OpenMCF logoOpenMCF

Loading...

AWS Cognito User Pool

Deploys an AWS Cognito User Pool with bundled app clients and an optional hosted UI domain. Provides managed user directory services, password-based authentication with configurable MFA, email verification, custom user attributes, and Lambda trigger hooks -- enabling OAuth 2.0 / OIDC token-based authentication for web and mobile applications.

What Gets Created

When you deploy an AwsCognitoUserPool resource, OpenMCF provisions:

  • Cognito User Pool -- an aws_cognito_user_pool resource with the configured identity model, password policy, MFA settings, email delivery, and optional Lambda triggers
  • App Client(s) -- one aws_cognito_user_pool_client per entry in spec.clients, each with its own OAuth flows, scopes, token validity, and security settings
  • User Pool Domain -- created only when spec.domain is set, an aws_cognito_user_pool_domain that enables the hosted sign-in UI and OAuth2 endpoints (Authorization, Token, UserInfo)

Prerequisites

  • AWS credentials configured via environment variables or OpenMCF provider config
  • An ACM certificate in us-east-1 if configuring a custom domain (Cognito uses CloudFront for custom domains)
  • A verified SES identity if using emailConfiguration.emailSendingAccount: DEVELOPER for production email volumes
  • Lambda function(s) with cognito-idp.amazonaws.com invoke permission if configuring Lambda triggers

Quick Start

Create a file cognito.yaml:

apiVersion: aws.openmcf.org/v1
kind: AwsCognitoUserPool
metadata:
  name: my-auth
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsCognitoUserPool.my-auth
spec:
  region: us-east-1
  usernameAttributes:
    - email
  autoVerifiedAttributes:
    - email
  clients:
    - name: web-app
      explicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH

Deploy:

openmcf apply -f cognito.yaml

This creates a user pool where users sign in with their email address, email is auto-verified on sign-up, and a single app client supports SRP authentication with refresh tokens.

Configuration Reference

Required Fields

FieldTypeDescriptionValidation
regionstringThe AWS region where the Cognito User Pool will be created (e.g., us-east-1).Required
clientsAwsCognitoUserPoolClient[]App clients that authenticate against this pool. At least one required.Minimum 1 item
clients[].namestringClient name, used as key in client_ids and client_secrets output maps. Must be unique across all clients.1-128 characters

