * @public - *

    The client ID for the client app.

    + *

    The app client ID. If ClientId is null, then the risk configuration is + * mapped to userPoolId. When the client ID is null, the same risk + * configuration is applied to all the clients in the userPool.

    + *

    Otherwise, ClientId is mapped to the client. When the client ID isn't + * null, the user pool configuration is overridden and the risk configuration for the + * client is used instead.

    */ ClientId?: string; /** * @public - *

    The CSS values in the UI customization.

    - */ - CSS?: string; - - /** - * @public - *

    The uploaded logo image for the UI customization.

    - */ - ImageFile?: Uint8Array; -} - -/** - * @public - */ -export interface SetUICustomizationResponse { - /** - * @public - *

    The UI customization information.

    - */ - UICustomization: UICustomizationType | undefined; -} - -/** - * @public - */ -export interface SetUserMFAPreferenceRequest { - /** - * @public - *

    The SMS text message multi-factor authentication (MFA) settings.

    - */ - SMSMfaSettings?: SMSMfaSettingsType; - - /** - * @public - *

    The time-based one-time password (TOTP) software token MFA settings.

    - */ - SoftwareTokenMfaSettings?: SoftwareTokenMfaSettingsType; - - /** - * @public - *

    A valid access token that Amazon Cognito issued to the user whose MFA preference you want to - * set.

    - */ - AccessToken: string | undefined; -} - -/** - * @public - */ -export interface SetUserMFAPreferenceResponse {} - -/** - * @public - */ -export interface SetUserPoolMfaConfigRequest { - /** - * @public - *

    The user pool ID.

    - */ - UserPoolId: string | undefined; - - /** - * @public - *

    The SMS text message MFA configuration.

    - */ - SmsMfaConfiguration?: SmsMfaConfigType; - - /** - * @public - *

    The software token MFA configuration.

    - */ - SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; - - /** - * @public - *

    The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who - * have set up an MFA factor can sign in. To learn more, see Adding Multi-Factor - * Authentication (MFA) to a user pool. Valid values include:

    - *
      - *
    • - *

      - * OFF MFA won't be used for any users.

      - *
      • - *
    • - *

      - * ON MFA is required for all users to sign in.

      - *
      • - *
    • - *

      - * OPTIONAL MFA will be required only for individual users who have - * an MFA factor activated.

      - *
      • - *
    - */ - MfaConfiguration?: UserPoolMfaType | string; -} - -/** - * @public - */ -export interface SetUserPoolMfaConfigResponse { - /** - * @public - *

    The SMS text message MFA configuration.

    - */ - SmsMfaConfiguration?: SmsMfaConfigType; - - /** - * @public - *

    The software token MFA configuration.

    - */ - SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; - - /** - * @public - *

    The MFA configuration. Valid values include:

    - *
      - *
    • - *

      - * OFF MFA won't be used for any users.

      - *
      • - *
    • - *

      - * ON MFA is required for all users to sign in.

      - *
      • - *
    • - *

      - * OPTIONAL MFA will be required only for individual users who have - * an MFA factor enabled.

      - *
      • - *
    + *

    The compromised credentials risk configuration.

    */ - MfaConfiguration?: UserPoolMfaType | string; -} + CompromisedCredentialsRiskConfiguration?: CompromisedCredentialsRiskConfigurationType; -/** - * @public - *

    Represents the request to set user settings.

    - */ -export interface SetUserSettingsRequest { /** * @public - *

    A valid access token that Amazon Cognito issued to the user whose user settings you want to - * configure.

    + *

    The account takeover risk configuration.

    */ - AccessToken: string | undefined; + AccountTakeoverRiskConfiguration?: AccountTakeoverRiskConfigurationType; /** * @public - *

    You can use this parameter only to set an SMS configuration that uses SMS for - * delivery.

    + *

    The configuration to override the risk decision.

    */ - MFAOptions: MFAOptionType[] | undefined; + RiskExceptionConfiguration?: RiskExceptionConfigurationType; } -/** - * @public - *

    The response from the server for a set user settings request.

    - */ -export interface SetUserSettingsResponse {} - /** * @internal */ @@ -9424,7 +9497,6 @@ export const AuthenticationResultTypeFilterSensitiveLog = (obj: AuthenticationRe */ export const AdminInitiateAuthResponseFilterSensitiveLog = (obj: AdminInitiateAuthResponse): any => ({ ...obj, - ...(obj.Session && { Session: SENSITIVE_STRING }), ...(obj.AuthenticationResult && { AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult), }), @@ -9483,8 +9555,6 @@ export const AdminResetUserPasswordRequestFilterSensitiveLog = (obj: AdminResetU export const AdminRespondToAuthChallengeRequestFilterSensitiveLog = (obj: AdminRespondToAuthChallengeRequest): any => ({ ...obj, ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), - ...(obj.ChallengeResponses && { ChallengeResponses: SENSITIVE_STRING }), - ...(obj.Session && { Session: SENSITIVE_STRING }), }); /** @@ -9494,7 +9564,6 @@ export const AdminRespondToAuthChallengeResponseFilterSensitiveLog = ( obj: AdminRespondToAuthChallengeResponse ): any => ({ ...obj, - ...(obj.Session && { Session: SENSITIVE_STRING }), ...(obj.AuthenticationResult && { AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult), }), @@ -9568,7 +9637,6 @@ export const AdminUserGlobalSignOutRequestFilterSensitiveLog = (obj: AdminUserGl export const AssociateSoftwareTokenRequestFilterSensitiveLog = (obj: AssociateSoftwareTokenRequest): any => ({ ...obj, ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), - ...(obj.Session && { Session: SENSITIVE_STRING }), }); /** @@ -9577,7 +9645,6 @@ export const AssociateSoftwareTokenRequestFilterSensitiveLog = (obj: AssociateSo export const AssociateSoftwareTokenResponseFilterSensitiveLog = (obj: AssociateSoftwareTokenResponse): any => ({ ...obj, ...(obj.SecretCode && { SecretCode: SENSITIVE_STRING }), - ...(obj.Session && { Session: SENSITIVE_STRING }), }); /** @@ -9598,13 +9665,6 @@ export const ConfirmDeviceRequestFilterSensitiveLog = (obj: ConfirmDeviceRequest ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), }); -/** - * @internal - */ -export const UserContextDataTypeFilterSensitiveLog = (obj: UserContextDataType): any => ({ - ...obj, -}); - /** * @internal */ @@ -9614,7 +9674,6 @@ export const ConfirmForgotPasswordRequestFilterSensitiveLog = (obj: ConfirmForgo ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }), ...(obj.Username && { Username: SENSITIVE_STRING }), ...(obj.Password && { Password: SENSITIVE_STRING }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), }); /** @@ -9625,7 +9684,6 @@ export const ConfirmSignUpRequestFilterSensitiveLog = (obj: ConfirmSignUpRequest ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }), ...(obj.Username && { Username: SENSITIVE_STRING }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), }); /** @@ -9724,7 +9782,6 @@ export const ForgotPasswordRequestFilterSensitiveLog = (obj: ForgotPasswordReque ...obj, ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), ...(obj.Username && { Username: SENSITIVE_STRING }), }); @@ -9812,7 +9869,6 @@ export const InitiateAuthRequestFilterSensitiveLog = (obj: InitiateAuthRequest): ...obj, ...(obj.AuthParameters && { AuthParameters: SENSITIVE_STRING }), ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), }); /** @@ -9820,7 +9876,6 @@ export const InitiateAuthRequestFilterSensitiveLog = (obj: InitiateAuthRequest): */ export const InitiateAuthResponseFilterSensitiveLog = (obj: InitiateAuthResponse): any => ({ ...obj, - ...(obj.Session && { Session: SENSITIVE_STRING }), ...(obj.AuthenticationResult && { AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult), }), @@ -9882,7 +9937,6 @@ export const ResendConfirmationCodeRequestFilterSensitiveLog = (obj: ResendConfi ...obj, ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), ...(obj.Username && { Username: SENSITIVE_STRING }), }); @@ -9892,9 +9946,6 @@ export const ResendConfirmationCodeRequestFilterSensitiveLog = (obj: ResendConfi export const RespondToAuthChallengeRequestFilterSensitiveLog = (obj: RespondToAuthChallengeRequest): any => ({ ...obj, ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), - ...(obj.Session && { Session: SENSITIVE_STRING }), - ...(obj.ChallengeResponses && { ChallengeResponses: SENSITIVE_STRING }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), }); /** @@ -9902,7 +9953,6 @@ export const RespondToAuthChallengeRequestFilterSensitiveLog = (obj: RespondToAu */ export const RespondToAuthChallengeResponseFilterSensitiveLog = (obj: RespondToAuthChallengeResponse): any => ({ ...obj, - ...(obj.Session && { Session: SENSITIVE_STRING }), ...(obj.AuthenticationResult && { AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult), }), @@ -9925,43 +9975,3 @@ export const SetRiskConfigurationRequestFilterSensitiveLog = (obj: SetRiskConfig ...obj, ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), }); - -/** - * @internal - */ -export const SetRiskConfigurationResponseFilterSensitiveLog = (obj: SetRiskConfigurationResponse): any => ({ - ...obj, - ...(obj.RiskConfiguration && { RiskConfiguration: RiskConfigurationTypeFilterSensitiveLog(obj.RiskConfiguration) }), -}); - -/** - * @internal - */ -export const SetUICustomizationRequestFilterSensitiveLog = (obj: SetUICustomizationRequest): any => ({ - ...obj, - ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), -}); - -/** - * @internal - */ -export const SetUICustomizationResponseFilterSensitiveLog = (obj: SetUICustomizationResponse): any => ({ - ...obj, - ...(obj.UICustomization && { UICustomization: UICustomizationTypeFilterSensitiveLog(obj.UICustomization) }), -}); - -/** - * @internal - */ -export const SetUserMFAPreferenceRequestFilterSensitiveLog = (obj: SetUserMFAPreferenceRequest): any => ({ - ...obj, - ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), -}); - -/** - * @internal - */ -export const SetUserSettingsRequestFilterSensitiveLog = (obj: SetUserSettingsRequest): any => ({ - ...obj, - ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), -}); diff --git a/clients/client-cognito-identity-provider/src/models/models_1.ts b/clients/client-cognito-identity-provider/src/models/models_1.ts index 8f982e6d933f..7be13d573658 100644 --- a/clients/client-cognito-identity-provider/src/models/models_1.ts +++ b/clients/client-cognito-identity-provider/src/models/models_1.ts @@ -20,12 +20,21 @@ import { GroupType, IdentityProviderType, LambdaConfigType, + MFAOptionType, OAuthFlowType, PreventUserExistenceErrorTypes, ResourceServerScopeType, ResourceServerType, + RiskConfigurationType, + RiskConfigurationTypeFilterSensitiveLog, SmsConfigurationType, + SmsMfaConfigType, + SMSMfaSettingsType, + SoftwareTokenMfaConfigType, + SoftwareTokenMfaSettingsType, TokenValidityUnitsType, + UICustomizationType, + UICustomizationTypeFilterSensitiveLog, UserAttributeUpdateSettingsType, UserContextDataType, UserImportJobType, @@ -38,6 +47,196 @@ import { VerifiedAttributeType, } from "./models_0"; +/** + * @public + */ +export interface SetRiskConfigurationResponse { + /** + * @public + *

    The risk configuration.

    + */ + RiskConfiguration: RiskConfigurationType | undefined; +} + +/** + * @public + */ +export interface SetUICustomizationRequest { + /** + * @public + *

    The user pool ID for the user pool.

    + */ + UserPoolId: string | undefined; + + /** + * @public + *

    The client ID for the client app.

    + */ + ClientId?: string; + + /** + * @public + *

    The CSS values in the UI customization.

    + */ + CSS?: string; + + /** + * @public + *

    The uploaded logo image for the UI customization.

    + */ + ImageFile?: Uint8Array; +} + +/** + * @public + */ +export interface SetUICustomizationResponse { + /** + * @public + *

    The UI customization information.

    + */ + UICustomization: UICustomizationType | undefined; +} + +/** + * @public + */ +export interface SetUserMFAPreferenceRequest { + /** + * @public + *

    The SMS text message multi-factor authentication (MFA) settings.

    + */ + SMSMfaSettings?: SMSMfaSettingsType; + + /** + * @public + *

    The time-based one-time password (TOTP) software token MFA settings.

    + */ + SoftwareTokenMfaSettings?: SoftwareTokenMfaSettingsType; + + /** + * @public + *

    A valid access token that Amazon Cognito issued to the user whose MFA preference you want to + * set.

    + */ + AccessToken: string | undefined; +} + +/** + * @public + */ +export interface SetUserMFAPreferenceResponse {} + +/** + * @public + */ +export interface SetUserPoolMfaConfigRequest { + /** + * @public + *

    The user pool ID.

    + */ + UserPoolId: string | undefined; + + /** + * @public + *

    The SMS text message MFA configuration.

    + */ + SmsMfaConfiguration?: SmsMfaConfigType; + + /** + * @public + *

    The software token MFA configuration.

    + */ + SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; + + /** + * @public + *

    The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who + * have set up an MFA factor can sign in. To learn more, see Adding Multi-Factor + * Authentication (MFA) to a user pool. Valid values include:

    + *
      + *
    • + *

      + * OFF MFA won't be used for any users.

      + *
      • + *
    • + *

      + * ON MFA is required for all users to sign in.

      + *
      • + *
    • + *

      + * OPTIONAL MFA will be required only for individual users who have + * an MFA factor activated.

      + *
      • + *
    + */ + MfaConfiguration?: UserPoolMfaType | string; +} + +/** + * @public + */ +export interface SetUserPoolMfaConfigResponse { + /** + * @public + *

    The SMS text message MFA configuration.

    + */ + SmsMfaConfiguration?: SmsMfaConfigType; + + /** + * @public + *

    The software token MFA configuration.

    + */ + SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; + + /** + * @public + *

    The MFA configuration. Valid values include:

    + *
      + *
    • + *

      + * OFF MFA won't be used for any users.

      + *
      • + *
    • + *

      + * ON MFA is required for all users to sign in.

      + *
      • + *
    • + *

      + * OPTIONAL MFA will be required only for individual users who have + * an MFA factor enabled.

      + *
      • + *
    + */ + MfaConfiguration?: UserPoolMfaType | string; +} + +/** + * @public + *

    Represents the request to set user settings.

    + */ +export interface SetUserSettingsRequest { + /** + * @public + *

    A valid access token that Amazon Cognito issued to the user whose user settings you want to + * configure.

    + */ + AccessToken: string | undefined; + + /** + * @public + *

    You can use this parameter only to set an SMS configuration that uses SMS for + * delivery.

    + */ + MFAOptions: MFAOptionType[] | undefined; +} + +/** + * @public + *

    The response from the server for a set user settings request.

    + */ +export interface SetUserSettingsResponse {} + /** * @public *

    Represents the request to register a user.

    @@ -298,7 +497,11 @@ export interface UpdateAuthEventFeedbackRequest { /** * @public - *

    The authentication event feedback value.

    + *

    The authentication event feedback value. When you provide a FeedbackValue + * value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito + * has evaluated some level of risk. When you provide a FeedbackValue value of + * invalid, you tell Amazon Cognito that you don't trust a user session, or you + * don't believe that Amazon Cognito evaluated a high-enough risk level.

    */ FeedbackValue: FeedbackValueType | string | undefined; } @@ -659,9 +862,11 @@ export interface UpdateUserPoolRequest { /** * @public - *

    The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

    + *

    The device-remembering configuration for a user pool. A null value indicates that you + * have deactivated device remembering in your user pool.

    * - *

    When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

    + *

    When you provide a value for any DeviceConfiguration field, you + * activate the Amazon Cognito device-remembering feature.

    *     */ DeviceConfiguration?: DeviceConfigurationType; @@ -699,8 +904,11 @@ export interface UpdateUserPoolRequest { /** * @public - *

    Enables advanced security risk detection. Set the key - * AdvancedSecurityMode to the value "AUDIT".

    + *

    User pool add-ons. Contains settings for activation of advanced security features. To + * log user security information but take no action, set to AUDIT. To + * configure automatic security responses to risky traffic to your user pool, set to + * ENFORCED.

    + *

    For more information, see Adding advanced security to a user pool.

    */ UserPoolAddOns?: UserPoolAddOnsType; @@ -790,7 +998,7 @@ export interface UpdateUserPoolClientRequest { *

    For example, when you set IdTokenValidity as 10 and * TokenValidityUnits as hours, your user can authenticate their * session with their ID token for 10 hours.

    - *

    The default time unit for AccessTokenValidity in an API request is hours. + *

    The default time unit for IdTokenValidity in an API request is hours. * Valid range is displayed below in seconds.

    *

    If you don't specify otherwise in the configuration of your app client, your ID * tokens are valid for one hour.

    @@ -799,8 +1007,9 @@ export interface UpdateUserPoolClientRequest { /** * @public - *

    The units in which the validity times are represented. The default unit for - * RefreshToken is days, and the default for ID and access tokens is hours.

    + *

    The time units you use when you set the duration of ID, access, and refresh tokens. + * The default unit for RefreshToken is days, and the default for ID and access tokens is + * hours.

    */ TokenValidityUnits?: TokenValidityUnitsType; @@ -864,8 +1073,9 @@ export interface UpdateUserPoolClientRequest { /** * @public *

    A list of provider names for the IdPs that this client supports. The following are - * supported: COGNITO, Facebook, Google, SignInWithApple, - * LoginWithAmazon, and the names of your own SAML and OIDC providers.

    + * supported: COGNITO, Facebook, Google, + * SignInWithApple, LoginWithAmazon, and the names of your + * own SAML and OIDC providers.

    */ SupportedIdentityProviders?: string[]; @@ -957,8 +1167,33 @@ export interface UpdateUserPoolClientRequest { /** * @public - *

    Set to true if the client is allowed to follow the OAuth protocol when interacting - * with Amazon Cognito user pools.

    + *

    Set to true to use OAuth 2.0 features in your user pool app client.

    + *

    + * AllowedOAuthFlowsUserPoolClient must be true before you can configure + * the following features in your app client.

    + *
      + *
    • + *

      + * CallBackURLs: Callback URLs.

      + *
      • + *
    • + *

      + * LogoutURLs: Sign-out redirect URLs.

      + *
      • + *
    • + *

      + * AllowedOAuthScopes: OAuth 2.0 scopes.

      + *
      • + *
    • + *

      + * AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

      + *
      • + *
    + *

    To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set + * AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or + * UpdateUserPoolClient API request. If you don't set a value for + * AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults + * to false.

    */ AllowedOAuthFlowsUserPoolClient?: boolean; @@ -1012,7 +1247,7 @@ export interface UpdateUserPoolClientRequest { * propagation of user context data, see Adding advanced security to a user pool. If you don’t include this * parameter, you can't send device fingerprint information, including source IP address, * to Amazon Cognito advanced security. You can only activate - * EnablePropagateAdditionalUserContextData in an app client that has a + * EnablePropagateAdditionalUserContextData in an app client that has a * client secret.

    */ EnablePropagateAdditionalUserContextData?: boolean; @@ -1199,6 +1434,46 @@ export interface VerifyUserAttributeRequest { */ export interface VerifyUserAttributeResponse {} +/** + * @internal + */ +export const SetRiskConfigurationResponseFilterSensitiveLog = (obj: SetRiskConfigurationResponse): any => ({ + ...obj, + ...(obj.RiskConfiguration && { RiskConfiguration: RiskConfigurationTypeFilterSensitiveLog(obj.RiskConfiguration) }), +}); + +/** + * @internal + */ +export const SetUICustomizationRequestFilterSensitiveLog = (obj: SetUICustomizationRequest): any => ({ + ...obj, + ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), +}); + +/** + * @internal + */ +export const SetUICustomizationResponseFilterSensitiveLog = (obj: SetUICustomizationResponse): any => ({ + ...obj, + ...(obj.UICustomization && { UICustomization: UICustomizationTypeFilterSensitiveLog(obj.UICustomization) }), +}); + +/** + * @internal + */ +export const SetUserMFAPreferenceRequestFilterSensitiveLog = (obj: SetUserMFAPreferenceRequest): any => ({ + ...obj, + ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), +}); + +/** + * @internal + */ +export const SetUserSettingsRequestFilterSensitiveLog = (obj: SetUserSettingsRequest): any => ({ + ...obj, + ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), +}); + /** * @internal */ @@ -1214,7 +1489,6 @@ export const SignUpRequestFilterSensitiveLog = (obj: SignUpRequest): any => ({ ...(obj.ValidationData && { ValidationData: obj.ValidationData.map((item) => AttributeTypeFilterSensitiveLog(item)), }), - ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), }); /** @@ -1267,16 +1541,6 @@ export const UpdateUserPoolClientResponseFilterSensitiveLog = (obj: UpdateUserPo export const VerifySoftwareTokenRequestFilterSensitiveLog = (obj: VerifySoftwareTokenRequest): any => ({ ...obj, ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }), - ...(obj.Session && { Session: SENSITIVE_STRING }), - ...(obj.UserCode && { UserCode: SENSITIVE_STRING }), -}); - -/** - * @internal - */ -export const VerifySoftwareTokenResponseFilterSensitiveLog = (obj: VerifySoftwareTokenResponse): any => ({ - ...obj, - ...(obj.Session && { Session: SENSITIVE_STRING }), }); /** diff --git a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts index ded721fd4aa1..87f222c70db4 100644 --- a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts +++ b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts @@ -189,6 +189,10 @@ import { GetIdentityProviderByIdentifierCommandInput, GetIdentityProviderByIdentifierCommandOutput, } from "../commands/GetIdentityProviderByIdentifierCommand"; +import { + GetLogDeliveryConfigurationCommandInput, + GetLogDeliveryConfigurationCommandOutput, +} from "../commands/GetLogDeliveryConfigurationCommand"; import { GetSigningCertificateCommandInput, GetSigningCertificateCommandOutput, @@ -236,6 +240,10 @@ import { RespondToAuthChallengeCommandOutput, } from "../commands/RespondToAuthChallengeCommand"; import { RevokeTokenCommandInput, RevokeTokenCommandOutput } from "../commands/RevokeTokenCommand"; +import { + SetLogDeliveryConfigurationCommandInput, + SetLogDeliveryConfigurationCommandOutput, +} from "../commands/SetLogDeliveryConfigurationCommand"; import { SetRiskConfigurationCommandInput, SetRiskConfigurationCommandOutput, @@ -338,6 +346,7 @@ import { AttributeType, AuthEventType, ChangePasswordRequest, + CloudWatchLogsConfigurationType, CodeDeliveryFailureException, CodeMismatchException, CompromisedCredentialsActionsType, @@ -402,6 +411,7 @@ import { GetGroupResponse, GetIdentityProviderByIdentifierRequest, GetIdentityProviderByIdentifierResponse, + GetLogDeliveryConfigurationRequest, GetSigningCertificateRequest, GetUICustomizationRequest, GetUICustomizationResponse, @@ -442,6 +452,7 @@ import { ListUsersInGroupResponse, ListUsersRequest, ListUsersResponse, + LogConfigurationType, MessageTemplateType, MFAMethodNotFoundException, MFAOptionType, @@ -465,13 +476,8 @@ import { RiskExceptionConfigurationType, SchemaAttributeType, ScopeDoesNotExistException, + SetLogDeliveryConfigurationRequest, SetRiskConfigurationRequest, - SetRiskConfigurationResponse, - SetUICustomizationRequest, - SetUICustomizationResponse, - SetUserMFAPreferenceRequest, - SetUserPoolMfaConfigRequest, - SetUserSettingsRequest, SmsConfigurationType, SmsMfaConfigType, SMSMfaSettingsType, @@ -512,6 +518,12 @@ import { } from "../models/models_0"; import { EnableSoftwareTokenMFAException, + SetRiskConfigurationResponse, + SetUICustomizationRequest, + SetUICustomizationResponse, + SetUserMFAPreferenceRequest, + SetUserPoolMfaConfigRequest, + SetUserSettingsRequest, SignUpRequest, StartUserImportJobRequest, StartUserImportJobResponse, @@ -1315,6 +1327,19 @@ export const se_GetIdentityProviderByIdentifierCommand = async ( return buildHttpRpcRequest(context, headers, "/", undefined, body); }; +/** + * serializeAws_json1_1GetLogDeliveryConfigurationCommand + */ +export const se_GetLogDeliveryConfigurationCommand = async ( + input: GetLogDeliveryConfigurationCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = sharedHeaders("GetLogDeliveryConfiguration"); + let body: any; + body = JSON.stringify(_json(input)); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + /** * serializeAws_json1_1GetSigningCertificateCommand */ @@ -1575,6 +1600,19 @@ export const se_RevokeTokenCommand = async ( return buildHttpRpcRequest(context, headers, "/", undefined, body); }; +/** + * serializeAws_json1_1SetLogDeliveryConfigurationCommand + */ +export const se_SetLogDeliveryConfigurationCommand = async ( + input: SetLogDeliveryConfigurationCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = sharedHeaders("SetLogDeliveryConfiguration"); + let body: any; + body = JSON.stringify(_json(input)); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + /** * serializeAws_json1_1SetRiskConfigurationCommand */ @@ -5802,6 +5840,64 @@ const de_GetIdentityProviderByIdentifierCommandError = async ( } }; +/** + * deserializeAws_json1_1GetLogDeliveryConfigurationCommand + */ +export const de_GetLogDeliveryConfigurationCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_GetLogDeliveryConfigurationCommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = _json(data); + const response: GetLogDeliveryConfigurationCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + +/** + * deserializeAws_json1_1GetLogDeliveryConfigurationCommandError + */ +const de_GetLogDeliveryConfigurationCommandError = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + const parsedOutput: any = { + ...output, + body: await parseErrorBody(output.body, context), + }; + const errorCode = loadRestJsonErrorCode(output, parsedOutput.body); + switch (errorCode) { + case "InternalErrorException": + case "com.amazonaws.cognitoidentityprovider#InternalErrorException": + throw await de_InternalErrorExceptionRes(parsedOutput, context); + case "InvalidParameterException": + case "com.amazonaws.cognitoidentityprovider#InvalidParameterException": + throw await de_InvalidParameterExceptionRes(parsedOutput, context); + case "NotAuthorizedException": + case "com.amazonaws.cognitoidentityprovider#NotAuthorizedException": + throw await de_NotAuthorizedExceptionRes(parsedOutput, context); + case "ResourceNotFoundException": + case "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException": + throw await de_ResourceNotFoundExceptionRes(parsedOutput, context); + case "TooManyRequestsException": + case "com.amazonaws.cognitoidentityprovider#TooManyRequestsException": + throw await de_TooManyRequestsExceptionRes(parsedOutput, context); + default: + const parsedBody = parsedOutput.body; + return throwDefaultError({ + output, + parsedBody, + errorCode, + }); + } +}; + /** * deserializeAws_json1_1GetSigningCertificateCommand */ @@ -7139,6 +7235,64 @@ const de_RevokeTokenCommandError = async ( } }; +/** + * deserializeAws_json1_1SetLogDeliveryConfigurationCommand + */ +export const de_SetLogDeliveryConfigurationCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_SetLogDeliveryConfigurationCommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = _json(data); + const response: SetLogDeliveryConfigurationCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + +/** + * deserializeAws_json1_1SetLogDeliveryConfigurationCommandError + */ +const de_SetLogDeliveryConfigurationCommandError = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + const parsedOutput: any = { + ...output, + body: await parseErrorBody(output.body, context), + }; + const errorCode = loadRestJsonErrorCode(output, parsedOutput.body); + switch (errorCode) { + case "InternalErrorException": + case "com.amazonaws.cognitoidentityprovider#InternalErrorException": + throw await de_InternalErrorExceptionRes(parsedOutput, context); + case "InvalidParameterException": + case "com.amazonaws.cognitoidentityprovider#InvalidParameterException": + throw await de_InvalidParameterExceptionRes(parsedOutput, context); + case "NotAuthorizedException": + case "com.amazonaws.cognitoidentityprovider#NotAuthorizedException": + throw await de_NotAuthorizedExceptionRes(parsedOutput, context); + case "ResourceNotFoundException": + case "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException": + throw await de_ResourceNotFoundExceptionRes(parsedOutput, context); + case "TooManyRequestsException": + case "com.amazonaws.cognitoidentityprovider#TooManyRequestsException": + throw await de_TooManyRequestsExceptionRes(parsedOutput, context); + default: + const parsedBody = parsedOutput.body; + return throwDefaultError({ + output, + parsedBody, + errorCode, + }); + } +}; + /** * deserializeAws_json1_1SetRiskConfigurationCommand */ @@ -9316,6 +9470,8 @@ const de_UserPoolTaggingExceptionRes = async ( // se_ClientPermissionListType omitted. +// se_CloudWatchLogsConfigurationType omitted. + // se_CompromisedCredentialsActionsType omitted. // se_CompromisedCredentialsRiskConfigurationType omitted. @@ -9404,6 +9560,8 @@ const de_UserPoolTaggingExceptionRes = async ( // se_GetIdentityProviderByIdentifierRequest omitted. +// se_GetLogDeliveryConfigurationRequest omitted. + // se_GetSigningCertificateRequest omitted. // se_GetUICustomizationRequest omitted. @@ -9446,6 +9604,10 @@ const de_UserPoolTaggingExceptionRes = async ( // se_ListUsersRequest omitted. +// se_LogConfigurationListType omitted. + +// se_LogConfigurationType omitted. + // se_LogoutURLsListType omitted. // se_MessageTemplateType omitted. @@ -9492,6 +9654,8 @@ const de_UserPoolTaggingExceptionRes = async ( // se_SearchedAttributeNamesListType omitted. +// se_SetLogDeliveryConfigurationRequest omitted. + // se_SetRiskConfigurationRequest omitted. /** @@ -9751,6 +9915,8 @@ const de_AuthEventType = (output: any, context: __SerdeContext): AuthEventType = // de_ClientPermissionListType omitted. +// de_CloudWatchLogsConfigurationType omitted. + // de_CodeDeliveryDetailsListType omitted. // de_CodeDeliveryDetailsType omitted. @@ -9977,6 +10143,8 @@ const de_GetIdentityProviderByIdentifierResponse = ( }) as any; }; +// de_GetLogDeliveryConfigurationResponse omitted. + // de_GetSigningCertificateResponse omitted. /** @@ -10145,6 +10313,12 @@ const de_ListUsersResponse = (output: any, context: __SerdeContext): ListUsersRe }) as any; }; +// de_LogConfigurationListType omitted. + +// de_LogConfigurationType omitted. + +// de_LogDeliveryConfigurationType omitted. + // de_LogoutURLsListType omitted. // de_MessageTemplateType omitted. @@ -10243,6 +10417,8 @@ const de_RiskConfigurationType = (output: any, context: __SerdeContext): RiskCon // de_ScopeListType omitted. +// de_SetLogDeliveryConfigurationResponse omitted. + /** * deserializeAws_json1_1SetRiskConfigurationResponse */ diff --git a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json index cda58c0d262b..34c2bd8c30c2 100644 --- a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json +++ b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json @@ -30,7 +30,14 @@ }, "shapes": { "com.amazonaws.cognitoidentityprovider#AWSAccountIdType": { - "type": "string" + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 12 + }, + "smithy.api#pattern": "^[0-9]+$" + } }, "com.amazonaws.cognitoidentityprovider#AWSCognitoIdentityProviderService": { "type": "service", @@ -216,6 +223,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#GetIdentityProviderByIdentifier" }, + { + "target": "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfiguration" + }, { "target": "com.amazonaws.cognitoidentityprovider#GetSigningCertificate" }, @@ -276,6 +286,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#RevokeToken" }, + { + "target": "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfiguration" + }, { "target": "com.amazonaws.cognitoidentityprovider#SetRiskConfiguration" }, @@ -352,7 +365,7 @@ "name": "cognito-idp" }, "aws.protocols#awsJson1_1": {}, - "smithy.api#documentation": "

    Using the Amazon Cognito user pools API, you can create a user pool to manage directories and\n users. You can authenticate a user to obtain tokens related to user identity and access\n policies.

    \n

    This API reference provides information about user pools in Amazon Cognito user pools.

    \n

    For more information, see the Amazon Cognito\n Documentation.

    ", + "smithy.api#documentation": "

    With the Amazon Cognito user pools API, you can set up user pools and app clients, and\n authenticate users. To authenticate users from third-party identity providers (IdPs) in\n this API, you can link IdP users to native user profiles. Learn more\n about the authentication and authorization of federated users in the Using the Amazon Cognito user pools API and user pool endpoints.

    \n

    This API reference provides detailed information about API operations and object types\n in Amazon Cognito. At the bottom of the page for each API operation and object, under\n See Also, you can learn how to use it in an Amazon Web Services SDK in the\n language of your choice.

    \n

    Along with resource management operations, the Amazon Cognito user pools API includes classes\n of operations and authorization models for client-side and server-side user operations.\n For more information, see Using the Amazon Cognito native and OIDC APIs in the\n Amazon Cognito Developer Guide.

    \n

    You can also start reading about the CognitoIdentityProvider client in\n the following SDK guides.

    \n \n

    To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services\n SDKs.

    ", "smithy.api#title": "Amazon Cognito Identity Provider", "smithy.api#xmlNamespace": { "uri": "http://cognito-idp.amazonaws.com/doc/2016-04-18/" @@ -1453,7 +1466,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Adds additional user attributes to the user pool schema.

    " + "smithy.api#documentation": "

    Adds additional user attributes to the user pool schema.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AddCustomAttributesRequest": { @@ -1516,7 +1529,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Adds the specified user to the specified group.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Adds the specified user to the specified group.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminAddUserToGroupRequest": { @@ -1592,7 +1605,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Confirms user registration as an admin without using a confirmation code. Works on any\n user.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Confirms user registration as an admin without using a confirmation code. Works on any\n user.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminConfirmSignUpRequest": { @@ -1620,7 +1633,7 @@ } }, "traits": { - "smithy.api#documentation": "

    Represents the request to confirm user registration.