Optional Fields

FieldTypeDefaultDescription
usernameAttributesstring[][]Attributes used as username: "email", "phone_number". Mutually exclusive with aliasAttributes. ForceNew.
aliasAttributesstring[][]Alias identifiers: "email", "phone_number", "preferred_username". Mutually exclusive with usernameAttributes. ForceNew.
usernameCaseSensitiveboolfalseCase-sensitive usernames. ForceNew.
passwordPolicy.minimumLengthint8 (AWS default)Minimum password length. Range: 6-99.
passwordPolicy.requireLowercaseboolfalseRequire lowercase letter.
passwordPolicy.requireUppercaseboolfalseRequire uppercase letter.
passwordPolicy.requireNumbersboolfalseRequire digit.
passwordPolicy.requireSymbolsboolfalseRequire special character.
passwordPolicy.temporaryPasswordValidityDaysint7 (AWS default)Days until admin-created temporary passwords expire. Range: 0-365.
mfaConfigurationstring"OFF"MFA enforcement: "OFF", "OPTIONAL", "ON".
softwareTokenMfaEnabledboolfalseEnable TOTP authenticator app MFA. Requires mfaConfiguration not "OFF".
autoVerifiedAttributesstring[][]Auto-verify on sign-up: "email", "phone_number".
accountRecoveryMechanismsobject[][]Recovery methods with .name ("verified_email", "verified_phone_number", "admin_only") and .priority (1-2).
emailConfiguration.emailSendingAccountstring"COGNITO_DEFAULT"Email mode: "COGNITO_DEFAULT" (50/day sandbox) or "DEVELOPER" (SES).
emailConfiguration.sourceArnStringValueOrRef—SES identity ARN. Required for "DEVELOPER" mode.
emailConfiguration.fromEmailAddressstring—"From" address for DEVELOPER mode.
emailConfiguration.replyToEmailAddressstring—Reply-to address.
emailConfiguration.configurationSetstring—SES configuration set for delivery metrics.
allowAdminCreateUserOnlyboolfalseDisable self-registration.
deletionProtectionboolfalsePrevent accidental pool deletion.
customAttributesobject[][]Custom user attributes. See README for schema fields.
lambdaConfig.preSignUpStringValueOrRef—Lambda ARN for pre-sign-up hook. Can reference AwsLambda via valueFrom.
lambdaConfig.preAuthenticationStringValueOrRef—Lambda ARN for pre-authentication hook.
lambdaConfig.postAuthenticationStringValueOrRef—Lambda ARN for post-authentication hook.
lambdaConfig.postConfirmationStringValueOrRef—Lambda ARN for post-confirmation hook.
lambdaConfig.preTokenGenerationStringValueOrRef—Lambda ARN for pre-token-generation hook.
lambdaConfig.customMessageStringValueOrRef—Lambda ARN for custom message hook.
lambdaConfig.userMigrationStringValueOrRef—Lambda ARN for user migration hook.
lambdaConfig.defineAuthChallengeStringValueOrRef—Lambda ARN for define-auth-challenge hook.
lambdaConfig.createAuthChallengeStringValueOrRef—Lambda ARN for create-auth-challenge hook.
lambdaConfig.verifyAuthChallengeResponseStringValueOrRef—Lambda ARN for verify-auth-challenge-response hook.
clients[].generateSecretboolfalseGenerate client secret. ForceNew. True for server-side apps, false for SPAs/mobile.
clients[].allowedOauthFlowsUserPoolClientboolfalseEnable OAuth flows for this client.
clients[].allowedOauthFlowsstring[][]OAuth grant types: "code", "implicit", "client_credentials".
clients[].allowedOauthScopesstring[][]OAuth scopes: "openid", "email", "profile", custom scopes.
clients[].callbackUrlsstring[][]OAuth redirect URIs after authentication.
clients[].logoutUrlsstring[][]Redirect URIs after sign-out.
clients[].defaultRedirectUristring—Default callback URL (must be in callbackUrls).
clients[].supportedIdentityProvidersstring[]—Identity providers: "COGNITO", social provider names.
clients[].explicitAuthFlowsstring[][]Auth APIs: "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", etc.
clients[].accessTokenValidityMinutesint60Access token TTL in minutes. Range: 5-1440.
clients[].idTokenValidityMinutesint60ID token TTL in minutes. Range: 5-1440.
clients[].refreshTokenValidityDaysint30Refresh token TTL in days. Range: 1-3650.
clients[].enableTokenRevocationboolfalseRevoke tokens on sign-out.
clients[].preventUserExistenceErrorsstring—"ENABLED" prevents user enumeration attacks. "LEGACY" for backward compatibility.
domain.domainstring—Cognito prefix (e.g., "myapp-auth") or custom FQDN (e.g., "auth.example.com"). ForceNew.
domain.certificateArnStringValueOrRef—ACM cert ARN for custom domains. Required when domain contains a dot. Must be in us-east-1. Can reference AwsCertManagerCert via valueFrom.

Examples

Email Sign-In with OAuth Hosted UI

A web application using the Cognito-hosted sign-in page with Authorization Code flow:

apiVersion: aws.openmcf.org/v1
kind: AwsCognitoUserPool
metadata:
  name: webapp-auth
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme
    pulumi.openmcf.org/project: webapp
    pulumi.openmcf.org/stack.name: staging.AwsCognitoUserPool.webapp-auth
spec:
  region: us-east-1
  usernameAttributes:
    - email
  passwordPolicy:
    minimumLength: 10
    requireLowercase: true
    requireUppercase: true
    requireNumbers: true
  autoVerifiedAttributes:
    - email
  accountRecoveryMechanisms:
    - name: verified_email
      priority: 1
  clients:
    - name: web-app
      allowedOauthFlowsUserPoolClient: true
      allowedOauthFlows:
        - code
      allowedOauthScopes:
        - openid
        - email
        - profile
      callbackUrls:
        - https://staging.example.com/callback
      logoutUrls:
        - https://staging.example.com/logout
      explicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      enableTokenRevocation: true
      preventUserExistenceErrors: ENABLED
  domain:
    domain: acme-staging-auth