    ", + "smithy.api#documentation": "

    Confirm a user's registration as a user pool administrator.

    ", "smithy.api#input": {} } }, @@ -1691,7 +1704,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates a new user in the specified user pool.

    \n

    If MessageAction isn't set, the default is to send a welcome message via\n email or phone (SMS).

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    This message is based on a template that you configured in your call to create or\n update a user pool. This template includes your custom sign-up instructions and\n placeholders for user name and temporary password.

    \n

    Alternatively, you can call AdminCreateUser with SUPPRESS\n for the MessageAction parameter, and Amazon Cognito won't send any email.

    \n

    In either case, the user will be in the FORCE_CHANGE_PASSWORD state until\n they sign in and change their password.

    \n

    \n AdminCreateUser requires developer credentials.

    " + "smithy.api#documentation": "

    Creates a new user in the specified user pool.

    \n

    If MessageAction isn't set, the default is to send a welcome message via\n email or phone (SMS).

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    This message is based on a template that you configured in your call to create or\n update a user pool. This template includes your custom sign-up instructions and\n placeholders for user name and temporary password.

    \n

    Alternatively, you can call AdminCreateUser with SUPPRESS\n for the MessageAction parameter, and Amazon Cognito won't send any email.

    \n

    In either case, the user will be in the FORCE_CHANGE_PASSWORD state until\n they sign in and change their password.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminCreateUserConfigType": { @@ -1754,7 +1767,7 @@ "TemporaryPassword": { "target": "com.amazonaws.cognitoidentityprovider#PasswordType", "traits": { - "smithy.api#documentation": "

    The user's temporary password. This password must conform to the password policy that\n you specified when you created the user pool.

    \n

    The temporary password is valid only once. To complete the Admin Create User flow, the\n user must enter the temporary password in the sign-in page, along with a new password to\n be used in all future sign-ins.

    \n

    This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for\n you.

    \n

    The temporary password can only be used until the user account expiration limit that\n you specified when you created the user pool. To reset the account after that time\n limit, you must call AdminCreateUser again, specifying\n \"RESEND\" for the MessageAction parameter.

    " + "smithy.api#documentation": "

    The user's temporary password. This password must conform to the password policy that\n you specified when you created the user pool.

    \n

    The temporary password is valid only once. To complete the Admin Create User flow, the\n user must enter the temporary password in the sign-in page, along with a new password to\n be used in all future sign-ins.

    \n

    This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for\n you.

    \n

    The temporary password can only be used until the user account expiration limit that\n you set for your user pool. To reset the account after that time limit, you must call\n AdminCreateUser again and specify RESEND for the\n MessageAction parameter.

    " } }, "ForceAliasCreation": { @@ -1842,7 +1855,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Deletes a user as an administrator. Works on any user.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Deletes a user as an administrator. Works on any user.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminDeleteUserAttributes": { @@ -1874,7 +1887,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Deletes the user attributes in a user pool as an administrator. Works on any\n user.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Deletes the user attributes in a user pool as an administrator. Works on any\n user.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminDeleteUserAttributesRequest": { @@ -1970,7 +1983,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Prevents the user from signing in with the specified external (SAML or social)\n identity provider (IdP). If the user that you want to deactivate is a Amazon Cognito user pools\n native username + password user, they can't use their password to sign in. If the user\n to deactivate is a linked external IdP user, any link between that user and an existing\n user is removed. When the external user signs in again, and the user is no longer\n attached to the previously linked DestinationUser, the user must create a\n new user account. See AdminLinkProviderForUser.

    \n

    This action is enabled only for admin access and requires developer\n credentials.

    \n

    The ProviderName must match the value specified when creating an IdP for\n the pool.

    \n

    To deactivate a native username + password user, the ProviderName value\n must be Cognito and the ProviderAttributeName must be\n Cognito_Subject. The ProviderAttributeValue must be the\n name that is used in the user pool for the user.

    \n

    The ProviderAttributeName must always be Cognito_Subject for\n social IdPs. The ProviderAttributeValue must always be the exact subject\n that was used when the user was originally linked as a source user.

    \n

    For de-linking a SAML identity, there are two scenarios. If the linked identity has\n not yet been used to sign in, the ProviderAttributeName and\n ProviderAttributeValue must be the same values that were used for the\n SourceUser when the identities were originally linked using \n AdminLinkProviderForUser call. (If the linking was done with\n ProviderAttributeName set to Cognito_Subject, the same\n applies here). However, if the user has already signed in, the\n ProviderAttributeName must be Cognito_Subject and\n ProviderAttributeValue must be the subject of the SAML\n assertion.

    " + "smithy.api#documentation": "

    Prevents the user from signing in with the specified external (SAML or social)\n identity provider (IdP). If the user that you want to deactivate is a Amazon Cognito user pools\n native username + password user, they can't use their password to sign in. If the user\n to deactivate is a linked external IdP user, any link between that user and an existing\n user is removed. When the external user signs in again, and the user is no longer\n attached to the previously linked DestinationUser, the user must create a\n new user account. See AdminLinkProviderForUser.

    \n

    The ProviderName must match the value specified when creating an IdP for\n the pool.

    \n

    To deactivate a native username + password user, the ProviderName value\n must be Cognito and the ProviderAttributeName must be\n Cognito_Subject. The ProviderAttributeValue must be the\n name that is used in the user pool for the user.

    \n

    The ProviderAttributeName must always be Cognito_Subject for\n social IdPs. The ProviderAttributeValue must always be the exact subject\n that was used when the user was originally linked as a source user.

    \n

    For de-linking a SAML identity, there are two scenarios. If the linked identity has\n not yet been used to sign in, the ProviderAttributeName and\n ProviderAttributeValue must be the same values that were used for the\n SourceUser when the identities were originally linked using \n AdminLinkProviderForUser call. (If the linking was done with\n ProviderAttributeName set to Cognito_Subject, the same\n applies here). However, if the user has already signed in, the\n ProviderAttributeName must be Cognito_Subject and\n ProviderAttributeValue must be the subject of the SAML\n assertion.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminDisableProviderForUserRequest": { @@ -2031,7 +2044,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, \n but still appears in the responses to GetUser and ListUsers API requests.

    \n

    You must make this API request with Amazon Web Services credentials that have cognito-idp:AdminDisableUser permissions.

    " + "smithy.api#documentation": "

    Deactivates a user and revokes all access tokens for the user. A deactivated user\n can't sign in, but still appears in the responses to GetUser and\n ListUsers API requests.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminDisableUserRequest": { @@ -2094,7 +2107,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Enables the specified user as an administrator. Works on any user.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Enables the specified user as an administrator. Works on any user.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminEnableUserRequest": { @@ -2160,7 +2173,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Forgets the device, as an administrator.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Forgets the device, as an administrator.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminForgetDeviceRequest": { @@ -2222,7 +2235,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Gets the device, as an administrator.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Gets the device, as an administrator.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminGetDeviceRequest": { @@ -2300,7 +2313,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Gets the specified user by user name in a user pool as an administrator. Works on any\n user.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Gets the specified user by user name in a user pool as an administrator. Works on any\n user.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminGetUserRequest": { @@ -2332,7 +2345,7 @@ "Username": { "target": "com.amazonaws.cognitoidentityprovider#UsernameType", "traits": { - "smithy.api#documentation": "

    The user name of the user about whom you're receiving information.

    ", + "smithy.api#documentation": "

    The username of the user that you requested.

    ", "smithy.api#required": {} } }, @@ -2351,7 +2364,7 @@ "UserLastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user was last modified.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "Enabled": { @@ -2364,7 +2377,7 @@ "UserStatus": { "target": "com.amazonaws.cognitoidentityprovider#UserStatusType", "traits": { - "smithy.api#documentation": "

    The user status. Can be one of the following:

    \n
      \n
    • \n

      UNCONFIRMED - User has been created but not confirmed.

      \n
      • \n
    • \n

      CONFIRMED - User has been confirmed.

      \n
      • \n
    • \n

      ARCHIVED - User is no longer active.

      \n
      • \n
    • \n

      UNKNOWN - User status isn't known.

      \n
      • \n
    • \n

      RESET_REQUIRED - User is confirmed, but the user must request a code and reset\n their password before they can sign in.

      \n
      • \n
    • \n

      FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a\n temporary password, but on first sign-in, the user must change their password to\n a new value before doing anything else.

      \n
      • \n
    " + "smithy.api#documentation": "

    The user status. Can be one of the following:

    \n
      \n
    • \n

      UNCONFIRMED - User has been created but not confirmed.

      \n
      • \n
    • \n

      CONFIRMED - User has been confirmed.

      \n
      • \n
    • \n

      UNKNOWN - User status isn't known.

      \n
      • \n
    • \n

      RESET_REQUIRED - User is confirmed, but the user must request a code and reset\n their password before they can sign in.

      \n
      • \n
    • \n

      FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a\n temporary password, but on first sign-in, the user must change their password to\n a new value before doing anything else.

      \n
      • \n
    " } }, "MFAOptions": { @@ -2447,7 +2460,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Initiates the authentication flow, as an administrator.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Initiates the authentication flow, as an administrator.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminInitiateAuthRequest": { @@ -2477,7 +2490,7 @@ "AuthParameters": { "target": "com.amazonaws.cognitoidentityprovider#AuthParametersType", "traits": { - "smithy.api#documentation": "

    The authentication parameters. These are inputs corresponding to the\n AuthFlow that you're invoking. The required values depend on the value\n of AuthFlow:

    \n
      \n
    • \n

      For USER_SRP_AUTH: USERNAME (required),\n SRP_A (required), SECRET_HASH (required if the app\n client is configured with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN\n (required), SECRET_HASH (required if the app client is configured\n with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For ADMIN_NO_SRP_AUTH: USERNAME (required),\n SECRET_HASH (if app client is configured with client secret),\n PASSWORD (required), DEVICE_KEY.

      \n
      • \n
    • \n

      For CUSTOM_AUTH: USERNAME (required),\n SECRET_HASH (if app client is configured with client secret),\n DEVICE_KEY. To start the authentication flow with password\n verification, include ChallengeName: SRP_A and SRP_A: (The\n SRP_A Value).

      \n
      • \n
    " + "smithy.api#documentation": "

    The authentication parameters. These are inputs corresponding to the\n AuthFlow that you're invoking. The required values depend on the value\n of AuthFlow:

    \n
      \n
    • \n

      For USER_SRP_AUTH: USERNAME (required),\n SRP_A (required), SECRET_HASH (required if the app\n client is configured with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For ADMIN_USER_PASSWORD_AUTH: USERNAME (required),\n PASSWORD (required), SECRET_HASH (required if the\n app client is configured with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN\n (required), SECRET_HASH (required if the app client is configured\n with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For CUSTOM_AUTH: USERNAME (required),\n SECRET_HASH (if app client is configured with client secret),\n DEVICE_KEY. To start the authentication flow with password\n verification, include ChallengeName: SRP_A and SRP_A: (The\n SRP_A Value).

      \n
      • \n
    \n

    For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

    " } }, "ClientMetadata": { @@ -2572,7 +2585,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Links an existing user account in a user pool (DestinationUser) to an\n identity from an external IdP (SourceUser) based on a specified attribute\n name and value from the external IdP. This allows you to create a link from the existing\n user account to an external federated user identity that has not yet been used to sign\n in. You can then use the federated user identity to sign in as the existing user\n account.

    \n

    For example, if there is an existing user with a username and password, this API\n links that user to a federated user identity. When the user signs in with a federated\n user identity, they sign in as the existing user account.

    \n \n

    The maximum number of federated identities linked to a user is five.

    \n     \n \n

    Because this API allows a user with an external federated identity to sign in as\n an existing user in the user pool, it is critical that it only be used with external\n IdPs and provider attributes that have been trusted by the application owner.

    \n     \n

    This action is administrative and requires developer credentials.

    " + "smithy.api#documentation": "

    Links an existing user account in a user pool (DestinationUser) to an\n identity from an external IdP (SourceUser) based on a specified attribute\n name and value from the external IdP. This allows you to create a link from the existing\n user account to an external federated user identity that has not yet been used to sign\n in. You can then use the federated user identity to sign in as the existing user\n account.

    \n

    For example, if there is an existing user with a username and password, this API\n links that user to a federated user identity. When the user signs in with a federated\n user identity, they sign in as the existing user account.

    \n \n

    The maximum number of federated identities linked to a user is five.

    \n     \n \n

    Because this API allows a user with an external federated identity to sign in as\n an existing user in the user pool, it is critical that it only be used with external\n IdPs and provider attributes that have been trusted by the application owner.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminLinkProviderForUserRequest": { @@ -2588,14 +2601,14 @@ "DestinationUser": { "target": "com.amazonaws.cognitoidentityprovider#ProviderUserIdentifierType", "traits": { - "smithy.api#documentation": "

    The existing user in the user pool that you want to assign to the external IdP user\n account. This user can be a native (Username + Password) Amazon Cognito user pools user or a\n federated user (for example, a SAML or Facebook user). If the user doesn't exist, Amazon Cognito\n generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP\n attribute) signs in.

    \n

    For a native username + password user, the ProviderAttributeValue for the\n DestinationUser should be the username in the user pool. For a\n federated user, it should be the provider-specific user_id.

    \n

    The ProviderAttributeName of the DestinationUser is\n ignored.

    \n

    The ProviderName should be set to Cognito for users in\n Cognito user pools.

    \n \n

    All attributes in the DestinationUser profile must be mutable. If you have\n assigned the user any immutable custom attributes, the operation won't\n succeed.

    \n     ", + "smithy.api#documentation": "

    The existing user in the user pool that you want to assign to the external IdP user\n account. This user can be a local (Username + Password) Amazon Cognito user pools user or a\n federated user (for example, a SAML or Facebook user). If the user doesn't exist, Amazon Cognito\n generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP\n attribute) signs in.

    \n

    For a native username + password user, the ProviderAttributeValue for the\n DestinationUser should be the username in the user pool. For a\n federated user, it should be the provider-specific user_id.

    \n

    The ProviderAttributeName of the DestinationUser is\n ignored.

    \n

    The ProviderName should be set to Cognito for users in\n Cognito user pools.

    \n \n

    All attributes in the DestinationUser profile must be mutable. If you have\n assigned the user any immutable custom attributes, the operation won't\n succeed.

    \n     ", "smithy.api#required": {} } }, "SourceUser": { "target": "com.amazonaws.cognitoidentityprovider#ProviderUserIdentifierType", "traits": { - "smithy.api#documentation": "

    An external IdP account for a user who doesn't exist yet in the user pool. This user\n must be a federated user (for example, a SAML or Facebook user), not another native\n user.

    \n

    If the SourceUser is using a federated social IdP, such as Facebook,\n Google, or Login with Amazon, you must set the ProviderAttributeName to\n Cognito_Subject. For social IdPs, the ProviderName will be\n Facebook, Google, or LoginWithAmazon, and\n Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for\n id, sub, and user_id, respectively. The\n ProviderAttributeValue for the user must be the same value as the\n id, sub, or user_id value found in the social\n IdP token.

    \n

    \n

    For SAML, the ProviderAttributeName can be any value that matches a claim\n in the SAML assertion. If you want to link SAML users based on the subject of the SAML\n assertion, you should map the subject to a claim through the SAML IdP and submit that\n claim name as the ProviderAttributeName. If you set\n ProviderAttributeName to Cognito_Subject, Amazon Cognito will\n automatically parse the default unique identifier found in the subject from the SAML\n token.

    ", + "smithy.api#documentation": "

    An external IdP account for a user who doesn't exist yet in the user pool. This user\n must be a federated user (for example, a SAML or Facebook user), not another native\n user.

    \n

    If the SourceUser is using a federated social IdP, such as Facebook,\n Google, or Login with Amazon, you must set the ProviderAttributeName to\n Cognito_Subject. For social IdPs, the ProviderName will be\n Facebook, Google, or LoginWithAmazon, and\n Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for\n id, sub, and user_id, respectively. The\n ProviderAttributeValue for the user must be the same value as the\n id, sub, or user_id value found in the social\n IdP token.

    \n

    \n

    For OIDC, the ProviderAttributeName can be any value that matches a claim\n in the ID token, or that your app retrieves from the userInfo endpoint. You\n must map the claim to a user pool attribute in your IdP configuration, and set the user\n pool attribute name as the value of ProviderAttributeName in your\n AdminLinkProviderForUser request.

    \n

    For SAML, the ProviderAttributeName can be any value that matches a claim\n in the SAML assertion. To link SAML users based on the subject of the SAML assertion,\n map the subject to a claim through the SAML IdP and set that claim name as the value of\n ProviderAttributeName in your AdminLinkProviderForUser\n request.

    \n

    For both OIDC and SAML users, when you set ProviderAttributeName to\n Cognito_Subject, Amazon Cognito will automatically parse the default unique\n identifier found in the subject from the IdP token.

    ", "smithy.api#required": {} } } @@ -2640,7 +2653,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists devices, as an administrator.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Lists devices, as an administrator.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminListDevicesRequest": { @@ -2728,7 +2741,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the groups that the user belongs to.

    \n

    Calling this action requires developer credentials.

    ", + "smithy.api#documentation": "

    Lists the groups that the user belongs to.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -2823,7 +2836,7 @@ } ], "traits": { - "smithy.api#documentation": "

    A history of user activity and any risks detected as part of Amazon Cognito advanced\n security.

    ", + "smithy.api#documentation": "

    A history of user activity and any risks detected as part of Amazon Cognito advanced\n security.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -2915,7 +2928,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Removes the specified user from the specified group.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Removes the specified user from the specified group.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminRemoveUserFromGroupRequest": { @@ -2997,7 +3010,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Resets the specified user's password in a user pool as an administrator. Works on any\n user.

    \n

    When a developer calls this API, the current password is invalidated, so it must be\n changed. If a user tries to sign in after the API is called, the app will get a\n PasswordResetRequiredException exception back and should direct the user down the flow\n to reset the password, which is the same as the forgot password flow. In addition, if\n the user pool has phone verification selected and a verified phone number exists for the\n user, or if email verification is selected and a verified email exists for the user,\n calling this API will also result in sending a message to the end user with the code to\n change their password.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Resets the specified user's password in a user pool as an administrator. Works on any\n user.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Deactivates a user's password, requiring them to change it. If a user tries to sign in\n after the API is called, Amazon Cognito responds with a\n PasswordResetRequiredException error. Your app must then perform the\n actions that reset your user's password: the forgot-password flow. In addition, if the\n user pool has phone verification selected and a verified phone number exists for the\n user, or if email verification is selected and a verified email exists for the user,\n calling this API will also result in sending a message to the end user with the code to\n change their password.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminResetUserPasswordRequest": { @@ -3108,7 +3121,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Responds to an authentication challenge, as an administrator.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Responds to an authentication challenge, as an administrator.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminRespondToAuthChallengeRequest": { @@ -3138,7 +3151,7 @@ "ChallengeResponses": { "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType", "traits": { - "smithy.api#documentation": "

    The challenge responses. These are inputs corresponding to the value of\n ChallengeName, for example:

    \n
      \n
    • \n

      \n SMS_MFA: SMS_MFA_CODE, USERNAME,\n SECRET_HASH (if app client is configured with client\n secret).

      \n
      • \n
    • \n

      \n PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP,\n USERNAME, SECRET_HASH (if app client is configured\n with client secret).

      \n \n

      \n PASSWORD_VERIFIER requires DEVICE_KEY when\n signing in with a remembered device.

      \n       \n
      • \n
    • \n

      \n ADMIN_NO_SRP_AUTH: PASSWORD, USERNAME,\n SECRET_HASH (if app client is configured with client secret).\n

      \n
      • \n
    • \n

      \n NEW_PASSWORD_REQUIRED: NEW_PASSWORD,\n USERNAME, SECRET_HASH (if app client is configured\n with client secret). To set any required attributes that Amazon Cognito returned as\n requiredAttributes in the AdminInitiateAuth\n response, add a userAttributes.attributename\n \n parameter. This parameter can also set values for writable attributes that\n aren't required by your user pool.

      \n \n

      In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.

      \n       \n
      • \n
    • \n

      \n MFA_SETUP requires USERNAME, plus you must use the\n session value returned by VerifySoftwareToken in the\n Session parameter.

      \n
      • \n
    \n

    The value of the USERNAME attribute must be the user's actual username,\n not an alias (such as an email address or phone number). To make this simpler, the\n AdminInitiateAuth response includes the actual username value in the\n USERNAMEUSER_ID_FOR_SRP attribute. This happens even if you specified\n an alias in your call to AdminInitiateAuth.

    " + "smithy.api#documentation": "

    The challenge responses. These are inputs corresponding to the value of\n ChallengeName, for example:

    \n
      \n
    • \n

      \n SMS_MFA: SMS_MFA_CODE, USERNAME,\n SECRET_HASH (if app client is configured with client\n secret).

      \n
      • \n
    • \n

      \n PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP,\n USERNAME, SECRET_HASH (if app client is configured\n with client secret).

      \n \n

      \n PASSWORD_VERIFIER requires DEVICE_KEY when\n signing in with a remembered device.

      \n       \n
      • \n
    • \n

      \n ADMIN_NO_SRP_AUTH: PASSWORD, USERNAME,\n SECRET_HASH (if app client is configured with client secret).\n

      \n
      • \n
    • \n

      \n NEW_PASSWORD_REQUIRED: NEW_PASSWORD,\n USERNAME, SECRET_HASH (if app client is configured\n with client secret). To set any required attributes that Amazon Cognito returned as\n requiredAttributes in the AdminInitiateAuth\n response, add a userAttributes.attributename\n \n parameter. This parameter can also set values for writable attributes that\n aren't required by your user pool.

      \n \n

      In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.

      \n       \n
      • \n
    • \n

      \n MFA_SETUP requires USERNAME, plus you must use the\n session value returned by VerifySoftwareToken in the\n Session parameter.

      \n
      • \n
    \n

    The value of the USERNAME attribute must be the user's actual username,\n not an alias (such as an email address or phone number). To make this simpler, the\n AdminInitiateAuth response includes the actual username value in the\n USERNAMEUSER_ID_FOR_SRP attribute. This happens even if you specified\n an alias in your call to AdminInitiateAuth.

    \n

    For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

    " } }, "Session": { @@ -3236,7 +3249,7 @@ } ], "traits": { - "smithy.api#documentation": "

    The user's multi-factor authentication (MFA) preference, including which MFA options\n are activated, and if any are preferred. Only one factor can be set as preferred. The\n preferred MFA factor will be used to authenticate a user if multiple factors are\n activated. If multiple options are activated and no preference is set, a challenge to\n choose an MFA option will be returned during sign-in.

    " + "smithy.api#documentation": "

    The user's multi-factor authentication (MFA) preference, including which MFA options\n are activated, and if any are preferred. Only one factor can be set as preferred. The\n preferred MFA factor will be used to authenticate a user if multiple factors are\n activated. If multiple options are activated and no preference is set, a challenge to\n choose an MFA option will be returned during sign-in.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminSetUserMFAPreferenceRequest": { @@ -3312,7 +3325,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Sets the specified user's password in a user pool as an administrator. Works on any\n user.

    \n

    The password can be temporary or permanent. If it is temporary, the user status enters\n the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the\n InitiateAuth/AdminInitiateAuth response will contain the\n NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it\n expires, the user won't be able to sign in, and an administrator must reset their\n password.

    \n

    Once the user has set a new password, or the password is permanent, the user status is\n set to Confirmed.

    " + "smithy.api#documentation": "

    Sets the specified user's password in a user pool as an administrator. Works on any\n user.

    \n

    The password can be temporary or permanent. If it is temporary, the user status enters\n the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the\n InitiateAuth/AdminInitiateAuth response will contain the\n NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it\n expires, the user won't be able to sign in, and an administrator must reset their\n password.

    \n

    Once the user has set a new password, or the password is permanent, the user status is\n set to Confirmed.

    \n

    \n AdminSetUserPassword can set a password for the user profile that Amazon Cognito\n creates for third-party federated users. When you set a password, the federated user's\n status changes from EXTERNAL_PROVIDER to CONFIRMED. A user in\n this state can sign in as a federated user, and initiate authentication flows in the API\n like a linked native user. They can also modify their password and attributes in\n token-authenticated API requests like ChangePassword and\n UpdateUserAttributes. As a best security practice and to keep users in\n sync with your external IdP, don't set passwords on federated user profiles. To set up a\n federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user\n profile.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminSetUserPasswordRequest": { @@ -3384,7 +3397,7 @@ } ], "traits": { - "smithy.api#documentation": "

    \n This action is no longer supported. You can use it to configure\n only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software\n token MFA. To configure either type of MFA, use AdminSetUserMFAPreference instead.

    " + "smithy.api#documentation": "

    \n This action is no longer supported. You can use it to configure\n only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software\n token MFA. To configure either type of MFA, use AdminSetUserMFAPreference instead.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminSetUserSettingsRequest": { @@ -3457,7 +3470,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Provides feedback for an authentication event indicating if it was from a valid user.\n This feedback is used for improving the risk evaluation decision for the user pool as\n part of Amazon Cognito advanced security.

    " + "smithy.api#documentation": "

    Provides feedback for an authentication event indicating if it was from a valid user.\n This feedback is used for improving the risk evaluation decision for the user pool as\n part of Amazon Cognito advanced security.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminUpdateAuthEventFeedbackRequest": { @@ -3487,7 +3500,7 @@ "FeedbackValue": { "target": "com.amazonaws.cognitoidentityprovider#FeedbackValueType", "traits": { - "smithy.api#documentation": "

    The authentication event feedback value.

    ", + "smithy.api#documentation": "

    The authentication event feedback value. When you provide a FeedbackValue\n value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito\n has evaluated some level of risk. When you provide a FeedbackValue value of\n invalid, you tell Amazon Cognito that you don't trust a user session, or you \n don't believe that Amazon Cognito evaluated a high-enough risk level.

    ", "smithy.api#required": {} } } @@ -3535,7 +3548,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the device status as an administrator.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Updates the device status as an administrator.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminUpdateDeviceStatusRequest": { @@ -3632,7 +3645,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the specified user's attributes, including developer attributes, as an\n administrator. Works on any user.

    \n

    For custom attributes, you must prepend the custom: prefix to the\n attribute name.

    \n

    In addition to updating user attributes, this API can also be used to mark phone and\n email as verified.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "\n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Updates the specified user's attributes, including developer attributes, as an\n administrator. Works on any user.

    \n

    For custom attributes, you must prepend the custom: prefix to the\n attribute name.

    \n

    In addition to updating user attributes, this API can also be used to mark phone and\n email as verified.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminUpdateUserAttributesRequest": { @@ -3708,7 +3721,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Signs out a user from all devices. You must sign AdminUserGlobalSignOut requests\n with Amazon Web Services credentials. It also invalidates all refresh tokens that Amazon Cognito has issued to\n a user. The user's current access and ID tokens remain valid until they expire. By\n default, access and ID tokens expire one hour after they're issued. A user can still use\n a hosted UI cookie to retrieve new tokens for the duration of the cookie validity period\n of 1 hour.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Signs out a user from all devices. AdminUserGlobalSignOut invalidates all\n identity, access and refresh tokens that Amazon Cognito has issued to a user. A user can still\n use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie\n validity period.

    \n

    Your app isn't aware that a user's access token is revoked unless it attempts to\n authorize a user pools API request with an access token that contains the scope\n aws.cognito.signin.user.admin. Your app might otherwise accept access\n tokens until they expire.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#AdminUserGlobalSignOutRequest": { @@ -3800,12 +3813,12 @@ "message": { "target": "com.amazonaws.cognitoidentityprovider#MessageType", "traits": { - "smithy.api#documentation": "

    The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.

    " + "smithy.api#documentation": "

    The message that Amazon Cognito sends to the user when the value of an alias attribute is\n already linked to another user profile.

    " } } }, "traits": { - "smithy.api#documentation": "

    This exception is thrown when a user tries to confirm the account with an email\n address or phone number that has already been supplied as an alias for a different\n user profile. This exception indicates that an account with this email address or phone\n already exists in a user pool that you've configured to use email address or phone\n number as a sign-in alias.

    ", + "smithy.api#documentation": "

    This exception is thrown when a user tries to confirm the account with an email\n address or phone number that has already been supplied as an alias for a different user\n profile. This exception indicates that an account with this email address or phone\n already exists in a user pool that you've configured to use email address or phone\n number as a sign-in alias.

    ", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -3846,7 +3859,7 @@ } }, "traits": { - "smithy.api#documentation": "

    The Amazon Pinpoint analytics configuration necessary to collect metrics for a user\n pool.

    \n \n

    In Regions where Amazon Pinpointisn't available, user pools only support sending events to\n Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools\n support sending events to Amazon Pinpoint projects within that same Region.

    \n     " + "smithy.api#documentation": "

    The Amazon Pinpoint analytics configuration necessary to collect metrics for a user\n pool.

    \n \n

    In Regions where Amazon Pinpoint isn't available, user pools only support sending\n events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user\n pools support sending events to Amazon Pinpoint projects within that same Region.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#AnalyticsMetadataType": { @@ -3905,7 +3918,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA)\n for a user, with a unique private key that Amazon Cognito generates and returns in the API\n response. You can authorize an AssociateSoftwareToken request with either\n the user's access token, or a session string from a challenge response that you received\n from Amazon Cognito.

    \n \n

    Amazon Cognito disassociates an existing software token when you verify the new token in a\n VerifySoftwareToken API request. If you don't verify the software\n token and your user pool doesn't require MFA, the user can then authenticate with\n user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito\n generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge\n each time your user signs. Complete setup with AssociateSoftwareToken\n and VerifySoftwareToken.

    \n

    After you set up software token MFA for your user, Amazon Cognito generates a\n SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to\n this challenge with your user's TOTP.

    \n     " + "smithy.api#documentation": "

    Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA)\n for a user, with a unique private key that Amazon Cognito generates and returns in the API\n response. You can authorize an AssociateSoftwareToken request with either\n the user's access token, or a session string from a challenge response that you received\n from Amazon Cognito.

    \n \n

    Amazon Cognito disassociates an existing software token when you verify the new token in a\n VerifySoftwareToken API request. If you don't verify the software\n token and your user pool doesn't require MFA, the user can then authenticate with\n user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito\n generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge\n each time your user signs. Complete setup with AssociateSoftwareToken\n and VerifySoftwareToken.

    \n

    After you set up software token MFA for your user, Amazon Cognito generates a\n SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to\n this challenge with your user's TOTP.

    \n     \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#AssociateSoftwareTokenRequest": { @@ -3934,7 +3947,7 @@ "SecretCode": { "target": "com.amazonaws.cognitoidentityprovider#SecretCodeType", "traits": { - "smithy.api#documentation": "

    A unique generated shared secret code that is used in the\n TOTP algorithm to generate a one-time code.

    " + "smithy.api#documentation": "

    A unique generated shared secret code that is used in the TOTP algorithm to generate a\n one-time code.

    " } }, "Session": { @@ -4072,7 +4085,7 @@ "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The creation date

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } }, "EventResponse": { @@ -4248,7 +4261,13 @@ } }, "com.amazonaws.cognitoidentityprovider#CSSType": { - "type": "string" + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 131072 + } + } }, "com.amazonaws.cognitoidentityprovider#CSSVersionType": { "type": "string" @@ -4406,9 +4425,6 @@ }, "value": { "target": "com.amazonaws.cognitoidentityprovider#StringType" - }, - "traits": { - "smithy.api#sensitive": {} } }, "com.amazonaws.cognitoidentityprovider#ChangePassword": { @@ -4456,7 +4472,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Changes the password for a specified user in a user pool.

    ", + "smithy.api#documentation": "

    Changes the password for a specified user in a user pool.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -4554,6 +4570,20 @@ "smithy.api#sensitive": {} } }, + "com.amazonaws.cognitoidentityprovider#CloudWatchLogsConfigurationType": { + "type": "structure", + "members": { + "LogGroupArn": { + "target": "com.amazonaws.cognitoidentityprovider#ArnType", + "traits": { + "smithy.api#documentation": "

    The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs.\n The log group must not be encrypted with Key Management Service and must be in the same Amazon Web Services account\n as your user pool.

    " + } + } + }, + "traits": { + "smithy.api#documentation": "

    The CloudWatch logging destination of a user pool detailed activity logging configuration.

    " + } + }, "com.amazonaws.cognitoidentityprovider#CodeDeliveryDetailsListType": { "type": "list", "member": { @@ -4747,7 +4777,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Confirms tracking of the device. This API call is the call that begins device\n tracking.

    " + "smithy.api#documentation": "

    Confirms tracking of the device. This API call is the call that begins device\n tracking.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#ConfirmDeviceRequest": { @@ -4861,7 +4891,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Allows a user to enter a confirmation code to reset a forgotten password.

    ", + "smithy.api#documentation": "

    Allows a user to enter a confirmation code to reset a forgotten password.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -4878,7 +4908,7 @@ "SecretHash": { "target": "com.amazonaws.cognitoidentityprovider#SecretHashType", "traits": { - "smithy.api#documentation": "

    A keyed-hash message authentication code (HMAC) calculated using the secret key of a\n user pool client and username plus the client ID in the message.

    " + "smithy.api#documentation": "

    A keyed-hash message authentication code (HMAC) calculated using the secret key of a\n user pool client and username plus the client ID in the message. For more information\n about SecretHash, see Computing secret hash values.

    " } }, "Username": { @@ -4891,7 +4921,7 @@ "ConfirmationCode": { "target": "com.amazonaws.cognitoidentityprovider#ConfirmationCodeType", "traits": { - "smithy.api#documentation": "

    The confirmation code from your user's request to reset their password. For\n more information, see ForgotPassword.

    ", + "smithy.api#documentation": "

    The confirmation code from your user's request to reset their password. For more\n information, see ForgotPassword.

    ", "smithy.api#required": {} } }, @@ -4991,7 +5021,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Confirms registration of a new user.

    ", + "smithy.api#documentation": "

    Confirms registration of a new user.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -5148,7 +5178,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates a new group in the specified user pool.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Creates a new group in the specified user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateGroupRequest": { @@ -5237,7 +5267,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates an IdP for a user pool.