Production with MFA and Multiple Clients

A hardened production pool with optional MFA, SES email, a public SPA client and a confidential server client:

apiVersion: aws.openmcf.org/v1
kind: AwsCognitoUserPool
metadata:
  name: prod-auth
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme
    pulumi.openmcf.org/project: platform
    pulumi.openmcf.org/stack.name: prod.AwsCognitoUserPool.prod-auth
spec:
  region: us-east-1
  usernameAttributes:
    - email
  passwordPolicy:
    minimumLength: 12
    requireLowercase: true
    requireUppercase: true
    requireNumbers: true
    requireSymbols: true
    temporaryPasswordValidityDays: 3
  mfaConfiguration: OPTIONAL
  softwareTokenMfaEnabled: true
  autoVerifiedAttributes:
    - email
  accountRecoveryMechanisms:
    - name: verified_email
      priority: 1
  emailConfiguration:
    emailSendingAccount: DEVELOPER
    sourceArn: "arn:aws:ses:us-east-1:123456789012:identity/noreply@example.com"
    fromEmailAddress: "Acme <noreply@example.com>"
  deletionProtection: true
  clients:
    - name: web-spa
      allowedOauthFlowsUserPoolClient: true
      allowedOauthFlows:
        - code
      allowedOauthScopes:
        - openid
        - email
        - profile
      callbackUrls:
        - https://app.example.com/callback
      logoutUrls:
        - https://app.example.com/logout
      explicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      accessTokenValidityMinutes: 60
      idTokenValidityMinutes: 60
      refreshTokenValidityDays: 30
      enableTokenRevocation: true
      preventUserExistenceErrors: ENABLED
    - name: api-server
      generateSecret: true
      allowedOauthFlowsUserPoolClient: true
      allowedOauthFlows:
        - client_credentials
      allowedOauthScopes:
        - api/read
        - api/write
      accessTokenValidityMinutes: 30
      enableTokenRevocation: true
  domain:
    domain: acme-prod-auth

API Gateway JWT Integration (valueFrom Pattern)

Shows how an AwsHttpApiGateway references this pool's endpoint and client ID for JWT authorization:

apiVersion: aws.openmcf.org/v1
kind: AwsHttpApiGateway
metadata:
  name: my-api
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme
    pulumi.openmcf.org/project: platform
    pulumi.openmcf.org/stack.name: prod.AwsHttpApiGateway.my-api
spec:
  routes:
    - routeKey: "GET /users"
      integration:
        integrationType: AWS_PROXY
        integrationUri:
          valueFrom:
            kind: AwsLambda
            name: get-users
            fieldPath: status.outputs.function_arn
      authorizationType: JWT
      authorizerName: cognito
  authorizers:
    - name: cognito
      authorizerType: JWT
      jwtConfiguration:
        issuer:
          valueFrom:
            kind: AwsCognitoUserPool
            name: prod-auth
            fieldPath: status.outputs.user_pool_endpoint
        audiences:
          - valueFrom:
              kind: AwsCognitoUserPool
              name: prod-auth
              fieldPath: status.outputs.client_ids.web-spa

Stack Outputs

OutputTypeDescription
user_pool_idstringUser pool identifier (e.g., us-east-1_Ab1Cd2EfG). Used in SDK configurations and IAM policies.
user_pool_arnstringUser pool ARN. Used in IAM policies and cross-service permissions.
user_pool_endpointstringOIDC issuer endpoint URL. Used as the JWT issuer in API Gateway authorizers.
user_pool_domainstringFull hosted UI domain URL. Empty when no domain is configured.
cloudfront_distribution_arnstringCloudFront distribution ARN for custom domains. Used for Route53 alias records. Empty for prefix domains.
client_idsmap<string, string>Map of client name to client ID. Access specific clients via client_ids.{name}.
client_secretsmap<string, string>Map of client name to client secret. Only populated for clients with generateSecret: true. Sensitive.

Related Components

  • AWS Lambda -- Lambda functions for Cognito triggers (pre-sign-up, post-confirmation, pre-token-generation)
  • AWS HTTP API Gateway -- uses user_pool_endpoint as JWT issuer and client_ids as audiences for JWT authorization
  • AWS ACM Certificate -- ACM certificate for custom domains (must be in us-east-1)
  • AWS IAM Role -- execution roles for Lambda triggers

Next article

AWS DocumentDB

AWS DocumentDB Deploys an AWS DocumentDB cluster (MongoDB-compatible) with automatic subnet group creation, managed security group configuration, configurable cluster instances, and optional parameter group customization. The component provisions both the cluster and its instances in a single resource definition. What Gets Created When you deploy an AwsDocumentDb resource, OpenMCF provisions: DocumentDB Cluster — a docdb.Cluster with the docdb engine at the specified version, encryption...
Read next article
Presets
3 ready-to-deploy configurationsView presets →