    " + "smithy.api#documentation": "

    Creates an IdP for a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateIdentityProviderRequest": { @@ -5332,7 +5362,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates a new OAuth2.0 resource server and defines custom scopes within it.

    " + "smithy.api#documentation": "

    Creates a new OAuth2.0 resource server and defines custom scopes within it.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateResourceServerRequest": { @@ -5417,7 +5447,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates the user import job.

    " + "smithy.api#documentation": "

    Creates a user import job.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateUserImportJobRequest": { @@ -5503,7 +5533,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates a new Amazon Cognito user pool and sets the password policy for the\n pool.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     " + "smithy.api#documentation": "\n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Creates a new Amazon Cognito user pool and sets the password policy for the\n pool.

    \n \n

    If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateUserPoolClient": { @@ -5541,7 +5571,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates the user pool client.

    \n

    When you create a new user pool client, token revocation is automatically activated.\n For more information about revoking tokens, see RevokeToken.

    " + "smithy.api#documentation": "

    Creates the user pool client.

    \n

    When you create a new user pool client, token revocation is automatically activated.\n For more information about revoking tokens, see RevokeToken.

    \n \n

    If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateUserPoolClientRequest": { @@ -5584,7 +5614,7 @@ "IdTokenValidity": { "target": "com.amazonaws.cognitoidentityprovider#IdTokenValidityType", "traits": { - "smithy.api#documentation": "

    The ID token time limit. After this limit expires, your user can't use \n their ID token. To specify the time unit for IdTokenValidity as \n seconds, minutes, hours, or days, \n set a TokenValidityUnits value in your API request.

    \n

    For example, when you set IdTokenValidity as 10 and\n TokenValidityUnits as hours, your user can authenticate their \n session with their ID token for 10 hours.

    \n

    The default time unit for AccessTokenValidity in an API request is hours. \n Valid range is displayed below in seconds.

    \n

    If you don't specify otherwise in the configuration of your app client, your ID\n tokens are valid for one hour.

    " + "smithy.api#documentation": "

    The ID token time limit. After this limit expires, your user can't use \n their ID token. To specify the time unit for IdTokenValidity as \n seconds, minutes, hours, or days, \n set a TokenValidityUnits value in your API request.

    \n

    For example, when you set IdTokenValidity as 10 and\n TokenValidityUnits as hours, your user can authenticate their \n session with their ID token for 10 hours.

    \n

    The default time unit for IdTokenValidity in an API request is hours. \n Valid range is displayed below in seconds.

    \n

    If you don't specify otherwise in the configuration of your app client, your ID\n tokens are valid for one hour.

    " } }, "TokenValidityUnits": { @@ -5614,7 +5644,7 @@ "SupportedIdentityProviders": { "target": "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType", "traits": { - "smithy.api#documentation": "

    A list of provider names for the identity providers (IdPs) that are supported on this\n client. The following are supported: COGNITO, Facebook,\n Google, SignInWithApple, and LoginWithAmazon. You can also specify the names\n that you configured for the SAML and OIDC IdPs in your user pool, for example\n MySAMLIdP or MyOIDCIdP.

    " + "smithy.api#documentation": "

    A list of provider names for the identity providers (IdPs) that are supported on this\n client. The following are supported: COGNITO, Facebook,\n Google, SignInWithApple, and LoginWithAmazon.\n You can also specify the names that you configured for the SAML and OIDC IdPs in your\n user pool, for example MySAMLIdP or MyOIDCIdP.

    " } }, "CallbackURLs": { @@ -5651,7 +5681,7 @@ "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

    Set to true if the client is allowed to follow the OAuth protocol when interacting\n with Amazon Cognito user pools.

    " + "smithy.api#documentation": "

    Set to true to use OAuth 2.0 features in your user pool app client.

    \n

    \n AllowedOAuthFlowsUserPoolClient must be true before you can configure \n the following features in your app client.

    \n
      \n
    • \n

      \n CallBackURLs: Callback URLs.

      \n
      • \n
    • \n

      \n LogoutURLs: Sign-out redirect URLs.

      \n
      • \n
    • \n

      \n AllowedOAuthScopes: OAuth 2.0 scopes.

      \n
      • \n
    • \n

      \n AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

      \n
      • \n
    \n

    To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set \n AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or \n UpdateUserPoolClient API request. If you don't set a value for \n AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults \n to false.

    " } }, "AnalyticsConfiguration": { @@ -5675,7 +5705,7 @@ "EnablePropagateAdditionalUserContextData": { "target": "com.amazonaws.cognitoidentityprovider#WrappedBooleanType", "traits": { - "smithy.api#documentation": "

    Activates the propagation of additional user context data. For more information about\n propagation of user context data, see Adding advanced security to a user pool. If you don’t include this\n parameter, you can't send device fingerprint information, including source IP address,\n to Amazon Cognito advanced security. You can only activate\n EnablePropagateAdditionalUserContextData in an app client that has a\n client secret.

    " + "smithy.api#documentation": "

    Activates the propagation of additional user context data. For more information about\n propagation of user context data, see Adding advanced security to a user pool. If you don’t include this\n parameter, you can't send device fingerprint information, including source IP address,\n to Amazon Cognito advanced security. You can only activate\n EnablePropagateAdditionalUserContextData in an app client that has a\n client secret.

    " } }, "AuthSessionValidity": { @@ -5731,7 +5761,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates a new domain for a user pool.

    " + "smithy.api#documentation": "

    Creates a new domain for a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#CreateUserPoolDomainRequest": { @@ -5867,7 +5897,7 @@ "DeviceConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#DeviceConfigurationType", "traits": { - "smithy.api#documentation": "

    The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

    \n \n

    When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

    \n     " + "smithy.api#documentation": "

    The device-remembering configuration for a user pool. A null value indicates that you\n have deactivated device remembering in your user pool.

    \n \n

    When you provide a value for any DeviceConfiguration field, you\n activate the Amazon Cognito device-remembering feature.

    \n     " } }, "EmailConfiguration": { @@ -5903,13 +5933,13 @@ "UserPoolAddOns": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolAddOnsType", "traits": { - "smithy.api#documentation": "

    Enables advanced security risk detection. Set the key\n AdvancedSecurityMode to the value \"AUDIT\".

    " + "smithy.api#documentation": "

    User pool add-ons. Contains settings for activation of advanced security features. To\n log user security information but take no action, set to AUDIT. To\n configure automatic security responses to risky traffic to your user pool, set to\n ENFORCED.

    \n

    For more information, see Adding advanced security to a user pool.

    " } }, "UsernameConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#UsernameConfigurationType", "traits": { - "smithy.api#documentation": "

    Case sensitivity on the username input for the selected sign-in option. For example,\n when case sensitivity is set to False, users can sign in using either\n \"username\" or \"Username\". This configuration is immutable once it has been set. For more\n information, see UsernameConfigurationType.

    " + "smithy.api#documentation": "

    Case sensitivity on the username input for the selected sign-in option. When case\n sensitivity is set to False (case insensitive), users can sign in with any\n combination of capital and lowercase letters. For example, username,\n USERNAME, or UserName, or for email,\n email@example.com or EMaiL@eXamplE.Com. For most use\n cases, set case sensitivity to False (case insensitive) as a best practice.\n When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in\n case as the same user, and prevents a case variation from being assigned to the same\n attribute for a different user.

    \n

    This configuration is immutable after you set it. For more information, see UsernameConfigurationType.

    " } }, "AccountRecoverySetting": { @@ -6260,7 +6290,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Allows a user to delete himself or herself.

    ", + "smithy.api#documentation": "

    Allows a user to delete their own user profile.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -6303,7 +6333,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Deletes the attributes for a user.

    ", + "smithy.api#documentation": "

    Deletes the attributes for a user.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -6848,7 +6878,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Returns the configuration information and metadata of the specified user pool.

    " + "smithy.api#documentation": "

    Returns the configuration information and metadata of the specified user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#DescribeUserPoolClient": { @@ -6877,7 +6907,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Client method for returning the configuration information and metadata of the\n specified user pool app client.

    " + "smithy.api#documentation": "

    Client method for returning the configuration information and metadata of the\n specified user pool app client.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#DescribeUserPoolClientRequest": { @@ -7020,14 +7050,14 @@ "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

    When true, a remembered device can sign in with device authentication instead of SMS\n and time-based one-time password (TOTP) factors for multi-factor authentication\n (MFA).

    \n \n

    Whether or not ChallengeRequiredOnNewDevice is true, users who sign in\n with devices that have not been confirmed or remembered must still provide a second\n factor in a user pool that requires MFA.

    \n     " + "smithy.api#documentation": "

    When true, a remembered device can sign in with device authentication instead of SMS\n and time-based one-time password (TOTP) factors for multi-factor authentication\n (MFA).

    \n \n

    Whether or not ChallengeRequiredOnNewDevice is true, users who sign\n in with devices that have not been confirmed or remembered must still provide a\n second factor in a user pool that requires MFA.

    \n     " } }, "DeviceOnlyRememberedOnUserPrompt": { "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

    When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a\n \n ConfirmDevice API request. In your app, create a prompt for\n your user to choose whether they want to remember their device. Return the user's choice\n in an \n UpdateDeviceStatus API request.

    \n

    When DeviceOnlyRememberedOnUserPrompt is false, Amazon\n Cognito immediately remembers devices that you register in a ConfirmDevice\n API request.

    " + "smithy.api#documentation": "

    When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a\n \n ConfirmDevice API request. In your app, create a prompt for your user to\n choose whether they want to remember their device. Return the user's choice in an \n UpdateDeviceStatus API request.

    \n

    When DeviceOnlyRememberedOnUserPrompt is false, Amazon\n Cognito immediately remembers devices that you register in a ConfirmDevice\n API request.

    " } } }, @@ -7121,7 +7151,7 @@ "DeviceLastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The last modified date of the device.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "DeviceLastAuthenticatedDate": { @@ -7165,7 +7195,7 @@ "CloudFrontDistribution": { "target": "com.amazonaws.cognitoidentityprovider#StringType", "traits": { - "smithy.api#documentation": "

    The Amazon Resource Name (ARN) of the Amazon CloudFront distribution.

    " + "smithy.api#documentation": "

    The Amazon CloudFront endpoint that you use as the target of the alias that you set up with\n your Domain Name Service (DNS) provider.

    " } }, "Version": { @@ -7270,7 +7300,7 @@ "SourceArn": { "target": "com.amazonaws.cognitoidentityprovider#ArnType", "traits": { - "smithy.api#documentation": "

    The ARN of a verified email address in Amazon SES. Amazon Cognito uses this email address in one of\n the following ways, depending on the value that you specify for the\n EmailSendingAccount parameter:

    \n
      \n
    • \n

      If you specify COGNITO_DEFAULT, Amazon Cognito uses this address as the\n custom FROM address when it emails your users using its built-in email\n account.

      \n
      • \n
    • \n

      If you specify DEVELOPER, Amazon Cognito emails your users with this\n address by calling Amazon SES on your behalf.

      \n
      • \n
    \n

    The Region value of the SourceArn parameter must indicate a supported\n Amazon Web Services Region of your user pool. Typically, the Region in the SourceArn and\n the user pool Region are the same. For more information, see Amazon SES email configuration regions in the Amazon Cognito Developer\n Guide.

    " + "smithy.api#documentation": "

    The ARN of a verified email address or an address from a verified domain in Amazon SES. You\n can set a SourceArn email from a verified domain only with an API request.\n You can set a verified email address, but not an address in a verified domain, in the\n Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following\n ways, depending on the value that you specify for the EmailSendingAccount\n parameter:

    \n
      \n
    • \n

      If you specify COGNITO_DEFAULT, Amazon Cognito uses this address as the\n custom FROM address when it emails your users using its built-in email\n account.

      \n
      • \n
    • \n

      If you specify DEVELOPER, Amazon Cognito emails your users with this\n address by calling Amazon SES on your behalf.

      \n
      • \n
    \n

    The Region value of the SourceArn parameter must indicate a supported\n Amazon Web Services Region of your user pool. Typically, the Region in the SourceArn and\n the user pool Region are the same. For more information, see Amazon SES email configuration regions in the Amazon Cognito Developer\n Guide.

    " } }, "ReplyToEmailAddress": { @@ -7282,7 +7312,7 @@ "EmailSendingAccount": { "target": "com.amazonaws.cognitoidentityprovider#EmailSendingAccountType", "traits": { - "smithy.api#documentation": "

    Specifies whether Amazon Cognito uses its built-in functionality to send your users email\n messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following\n values:

    \n
    \n
    COGNITO_DEFAULT
    \n
    \n

    When Amazon Cognito emails your users, it uses its built-in email functionality.\n When you use the default option, Amazon Cognito allows only a limited number of\n emails each day for your user pool. For typical production environments, the\n default email limit is less than the required delivery volume. To achieve a\n higher delivery volume, specify DEVELOPER to use your Amazon SES email\n configuration.

    \n

    To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer Guide.

    \n

    The default FROM address is no-reply@verificationemail.com.\n To customize the FROM address, provide the Amazon Resource Name (ARN) of an\n Amazon SES verified email address for the SourceArn\n parameter.

    \n
    \n
    DEVELOPER
    \n
    \n

    When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito\n calls Amazon SES on your behalf to send email from your verified email address.\n When you use this option, the email delivery limits are the same limits that\n apply to your Amazon SES verified email address in your Amazon Web Services account.

    \n

    If you use this option, provide the ARN of an Amazon SES verified email address\n for the SourceArn parameter.

    \n

    Before Amazon Cognito can email your users, it requires additional permissions to\n call Amazon SES on your behalf. When you update your user pool with this option,\n Amazon Cognito creates a service-linked role, which is a type of\n role in your Amazon Web Services account. This role contains the permissions\n that allow you to access Amazon SES and send email messages from your email address. For\n more information about the service-linked role that Amazon Cognito creates, see\n Using Service-Linked Roles for Amazon Cognito in the\n Amazon Cognito Developer Guide.

    \n
    \n
    " + "smithy.api#documentation": "

    Specifies whether Amazon Cognito uses its built-in functionality to send your users email\n messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following\n values:

    \n
    \n
    COGNITO_DEFAULT
    \n
    \n

    When Amazon Cognito emails your users, it uses its built-in email functionality.\n When you use the default option, Amazon Cognito allows only a limited number of\n emails each day for your user pool. For typical production environments, the\n default email limit is less than the required delivery volume. To achieve a\n higher delivery volume, specify DEVELOPER to use your Amazon SES email\n configuration.

    \n

    To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer\n Guide.

    \n

    The default FROM address is no-reply@verificationemail.com.\n To customize the FROM address, provide the Amazon Resource Name (ARN) of an\n Amazon SES verified email address for the SourceArn\n parameter.

    \n
    \n
    DEVELOPER
    \n
    \n

    When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito\n calls Amazon SES on your behalf to send email from your verified email address.\n When you use this option, the email delivery limits are the same limits that\n apply to your Amazon SES verified email address in your Amazon Web Services account.

    \n

    If you use this option, provide the ARN of an Amazon SES verified email address\n for the SourceArn parameter.

    \n

    Before Amazon Cognito can email your users, it requires additional permissions to\n call Amazon SES on your behalf. When you update your user pool with this option,\n Amazon Cognito creates a service-linked role, which is a type of\n role in your Amazon Web Services account. This role contains the permissions\n that allow you to access Amazon SES and send email messages from your email\n address. For more information about the service-linked role that Amazon Cognito\n creates, see Using Service-Linked Roles for Amazon Cognito in the\n Amazon Cognito Developer Guide.

    \n
    \n
    " } }, "From": { @@ -7436,7 +7466,7 @@ "FeedbackValue": { "target": "com.amazonaws.cognitoidentityprovider#FeedbackValueType", "traits": { - "smithy.api#documentation": "

    The event feedback value.

    ", + "smithy.api#documentation": "

    The authentication event feedback value. When you provide a FeedbackValue\n value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito\n has evaluated some level of risk. When you provide a FeedbackValue value of\n invalid, you tell Amazon Cognito that you don't trust a user session, or you \n don't believe that Amazon Cognito evaluated a high-enough risk level.

    ", "smithy.api#required": {} } }, @@ -7546,6 +7576,17 @@ "smithy.api#documentation": "

    The event risk type.

    " } }, + "com.amazonaws.cognitoidentityprovider#EventSourceName": { + "type": "enum", + "members": { + "USER_NOTIFICATION": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "userNotification" + } + } + } + }, "com.amazonaws.cognitoidentityprovider#EventType": { "type": "enum", "members": { @@ -7679,12 +7720,12 @@ "message": { "target": "com.amazonaws.cognitoidentityprovider#MessageType", "traits": { - "smithy.api#documentation": "

    The message returned when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

    " + "smithy.api#documentation": "

    The message returned when WAF doesn't allow your request based on a web ACL\n that's associated with your user pool.

    " } } }, "traits": { - "smithy.api#documentation": "

    This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

    ", + "smithy.api#documentation": "

    This exception is thrown when WAF doesn't allow your request based on a web\n ACL that's associated with your user pool.

    ", "smithy.api#error": "client", "smithy.api#httpError": 403 } @@ -7736,7 +7777,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Forgets the specified device.

    " + "smithy.api#documentation": "

    Forgets the specified device.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#ForgetDeviceRequest": { @@ -7818,7 +7859,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Calling this API causes a message to be sent to the end user with a confirmation code\n that is required to change the user's password. For the Username parameter,\n you can use the username or user alias. The method used to send the confirmation code is\n sent according to the specified AccountRecoverySetting. For more information, see Recovering\n User Accounts in the Amazon Cognito Developer Guide. If\n neither a verified phone number nor a verified email exists, an\n InvalidParameterException is thrown. To use the confirmation code for\n resetting the password, call ConfirmForgotPassword.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Calling this API causes a message to be sent to the end user with a confirmation code\n that is required to change the user's password. For the Username parameter,\n you can use the username or user alias. The method used to send the confirmation code is\n sent according to the specified AccountRecoverySetting. For more information, see Recovering\n User Accounts in the Amazon Cognito Developer Guide. To\n use the confirmation code for resetting the password, call ConfirmForgotPassword.

    \n

    If neither a verified phone number nor a verified email exists, this API returns\n InvalidParameterException. If your app client has a client secret and\n you don't provide a SECRET_HASH parameter, this API returns\n NotAuthorizedException.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -7997,7 +8038,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Gets the device.

    " + "smithy.api#documentation": "

    Gets the device.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#GetDeviceRequest": { @@ -8169,6 +8210,64 @@ "smithy.api#output": {} } }, + "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfiguration": { + "type": "operation", + "input": { + "target": "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfigurationRequest" + }, + "output": { + "target": "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfigurationResponse" + }, + "errors": [ + { + "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException" + } + ], + "traits": { + "smithy.api#documentation": "

    Gets the detailed activity logging configuration for a user pool.

    " + } + }, + "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfigurationRequest": { + "type": "structure", + "members": { + "UserPoolId": { + "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", + "traits": { + "smithy.api#documentation": "

    The ID of the user pool where you want to view detailed activity logging configuration.

    ", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfigurationResponse": { + "type": "structure", + "members": { + "LogDeliveryConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#LogDeliveryConfigurationType", + "traits": { + "smithy.api#documentation": "

    The detailed activity logging configuration of the requested user pool.

    " + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.cognitoidentityprovider#GetSigningCertificate": { "type": "operation", "input": { @@ -8189,7 +8288,7 @@ } ], "traits": { - "smithy.api#documentation": "

    This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.

    \n

    Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, \n but doesn't invalidate the original certificate.

    " + "smithy.api#documentation": "

    This method takes a user pool ID, and returns the signing certificate. The issued\n certificate is valid for 10 years from the date of issue.

    \n

    Amazon Cognito issues and assigns a new signing certificate annually. This process returns a\n new value in the response to GetSigningCertificate, but doesn't invalidate\n the original certificate.

    " } }, "com.amazonaws.cognitoidentityprovider#GetSigningCertificateRequest": { @@ -8327,7 +8426,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Gets the user attributes and metadata for a user.

    ", + "smithy.api#documentation": "

    Gets the user attributes and metadata for a user.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -8394,7 +8493,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Generates a user attribute verification code for the specified attribute name. Sends a\n message to a user with a code that they must return in a VerifyUserAttribute\n request.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Generates a user attribute verification code for the specified attribute name. Sends a\n message to a user with a code that they must return in a VerifyUserAttribute\n request.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -8534,7 +8633,7 @@ "Username": { "target": "com.amazonaws.cognitoidentityprovider#UsernameType", "traits": { - "smithy.api#documentation": "

    The user name of the user you want to retrieve from the get user request.

    ", + "smithy.api#documentation": "

    The username of the user that you requested.

    ", "smithy.api#required": {} } }, @@ -8604,7 +8703,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Signs out users from all devices. It also invalidates all refresh tokens that Amazon Cognito\n has issued to a user. A user can still use a hosted UI cookie to retrieve new tokens \n for the duration of the 1-hour cookie validity period.

    " + "smithy.api#documentation": "

    Signs out a user from all devices. GlobalSignOut invalidates all\n identity, access and refresh tokens that Amazon Cognito has issued to a user. A user can still\n use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie\n validity period.

    \n

    Your app isn't aware that a user's access token is revoked unless it attempts to\n authorize a user pools API request with an access token that contains the scope\n aws.cognito.signin.user.admin. Your app might otherwise accept access\n tokens until they expire.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#GlobalSignOutRequest": { @@ -8696,13 +8795,13 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the group was last modified.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the group was created.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } } }, @@ -8793,13 +8892,13 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the IdP was last modified.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the IdP was created.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } } }, @@ -8871,7 +8970,13 @@ } }, "com.amazonaws.cognitoidentityprovider#ImageFileType": { - "type": "blob" + "type": "blob", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 131072 + } + } }, "com.amazonaws.cognitoidentityprovider#ImageUrlType": { "type": "string" @@ -8933,7 +9038,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user\n with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user\n with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -8950,7 +9055,7 @@ "AuthParameters": { "target": "com.amazonaws.cognitoidentityprovider#AuthParametersType", "traits": { - "smithy.api#documentation": "

    The authentication parameters. These are inputs corresponding to the\n AuthFlow that you're invoking. The required values depend on the value\n of AuthFlow:

    \n
      \n
    • \n

      For USER_SRP_AUTH: USERNAME (required),\n SRP_A (required), SECRET_HASH (required if the app\n client is configured with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN\n (required), SECRET_HASH (required if the app client is configured\n with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For CUSTOM_AUTH: USERNAME (required),\n SECRET_HASH (if app client is configured with client secret),\n DEVICE_KEY. To start the authentication flow with password\n verification, include ChallengeName: SRP_A and SRP_A: (The\n SRP_A Value).

      \n
      • \n
    " + "smithy.api#documentation": "

    The authentication parameters. These are inputs corresponding to the\n AuthFlow that you're invoking. The required values depend on the value\n of AuthFlow:

    \n
      \n
    • \n

      For USER_SRP_AUTH: USERNAME (required),\n SRP_A (required), SECRET_HASH (required if the app\n client is configured with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For USER_PASSWORD_AUTH: USERNAME (required),\n PASSWORD (required), SECRET_HASH (required if the\n app client is configured with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN\n (required), SECRET_HASH (required if the app client is configured\n with a client secret), DEVICE_KEY.

      \n
      • \n
    • \n

      For CUSTOM_AUTH: USERNAME (required),\n SECRET_HASH (if app client is configured with client secret),\n DEVICE_KEY. To start the authentication flow with password\n verification, include ChallengeName: SRP_A and SRP_A: (The\n SRP_A Value).

      \n
      • \n
    \n

    For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

    " } }, "ClientMetadata": { @@ -9142,7 +9247,7 @@ } }, "traits": { - "smithy.api#documentation": "

    This exception is thrown when the trust relationship is not valid for the role\n provided for SMS configuration. This can happen if you don't trust\n cognito-idp.amazonaws.com or the external ID provided in the role does\n not match what is provided in the SMS configuration for the user pool.

    ", + "smithy.api#documentation": "

    This exception is thrown when the trust relationship is not valid for the role\n provided for SMS configuration. This can happen if you don't trust\n cognito-idp.amazonaws.com or the external ID provided in the role does\n not match what is provided in the SMS configuration for the user pool.

    ", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -9306,7 +9411,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the sign-in devices that Amazon Cognito has registered to the current user.

    " + "smithy.api#documentation": "

    Lists the sign-in devices that Amazon Cognito has registered to the current user.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#ListDevicesRequest": { @@ -9384,7 +9489,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the groups associated with a user pool.

    \n

    Calling this action requires developer credentials.

    ", + "smithy.api#documentation": "

    Lists the groups associated with a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -9466,7 +9571,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists information about all IdPs for a user pool.

    ", + "smithy.api#documentation": "

    Lists information about all IdPs for a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -9564,7 +9669,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the resource servers for a user pool.

    ", + "smithy.api#documentation": "

    Lists the resource servers for a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -9716,7 +9821,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the user import jobs.

    " + "smithy.api#documentation": "

    Lists user import jobs for a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#ListUserImportJobsRequest": { @@ -9796,7 +9901,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the clients that have been created for the specified user pool.

    ", + "smithy.api#documentation": "

    Lists the clients that have been created for the specified user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -9878,7 +9983,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the user pools associated with an Amazon Web Services account.

    ", + "smithy.api#documentation": "

    Lists the user pools associated with an Amazon Web Services account.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -9957,7 +10062,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the users in the Amazon Cognito user pool.

    ", + "smithy.api#documentation": "

    Lists users and their basic details in a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "PaginationToken", "outputToken": "PaginationToken", @@ -9992,7 +10097,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lists the users in the specified group.

    \n

    Calling this action requires developer credentials.

    ", + "smithy.api#documentation": "

    Lists the users in the specified group.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     ", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -10068,7 +10173,7 @@ "AttributesToGet": { "target": "com.amazonaws.cognitoidentityprovider#SearchedAttributeNamesListType", "traits": { - "smithy.api#documentation": "

    An array of strings, where each string is the name of a user attribute to be returned\n for each user in the search results. If the array is null, all attributes are\n returned.

    " + "smithy.api#documentation": "

    A JSON array of user attribute names, for example given_name, that you\n want Amazon Cognito to include in the response for each user. When you don't provide an\n AttributesToGet parameter, Amazon Cognito returns all attributes for each\n user.

    " } }, "Limit": { @@ -10101,7 +10206,7 @@ "Users": { "target": "com.amazonaws.cognitoidentityprovider#UsersListType", "traits": { - "smithy.api#documentation": "

    The users returned in the request to list users.

    " + "smithy.api#documentation": "

    A list of the user pool users, and their attributes, that match your query.

    \n \n

    Amazon Cognito creates a profile in your user pool for each native user in your user pool,\n and each unique user ID from your third-party identity providers (IdPs). When you\n link users with the AdminLinkProviderForUser API operation, the output of\n ListUsers displays both the IdP user and the native user that you\n linked. You can identify IdP users in the Users object of this API\n response by the IdP prefix that Amazon Cognito appends to Username.

    \n     " } }, "PaginationToken": { @@ -10116,6 +10221,79 @@ "smithy.api#output": {} } }, + "com.amazonaws.cognitoidentityprovider#LogConfigurationListType": { + "type": "list", + "member": { + "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationType" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 1 + } + } + }, + "com.amazonaws.cognitoidentityprovider#LogConfigurationType": { + "type": "structure", + "members": { + "LogLevel": { + "target": "com.amazonaws.cognitoidentityprovider#LogLevel", + "traits": { + "smithy.api#documentation": "

    The errorlevel selection of logs that a user pool sends for detailed activity logging.

    ", + "smithy.api#required": {} + } + }, + "EventSource": { + "target": "com.amazonaws.cognitoidentityprovider#EventSourceName", + "traits": { + "smithy.api#documentation": "

    The source of events that your user pool sends for detailed activity logging.

    ", + "smithy.api#required": {} + } + }, + "CloudWatchLogsConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#CloudWatchLogsConfigurationType", + "traits": { + "smithy.api#documentation": "

    The CloudWatch logging destination of a user pool.

    " + } + } + }, + "traits": { + "smithy.api#documentation": "

    The logging parameters of a user pool.

    " + } + }, + "com.amazonaws.cognitoidentityprovider#LogDeliveryConfigurationType": { + "type": "structure", + "members": { + "UserPoolId": { + "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", + "traits": { + "smithy.api#documentation": "

    The ID of the user pool where you configured detailed activity logging.

    ", + "smithy.api#required": {} + } + }, + "LogConfigurations": { + "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationListType", + "traits": { + "smithy.api#documentation": "

    The detailed activity logging destination of a user pool.

    ", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

    The logging parameters of a user pool.

    " + } + }, + "com.amazonaws.cognitoidentityprovider#LogLevel": { + "type": "enum", + "members": { + "ERROR": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ERROR" + } + } + } + }, "com.amazonaws.cognitoidentityprovider#LogoutURLsListType": { "type": "list", "member": { @@ -10584,7 +10762,7 @@ "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the provider was added to the user pool.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } } }, @@ -10822,7 +11000,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Resends the confirmation (for confirmation of registration) to a specific user in the\n user pool.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Resends the confirmation (for confirmation of registration) to a specific user in the\n user pool.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -11090,7 +11268,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Responds to the authentication challenge.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Responds to the authentication challenge.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -11120,7 +11298,7 @@ "ChallengeResponses": { "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType", "traits": { - "smithy.api#documentation": "

    The challenge responses. These are inputs corresponding to the value of\n ChallengeName, for example:

    \n \n

    \n SECRET_HASH (if app client is configured with client secret) applies\n to all of the inputs that follow (including SOFTWARE_TOKEN_MFA).

    \n     \n
      \n
    • \n

      \n SMS_MFA: SMS_MFA_CODE, USERNAME.

      \n
      • \n
    • \n

      \n PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP,\n USERNAME.

      \n \n

      \n PASSWORD_VERIFIER requires DEVICE_KEY when you\n sign in with a remembered device.

      \n       \n
      • \n
    • \n

      \n NEW_PASSWORD_REQUIRED: NEW_PASSWORD,\n USERNAME, SECRET_HASH (if app client is configured\n with client secret). To set any required attributes that Amazon Cognito returned as\n requiredAttributes in the InitiateAuth response,\n add a userAttributes.attributename\n parameter.\n This parameter can also set values for writable attributes that aren't required\n by your user pool.

      \n \n

      In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

      \n       \n
      • \n
    • \n

      \n SOFTWARE_TOKEN_MFA: USERNAME and\n SOFTWARE_TOKEN_MFA_CODE are required attributes.

      \n
      • \n
    • \n

      \n DEVICE_SRP_AUTH requires USERNAME,\n DEVICE_KEY, SRP_A (and\n SECRET_HASH).

      \n
      • \n
    • \n

      \n DEVICE_PASSWORD_VERIFIER requires everything that\n PASSWORD_VERIFIER requires, plus\n DEVICE_KEY.

      \n
      • \n
    • \n

      \n MFA_SETUP requires USERNAME, plus you must use the\n session value returned by VerifySoftwareToken in the\n Session parameter.

      \n
      • \n
    " + "smithy.api#documentation": "

    The challenge responses. These are inputs corresponding to the value of\n ChallengeName, for example:

    \n \n

    \n SECRET_HASH (if app client is configured with client secret) applies\n to all of the inputs that follow (including SOFTWARE_TOKEN_MFA).

    \n     \n
      \n
    • \n

      \n SMS_MFA: SMS_MFA_CODE, USERNAME.

      \n
      • \n
    • \n

      \n PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP,\n USERNAME.

      \n \n

      \n PASSWORD_VERIFIER requires DEVICE_KEY when you\n sign in with a remembered device.

      \n       \n
      • \n
    • \n

      \n NEW_PASSWORD_REQUIRED: NEW_PASSWORD,\n USERNAME, SECRET_HASH (if app client is configured\n with client secret). To set any required attributes that Amazon Cognito returned as\n requiredAttributes in the InitiateAuth response,\n add a userAttributes.attributename\n parameter.\n This parameter can also set values for writable attributes that aren't required\n by your user pool.

      \n \n

      In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

      \n       \n
      • \n
    • \n

      \n SOFTWARE_TOKEN_MFA: USERNAME and\n SOFTWARE_TOKEN_MFA_CODE are required attributes.

      \n
      • \n
    • \n

      \n DEVICE_SRP_AUTH requires USERNAME,\n DEVICE_KEY, SRP_A (and\n SECRET_HASH).

      \n
      • \n
    • \n

      \n DEVICE_PASSWORD_VERIFIER requires everything that\n PASSWORD_VERIFIER requires, plus\n DEVICE_KEY.

      \n
      • \n
    • \n

      \n MFA_SETUP requires USERNAME, plus you must use the\n session value returned by VerifySoftwareToken in the\n Session parameter.

      \n
      • \n
    \n

    For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

    " } }, "AnalyticsMetadata": { @@ -11212,7 +11390,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Revokes all of the access tokens generated by, and at the same time as, the specified \n refresh token. After a token is revoked, you can't use the revoked token to access \n Amazon Cognito user APIs, or to authorize access to your resource server.

    " + "smithy.api#documentation": "

    Revokes all of the access tokens generated by, and at the same time as, the specified\n refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito\n user APIs, or to authorize access to your resource server.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#RevokeTokenRequest": { @@ -11286,7 +11464,7 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The last modified date.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } } }, @@ -11408,13 +11586,13 @@ "Name": { "target": "com.amazonaws.cognitoidentityprovider#CustomAttributeNameType", "traits": { - "smithy.api#documentation": "

    A schema attribute of the name type.

    " + "smithy.api#documentation": "

    The name of your user pool attribute, for example username or\n custom:costcenter.

    " } }, "AttributeDataType": { "target": "com.amazonaws.cognitoidentityprovider#AttributeDataType", "traits": { - "smithy.api#documentation": "

    The attribute data type.

    " + "smithy.api#documentation": "

    The data format of the values for your attribute.

    " } }, "DeveloperOnlyAttribute": { @@ -11428,7 +11606,7 @@ "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": null, - "smithy.api#documentation": "

    Specifies whether the value of the attribute can be changed.

    \n

    For any user pool attribute that is mapped to an IdP attribute, you must set this\n parameter to true. Amazon Cognito updates mapped attributes when users sign in to\n your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error\n when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User\n Pool.

    " + "smithy.api#documentation": "

    Specifies whether the value of the attribute can be changed.

    \n

    Any user pool attribute whose value you map from an IdP attribute must be mutable,\n with a parameter value of true. Amazon Cognito updates mapped attributes when users\n sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws\n an error when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User\n Pool.

    " } }, "Required": { @@ -11452,7 +11630,7 @@ } }, "traits": { - "smithy.api#documentation": "

    Contains information about the schema attribute.

    " + "smithy.api#documentation": "

    A list of the user attributes and their properties in your user pool. The attribute\n schema contains standard attributes, custom attributes with a custom:\n prefix, and developer attributes with a dev: prefix. For more information,\n see User pool\n attributes.

    \n

    Developer-only attributes are a legacy feature of user pools, are read-only to all app\n clients. You can create and update developer-only attributes only with IAM-authenticated\n API operations. Use app client read/write permissions instead.

    " } }, "com.amazonaws.cognitoidentityprovider#SchemaAttributesListType": { @@ -11544,8 +11722,72 @@ "smithy.api#length": { "min": 20, "max": 2048 + } + } + }, + "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfiguration": { + "type": "operation", + "input": { + "target": "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationRequest" + }, + "output": { + "target": "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationResponse" + }, + "errors": [ + { + "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException" }, - "smithy.api#sensitive": {} + { + "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException" + }, + { + "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException" + } + ], + "traits": { + "smithy.api#documentation": "

    Sets up or modifies the detailed activity logging configuration of a user pool.

    " + } + }, + "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationRequest": { + "type": "structure", + "members": { + "UserPoolId": { + "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", + "traits": { + "smithy.api#documentation": "

    The ID of the user pool where you want to configure detailed activity logging .

    ", + "smithy.api#required": {} + } + }, + "LogConfigurations": { + "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationListType", + "traits": { + "smithy.api#documentation": "

    A collection of all of the detailed activity logging configurations for a user pool.

    ", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationResponse": { + "type": "structure", + "members": { + "LogDeliveryConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#LogDeliveryConfigurationType", + "traits": { + "smithy.api#documentation": "

    The detailed activity logging configuration that you applied to the requested user pool.

    " + } + } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.cognitoidentityprovider#SetRiskConfiguration": { @@ -11752,7 +11994,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Set the user's multi-factor authentication (MFA) method preference, including which\n MFA factors are activated and if any are preferred. Only one factor can be set as\n preferred. The preferred MFA factor will be used to authenticate a user if multiple\n factors are activated. If multiple options are activated and no preference is set, a\n challenge to choose an MFA option will be returned during sign-in. If an MFA type is\n activated for a user, the user will be prompted for MFA during all sign-in attempts\n unless device tracking is turned on and the device has been trusted. If you want MFA to\n be applied selectively based on the assessed risk level of sign-in attempts, deactivate\n MFA for users and turn on Adaptive Authentication for the user pool.

    " + "smithy.api#documentation": "

    Set the user's multi-factor authentication (MFA) method preference, including which\n MFA factors are activated and if any are preferred. Only one factor can be set as\n preferred. The preferred MFA factor will be used to authenticate a user if multiple\n factors are activated. If multiple options are activated and no preference is set, a\n challenge to choose an MFA option will be returned during sign-in. If an MFA type is\n activated for a user, the user will be prompted for MFA during all sign-in attempts\n unless device tracking is turned on and the device has been trusted. If you want MFA to\n be applied selectively based on the assessed risk level of sign-in attempts, deactivate\n MFA for users and turn on Adaptive Authentication for the user pool.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#SetUserMFAPreferenceRequest": { @@ -11821,7 +12063,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Sets the user pool multi-factor authentication (MFA) configuration.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     " + "smithy.api#documentation": "

    Sets the user pool multi-factor authentication (MFA) configuration.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#SetUserPoolMfaConfigRequest": { @@ -11919,7 +12161,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    \n This action is no longer supported. You can use it to configure\n only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software\n token MFA. To configure either type of MFA, use SetUserMFAPreference instead.

    ", + "smithy.api#documentation": "

    \n This action is no longer supported. You can use it to configure\n only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software\n token MFA. To configure either type of MFA, use SetUserMFAPreference instead.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -12011,7 +12253,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Registers the user in the specified user pool and creates a user name, password, and\n user attributes.

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Registers the user in the specified user pool and creates a user name, password, and\n user attributes.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -12200,8 +12442,7 @@ "min": 6, "max": 6 }, - "smithy.api#pattern": "^[0-9]+$", - "smithy.api#sensitive": {} + "smithy.api#pattern": "^[0-9]+$" } }, "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaConfigType": { @@ -12419,7 +12660,13 @@ } }, "com.amazonaws.cognitoidentityprovider#StringType": { - "type": "string" + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 131072 + } + } }, "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType": { "type": "list", @@ -12555,19 +12802,19 @@ "AccessToken": { "target": "com.amazonaws.cognitoidentityprovider#TimeUnitsType", "traits": { - "smithy.api#documentation": "

    A time unit of seconds, minutes, hours, or\n days for the value that you set in the AccessTokenValidity\n parameter. The default AccessTokenValidity time unit is hours.

    " + "smithy.api#documentation": "

    A time unit of seconds, minutes, hours, or\n days for the value that you set in the AccessTokenValidity\n parameter. The default AccessTokenValidity time unit is hours.\n AccessTokenValidity duration can range from five minutes to one\n day.

    " } }, "IdToken": { "target": "com.amazonaws.cognitoidentityprovider#TimeUnitsType", "traits": { - "smithy.api#documentation": "

    A time unit of seconds, minutes, hours, or\n days for the value that you set in the IdTokenValidity\n parameter. The default IdTokenValidity time unit is hours.

    " + "smithy.api#documentation": "

    A time unit of seconds, minutes, hours, or\n days for the value that you set in the IdTokenValidity\n parameter. The default IdTokenValidity time unit is hours.\n IdTokenValidity duration can range from five minutes to one day.

    " } }, "RefreshToken": { "target": "com.amazonaws.cognitoidentityprovider#TimeUnitsType", "traits": { - "smithy.api#documentation": "

    A time unit of seconds, minutes, hours, or\n days for the value that you set in the\n RefreshTokenValidity parameter. The default\n RefreshTokenValidity time unit is days.

    " + "smithy.api#documentation": "

    A time unit of seconds, minutes, hours, or\n days for the value that you set in the\n RefreshTokenValidity parameter. The default\n RefreshTokenValidity time unit is days.\n RefreshTokenValidity duration can range from 60 minutes to 10\n years.

    " } } }, @@ -12643,13 +12890,13 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The last-modified date for the UI customization.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The creation date for the UI customization.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } } }, @@ -12831,7 +13078,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Provides the feedback for an authentication event, whether it was from a valid user or\n not. This feedback is used for improving the risk evaluation decision for the user pool\n as part of Amazon Cognito advanced security.

    " + "smithy.api#documentation": "

    Provides the feedback for an authentication event, whether it was from a valid user or\n not. This feedback is used for improving the risk evaluation decision for the user pool\n as part of Amazon Cognito advanced security.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateAuthEventFeedbackRequest": { @@ -12868,7 +13115,7 @@ "FeedbackValue": { "target": "com.amazonaws.cognitoidentityprovider#FeedbackValueType", "traits": { - "smithy.api#documentation": "

    The authentication event feedback value.

    ", + "smithy.api#documentation": "

    The authentication event feedback value. When you provide a FeedbackValue\n value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito\n has evaluated some level of risk. When you provide a FeedbackValue value of\n invalid, you tell Amazon Cognito that you don't trust a user session, or you \n don't believe that Amazon Cognito evaluated a high-enough risk level.

    ", "smithy.api#required": {} } } @@ -12925,7 +13172,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the device status.

    " + "smithy.api#documentation": "

    Updates the device status.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateDeviceStatusRequest": { @@ -12991,7 +13238,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the specified group with the specified attributes.

    \n

    Calling this action requires developer credentials.

    " + "smithy.api#documentation": "

    Updates the specified group with the specified attributes.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateGroupRequest": { @@ -13080,7 +13327,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates IdP information for a user pool.

    " + "smithy.api#documentation": "

    Updates IdP information for a user pool.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateIdentityProviderRequest": { @@ -13164,7 +13411,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the name and scopes of resource server. All other fields are read-only.

    \n \n

    If you don't provide a value for an attribute, it is set to the default\n value.

    \n     " + "smithy.api#documentation": "

    Updates the name and scopes of resource server. All other fields are read-only.

    \n \n

    If you don't provide a value for an attribute, it is set to the default\n value.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateResourceServerRequest": { @@ -13286,7 +13533,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Allows a user to update a specific attribute (one at a time).

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", + "smithy.api#documentation": "

    Allows a user to update a specific attribute (one at a time).

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     ", "smithy.api#optionalAuth": {} } }, @@ -13296,7 +13543,7 @@ "UserAttributes": { "target": "com.amazonaws.cognitoidentityprovider#AttributeListType", "traits": { - "smithy.api#documentation": "

    An array of name-value pairs representing user attributes.

    \n

    For custom attributes, you must prepend the custom: prefix to the\n attribute name.

    \n

    If you have set an attribute to require verification before Amazon Cognito updates its value,\n this request doesn’t immediately update the value of that attribute. After your user\n receives and responds to a verification message to verify the new value, Amazon Cognito updates\n the attribute value. Your user can sign in and receive messages with the original \n attribute value until they verify the new value.

    ", + "smithy.api#documentation": "

    An array of name-value pairs representing user attributes.

    \n

    For custom attributes, you must prepend the custom: prefix to the\n attribute name.

    \n

    If you have set an attribute to require verification before Amazon Cognito updates its value,\n this request doesn’t immediately update the value of that attribute. After your user\n receives and responds to a verification message to verify the new value, Amazon Cognito updates\n the attribute value. Your user can sign in and receive messages with the original\n attribute value until they verify the new value.

    ", "smithy.api#required": {} } }, @@ -13378,7 +13625,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the specified user pool with the specified attributes. You can get a list of\n the current user pool settings using DescribeUserPool. If you don't provide a value for an attribute, it will be\n set to the default value.\n

    \n \n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     " + "smithy.api#documentation": "\n

    This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

    \n

    If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

    \n     \n

    Updates the specified user pool with the specified attributes. You can get a list of\n the current user pool settings using DescribeUserPool.

    \n \n

    If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

    \n     \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateUserPoolClient": { @@ -13416,7 +13663,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the specified user pool app client with the specified attributes. You can get\n a list of the current user pool app client settings using DescribeUserPoolClient.

    \n \n

    If you don't provide a value for an attribute, it will be set to the default\n value.

    \n     \n

    You can also use this operation to enable token revocation for user pool clients. For\n more information about revoking tokens, see RevokeToken.

    " + "smithy.api#documentation": "

    Updates the specified user pool app client with the specified attributes. You can get\n a list of the current user pool app client settings using DescribeUserPoolClient.

    \n \n

    If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

    \n     \n

    You can also use this operation to enable token revocation for user pool clients. For\n more information about revoking tokens, see RevokeToken.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateUserPoolClientRequest": { @@ -13458,13 +13705,13 @@ "IdTokenValidity": { "target": "com.amazonaws.cognitoidentityprovider#IdTokenValidityType", "traits": { - "smithy.api#documentation": "

    The ID token time limit. After this limit expires, your user can't use \n their ID token. To specify the time unit for IdTokenValidity as \n seconds, minutes, hours, or days, \n set a TokenValidityUnits value in your API request.

    \n

    For example, when you set IdTokenValidity as 10 and\n TokenValidityUnits as hours, your user can authenticate their \n session with their ID token for 10 hours.

    \n

    The default time unit for AccessTokenValidity in an API request is hours. \n Valid range is displayed below in seconds.

    \n

    If you don't specify otherwise in the configuration of your app client, your ID\n tokens are valid for one hour.

    " + "smithy.api#documentation": "

    The ID token time limit. After this limit expires, your user can't use \n their ID token. To specify the time unit for IdTokenValidity as \n seconds, minutes, hours, or days, \n set a TokenValidityUnits value in your API request.

    \n

    For example, when you set IdTokenValidity as 10 and\n TokenValidityUnits as hours, your user can authenticate their \n session with their ID token for 10 hours.

    \n

    The default time unit for IdTokenValidity in an API request is hours. \n Valid range is displayed below in seconds.

    \n

    If you don't specify otherwise in the configuration of your app client, your ID\n tokens are valid for one hour.

    " } }, "TokenValidityUnits": { "target": "com.amazonaws.cognitoidentityprovider#TokenValidityUnitsType", "traits": { - "smithy.api#documentation": "

    The units in which the validity times are represented. The default unit for\n RefreshToken is days, and the default for ID and access tokens is hours.

    " + "smithy.api#documentation": "

    The time units you use when you set the duration of ID, access, and refresh tokens.\n The default unit for RefreshToken is days, and the default for ID and access tokens is\n hours.

    " } }, "ReadAttributes": { @@ -13488,7 +13735,7 @@ "SupportedIdentityProviders": { "target": "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType", "traits": { - "smithy.api#documentation": "

    A list of provider names for the IdPs that this client supports. The following are\n supported: COGNITO, Facebook, Google, SignInWithApple,\n LoginWithAmazon, and the names of your own SAML and OIDC providers.

    " + "smithy.api#documentation": "

    A list of provider names for the IdPs that this client supports. The following are\n supported: COGNITO, Facebook, Google,\n SignInWithApple, LoginWithAmazon, and the names of your\n own SAML and OIDC providers.

    " } }, "CallbackURLs": { @@ -13525,7 +13772,7 @@ "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

    Set to true if the client is allowed to follow the OAuth protocol when interacting\n with Amazon Cognito user pools.

    " + "smithy.api#documentation": "

    Set to true to use OAuth 2.0 features in your user pool app client.

    \n

    \n AllowedOAuthFlowsUserPoolClient must be true before you can configure \n the following features in your app client.

    \n
      \n
    • \n

      \n CallBackURLs: Callback URLs.

      \n
      • \n
    • \n

      \n LogoutURLs: Sign-out redirect URLs.

      \n
      • \n
    • \n

      \n AllowedOAuthScopes: OAuth 2.0 scopes.

      \n
      • \n
    • \n

      \n AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

      \n
      • \n
    \n

    To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set \n AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or \n UpdateUserPoolClient API request. If you don't set a value for \n AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults \n to false.

    " } }, "AnalyticsConfiguration": { @@ -13549,7 +13796,7 @@ "EnablePropagateAdditionalUserContextData": { "target": "com.amazonaws.cognitoidentityprovider#WrappedBooleanType", "traits": { - "smithy.api#documentation": "

    Activates the propagation of additional user context data. For more information about\n propagation of user context data, see Adding advanced security to a user pool. If you don’t include this\n parameter, you can't send device fingerprint information, including source IP address,\n to Amazon Cognito advanced security. You can only activate\n EnablePropagateAdditionalUserContextData in an app client that has a\n client secret.

    " + "smithy.api#documentation": "

    Activates the propagation of additional user context data. For more information about\n propagation of user context data, see Adding advanced security to a user pool. If you don’t include this\n parameter, you can't send device fingerprint information, including source IP address,\n to Amazon Cognito advanced security. You can only activate\n EnablePropagateAdditionalUserContextData in an app client that has a\n client secret.

    " } }, "AuthSessionValidity": { @@ -13605,7 +13852,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user\n pool.

    \n

    You can use this operation to provide the Amazon Resource Name (ARN) of a new\n certificate to Amazon Cognito. You can't use it to change the domain for a user pool.

    \n

    A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and\n sign-in pages for your application. When you set up a custom domain, you provide a\n certificate that you manage with Certificate Manager (ACM). When necessary, you can use this\n operation to change the certificate that you applied to your custom domain.

    \n

    Usually, this is unnecessary following routine certificate renewal with ACM. When\n you renew your existing certificate in ACM, the ARN for your certificate remains the\n same, and your custom domain uses the new certificate automatically.

    \n

    However, if you replace your existing certificate with a new one, ACM gives the new\n certificate a new ARN. To apply the new certificate to your custom domain, you must\n provide this ARN to Amazon Cognito.

    \n

    When you add your new certificate in ACM, you must choose US East (N. Virginia) as\n the Amazon Web Services Region.

    \n

    After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new\n certificate to your custom domain.

    \n

    For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.

    " + "smithy.api#documentation": "

    Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user\n pool.

    \n

    You can use this operation to provide the Amazon Resource Name (ARN) of a new\n certificate to Amazon Cognito. You can't use it to change the domain for a user pool.

    \n

    A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and\n sign-in pages for your application. When you set up a custom domain, you provide a\n certificate that you manage with Certificate Manager (ACM). When necessary, you can use this\n operation to change the certificate that you applied to your custom domain.

    \n

    Usually, this is unnecessary following routine certificate renewal with ACM. When\n you renew your existing certificate in ACM, the ARN for your certificate remains the\n same, and your custom domain uses the new certificate automatically.

    \n

    However, if you replace your existing certificate with a new one, ACM gives the new\n certificate a new ARN. To apply the new certificate to your custom domain, you must\n provide this ARN to Amazon Cognito.

    \n

    When you add your new certificate in ACM, you must choose US East (N. Virginia) as\n the Amazon Web Services Region.

    \n

    After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new\n certificate to your custom domain.

    \n

    For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n     " } }, "com.amazonaws.cognitoidentityprovider#UpdateUserPoolDomainRequest": { @@ -13732,7 +13979,7 @@ "DeviceConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#DeviceConfigurationType", "traits": { - "smithy.api#documentation": "

    The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

    \n \n

    When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

    \n     " + "smithy.api#documentation": "

    The device-remembering configuration for a user pool. A null value indicates that you\n have deactivated device remembering in your user pool.

    \n \n

    When you provide a value for any DeviceConfiguration field, you\n activate the Amazon Cognito device-remembering feature.

    \n     " } }, "EmailConfiguration": { @@ -13762,7 +14009,7 @@ "UserPoolAddOns": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolAddOnsType", "traits": { - "smithy.api#documentation": "

    Enables advanced security risk detection. Set the key\n AdvancedSecurityMode to the value \"AUDIT\".

    " + "smithy.api#documentation": "

    User pool add-ons. Contains settings for activation of advanced security features. To\n log user security information but take no action, set to AUDIT. To\n configure automatic security responses to risky traffic to your user pool, set to\n ENFORCED.

    \n

    For more information, see Adding advanced security to a user pool.

    " } }, "AccountRecoverySetting": { @@ -13791,7 +14038,7 @@ "AttributesRequireVerificationBeforeUpdate": { "target": "com.amazonaws.cognitoidentityprovider#AttributesRequireVerificationBeforeUpdateType", "traits": { - "smithy.api#documentation": "

    Requires that your user verifies their email address, phone number, or both before \n Amazon Cognito updates the value of that attribute. When you update a user attribute that has \n this option activated, Amazon Cognito sends a verification message to the new phone number or \n email address. Amazon Cognito doesn’t change the value of the attribute until your user responds \n to the verification message and confirms the new value.

    \n

    You can verify an updated email address or phone number with a VerifyUserAttribute API request. You can also call the UpdateUserAttributes or AdminUpdateUserAttributes API and set email_verified or\n phone_number_verified to true.

    \n

    When AttributesRequireVerificationBeforeUpdate is false, your user pool\n doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a\n user pool where AttributesRequireVerificationBeforeUpdate is false, API\n operations that change attribute values can immediately update a user’s\n email or phone_number attribute.

    " + "smithy.api#documentation": "

    Requires that your user verifies their email address, phone number, or both before\n Amazon Cognito updates the value of that attribute. When you update a user attribute that has\n this option activated, Amazon Cognito sends a verification message to the new phone number or\n email address. Amazon Cognito doesn’t change the value of the attribute until your user responds\n to the verification message and confirms the new value.

    \n

    You can verify an updated email address or phone number with a VerifyUserAttribute API request. You can also call the AdminUpdateUserAttributes API and set email_verified or\n phone_number_verified to true.

    \n

    When AttributesRequireVerificationBeforeUpdate is false, your user pool\n doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a\n user pool where AttributesRequireVerificationBeforeUpdate is false, API\n operations that change attribute values can immediately update a user’s\n email or phone_number attribute.

    " } } }, @@ -13816,8 +14063,7 @@ } }, "traits": { - "smithy.api#documentation": "

    Contextual data, such as the user's device fingerprint, IP address, or location, used\n for evaluating the risk of an unexpected event by Amazon Cognito advanced\n security.

    ", - "smithy.api#sensitive": {} + "smithy.api#documentation": "

    Contextual data, such as the user's device fingerprint, IP address, or location, used\n for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

    " } }, "com.amazonaws.cognitoidentityprovider#UserFilterType": { @@ -13948,7 +14194,7 @@ "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user import job was created.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } }, "StartDate": { @@ -14092,13 +14338,13 @@ "AdvancedSecurityMode": { "target": "com.amazonaws.cognitoidentityprovider#AdvancedSecurityModeType", "traits": { - "smithy.api#documentation": "

    The advanced security mode.

    ", + "smithy.api#documentation": "

    The operating mode of advanced security features in your user pool.

    ", "smithy.api#required": {} } } }, "traits": { - "smithy.api#documentation": "

    The user pool add-ons type.

    " + "smithy.api#documentation": "

    User pool add-ons. Contains settings for activation of advanced security features. To\n log user security information but take no action, set to AUDIT. To\n configure automatic security responses to risky traffic to your user pool, set to\n ENFORCED.

    \n

    For more information, see Adding advanced security to a user pool.

    " } }, "com.amazonaws.cognitoidentityprovider#UserPoolClientDescription": { @@ -14163,13 +14409,13 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user pool client was last modified.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user pool client was created.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } }, "RefreshTokenValidity": { @@ -14188,7 +14434,7 @@ "IdTokenValidity": { "target": "com.amazonaws.cognitoidentityprovider#IdTokenValidityType", "traits": { - "smithy.api#documentation": "

    The ID token time limit. After this limit expires, your user can't use \n their ID token. To specify the time unit for IdTokenValidity as \n seconds, minutes, hours, or days, \n set a TokenValidityUnits value in your API request.

    \n

    For example, when you set IdTokenValidity as 10 and\n TokenValidityUnits as hours, your user can authenticate their \n session with their ID token for 10 hours.

    \n

    The default time unit for AccessTokenValidity in an API request is hours. \n Valid range is displayed below in seconds.

    \n

    If you don't specify otherwise in the configuration of your app client, your ID\n tokens are valid for one hour.

    " + "smithy.api#documentation": "

    The ID token time limit. After this limit expires, your user can't use \n their ID token. To specify the time unit for IdTokenValidity as \n seconds, minutes, hours, or days, \n set a TokenValidityUnits value in your API request.

    \n

    For example, when you set IdTokenValidity as 10 and\n TokenValidityUnits as hours, your user can authenticate their \n session with their ID token for 10 hours.

    \n

    The default time unit for IdTokenValidity in an API request is hours. \n Valid range is displayed below in seconds.

    \n

    If you don't specify otherwise in the configuration of your app client, your ID\n tokens are valid for one hour.

    " } }, "TokenValidityUnits": { @@ -14218,7 +14464,7 @@ "SupportedIdentityProviders": { "target": "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType", "traits": { - "smithy.api#documentation": "

    A list of provider names for the IdPs that this client supports. The following are\n supported: COGNITO, Facebook, Google, SignInWithApple,\n LoginWithAmazon, and the names of your own SAML and OIDC providers.

    " + "smithy.api#documentation": "

    A list of provider names for the IdPs that this client supports. The following are\n supported: COGNITO, Facebook, Google,\n SignInWithApple, LoginWithAmazon, and the names of your\n own SAML and OIDC providers.

    " } }, "CallbackURLs": { @@ -14255,7 +14501,7 @@ "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": null, - "smithy.api#documentation": "

    Set to true if the client is allowed to follow the OAuth protocol when interacting\n with Amazon Cognito user pools.

    " + "smithy.api#documentation": "

    Set to true to use OAuth 2.0 features in your user pool app client.

    \n

    \n AllowedOAuthFlowsUserPoolClient must be true before you can configure \n the following features in your app client.

    \n
      \n
    • \n

      \n CallBackURLs: Callback URLs.

      \n
      • \n
    • \n

      \n LogoutURLs: Sign-out redirect URLs.

      \n
      • \n
    • \n

      \n AllowedOAuthScopes: OAuth 2.0 scopes.

      \n
      • \n
    • \n

      \n AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

      \n
      • \n
    \n

    To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set \n AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or \n UpdateUserPoolClient API request. If you don't set a value for \n AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults \n to false.

    " } }, "AnalyticsConfiguration": { @@ -14323,13 +14569,13 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user pool description was last modified.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user pool description was created.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } } }, @@ -14470,19 +14716,19 @@ "LastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user pool was last modified.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "CreationDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The date the user pool was created.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was created.

    " } }, "SchemaAttributes": { "target": "com.amazonaws.cognitoidentityprovider#SchemaAttributesListType", "traits": { - "smithy.api#documentation": "

    A container with the schema attributes of a user pool.

    " + "smithy.api#documentation": "

    A list of the user attributes and their properties in your user pool. The attribute\n schema contains standard attributes, custom attributes with a custom:\n prefix, and developer attributes with a dev: prefix. For more information,\n see User pool\n attributes.

    \n

    Developer-only attributes are a legacy feature of user pools, are read-only to all app\n clients. You can create and update developer-only attributes only with IAM-authenticated\n API operations. Use app client read/write permissions instead.

    " } }, "AutoVerifiedAttributes": { @@ -14548,7 +14794,7 @@ "DeviceConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#DeviceConfigurationType", "traits": { - "smithy.api#documentation": "

    The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.

    \n \n

    When you provide a value for any DeviceConfiguration field, you activate the Amazon Cognito device-remembering feature.

    \n     " + "smithy.api#documentation": "

    The device-remembering configuration for a user pool. A null value indicates that you\n have deactivated device remembering in your user pool.

    \n \n

    When you provide a value for any DeviceConfiguration field, you\n activate the Amazon Cognito device-remembering feature.

    \n     " } }, "EstimatedNumberOfUsers": { @@ -14561,7 +14807,7 @@ "EmailConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#EmailConfigurationType", "traits": { - "smithy.api#documentation": "

    The email configuration of your user pool. The email configuration type sets your\n preferred sending method, Amazon Web Services Region, and sender for messages tfrom your user\n pool.

    " + "smithy.api#documentation": "

    The email configuration of your user pool. The email configuration type sets your\n preferred sending method, Amazon Web Services Region, and sender for messages from your user\n pool.

    " } }, "SmsConfiguration": { @@ -14579,7 +14825,7 @@ "SmsConfigurationFailure": { "target": "com.amazonaws.cognitoidentityprovider#StringType", "traits": { - "smithy.api#documentation": "

    The reason why the SMS configuration can't send the messages to your users.

    \n

    This message might include comma-separated values to describe why your SMS\n configuration can't send messages to user pool end users.

    \n
    \n
    InvalidSmsRoleAccessPolicyException
    \n
    \n

    The Identity and Access Management role that Amazon Cognito uses to send SMS messages isn't properly\n configured. For more information, see SmsConfigurationType.

    \n
    \n
    SNSSandbox
    \n
    \n

    The Amazon Web Services account is in the SNS SMS Sandbox and messages will\n only reach verified end users. This parameter won’t get populated with\n SNSSandbox if the IAM user creating the user pool doesn’t have SNS\n permissions. To learn how to move your Amazon Web Services account out of the\n sandbox, see Moving out\n of the SMS sandbox.

    \n
    \n
    " + "smithy.api#documentation": "

    The reason why the SMS configuration can't send the messages to your users.

    \n

    This message might include comma-separated values to describe why your SMS\n configuration can't send messages to user pool end users.

    \n
    \n
    InvalidSmsRoleAccessPolicyException
    \n
    \n

    The Identity and Access Management role that Amazon Cognito uses to send SMS messages isn't properly\n configured. For more information, see SmsConfigurationType.

    \n
    \n
    SNSSandbox
    \n
    \n

    The Amazon Web Services account is in the SNS SMS Sandbox and messages will\n only reach verified end users. This parameter won’t get populated with\n SNSSandbox if the user creating the user pool doesn’t have SNS permissions.\n To learn how to move your Amazon Web Services account out of the sandbox, see\n Moving out\n of the SMS sandbox.

    \n
    \n
    " } }, "EmailConfigurationFailure": { @@ -14609,7 +14855,7 @@ "UserPoolAddOns": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolAddOnsType", "traits": { - "smithy.api#documentation": "

    The user pool add-ons.

    " + "smithy.api#documentation": "

    User pool add-ons. Contains settings for activation of advanced security features. To\n log user security information but take no action, set to AUDIT. To\n configure automatic security responses to risky traffic to your user pool, set to\n ENFORCED.

    \n

    For more information, see Adding advanced security to a user pool.

    " } }, "UsernameConfiguration": { @@ -14706,7 +14952,7 @@ "UserLastModifiedDate": { "target": "com.amazonaws.cognitoidentityprovider#DateType", "traits": { - "smithy.api#documentation": "

    The last modified date of the user.

    " + "smithy.api#documentation": "

    The date and time, in ISO 8601 format, when the item was modified.

    " } }, "Enabled": { @@ -14719,7 +14965,7 @@ "UserStatus": { "target": "com.amazonaws.cognitoidentityprovider#UserStatusType", "traits": { - "smithy.api#documentation": "

    The user status. This can be one of the following:

    \n
      \n
    • \n

      UNCONFIRMED - User has been created but not confirmed.

      \n
      • \n
    • \n

      CONFIRMED - User has been confirmed.

      \n
      • \n
    • \n

      EXTERNAL_PROVIDER - User signed in with a third-party IdP.

      \n
      • \n
    • \n

      ARCHIVED - User is no longer active.

      \n
      • \n
    • \n

      UNKNOWN - User status isn't known.

      \n
      • \n
    • \n

      RESET_REQUIRED - User is confirmed, but the user must request a code and reset\n their password before they can sign in.

      \n
      • \n
    • \n

      FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a\n temporary password, but on first sign-in, the user must change their password to\n a new value before doing anything else.

      \n
      • \n
    " + "smithy.api#documentation": "

    The user status. This can be one of the following:

    \n
      \n
    • \n

      UNCONFIRMED - User has been created but not confirmed.

      \n
      • \n
    • \n

      CONFIRMED - User has been confirmed.

      \n
      • \n
    • \n

      EXTERNAL_PROVIDER - User signed in with a third-party IdP.

      \n
      • \n
    • \n

      UNKNOWN - User status isn't known.

      \n
      • \n
    • \n

      RESET_REQUIRED - User is confirmed, but the user must request a code and reset\n their password before they can sign in.

      \n
      • \n
    • \n

      FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a\n temporary password, but on first sign-in, the user must change their password to\n a new value before doing anything else.

      \n
      • \n
    " } }, "MFAOptions": { @@ -14762,7 +15008,7 @@ "CaseSensitive": { "target": "com.amazonaws.cognitoidentityprovider#WrappedBooleanType", "traits": { - "smithy.api#documentation": "

    Specifies whether user name case sensitivity will be applied for all users in the user\n pool through Amazon Cognito APIs.

    \n

    Valid values include:

    \n
    \n
    True
    \n
    \n

    Enables case sensitivity for all username input. When this option is set\n to True, users must sign in using the exact capitalization of\n their given username, such as “UserName”. This is the default value.

    \n
    \n
    False
    \n
    \n

    Enables case insensitivity for all username input. For example, when this\n option is set to False, users can sign in using either\n \"username\" or \"Username\". This option also enables both\n preferred_username and email alias to be case\n insensitive, in addition to the username attribute.

    \n
    \n
    ", + "smithy.api#documentation": "

    Specifies whether user name case sensitivity will be applied for all users in the user\n pool through Amazon Cognito APIs. For most use cases, set case sensitivity to False\n (case insensitive) as a best practice. When usernames and email addresses are case\n insensitive, users can sign in as the same user when they enter a different\n capitalization of their user name.

    \n

    Valid values include:

    \n
    \n
    True
    \n
    \n

    Enables case sensitivity for all username input. When this option is set\n to True, users must sign in using the exact capitalization of\n their given username, such as “UserName”. This is the default value.

    \n
    \n
    False
    \n
    \n

    Enables case insensitivity for all username input. For example, when this\n option is set to False, users can sign in using\n username, USERNAME, or UserName.\n This option also enables both preferred_username and\n email alias to be case insensitive, in addition to the\n username attribute.

    \n
    \n
    ", "smithy.api#required": {} } } @@ -14921,7 +15167,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Use this API to register a user's entered time-based one-time password (TOTP) code and\n mark the user's software token MFA status as \"verified\" if successful. The request takes\n an access token or a session string, but not both.

    " + "smithy.api#documentation": "

    Use this API to register a user's entered time-based one-time password (TOTP) code and\n mark the user's software token MFA status as \"verified\" if successful. The request takes\n an access token or a session string, but not both.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     " } }, "com.amazonaws.cognitoidentityprovider#VerifySoftwareTokenRequest": { @@ -15045,7 +15291,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Verifies the specified user attributes in the user pool.

    \n

    \n If your user pool requires verification before Amazon Cognito updates the attribute value, \n VerifyUserAttribute updates the affected attribute to its pending value. For more information, \n see \n UserAttributeUpdateSettingsType.\n

    ", + "smithy.api#documentation": "

    Verifies the specified user attributes in the user pool.

    \n

    If your user pool requires verification before Amazon Cognito updates the attribute value,\n VerifyUserAttribute updates the affected attribute to its pending value. For more\n information, see UserAttributeUpdateSettingsType.

    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.

    \n     ", "smithy.api#optionalAuth": {} } },