Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Fullstack TypeScript

Write your app's data model, auth, storage, and functions in TypeScript; Amplify will do the rest.

Built with the AWS CDK

Use any cloud resource your app needs. Never worry about scale.

Back to Gen 1 DocsLearn more

Choose your framework/language

Edit on GitHub

Page updated May 1, 2024

Grant access to auth resources

Amplify Auth can be defined with an access property, which allows other resources to interact with auth by specifying actions.

amplify/auth/resource.ts
1import { defineAuth } from "@aws-amplify/backend"
2import { addUserToGroup } from "../functions/add-user-to-group/resource"
3

4/**
5 * Define and configure your auth resource
6 * @see https://docs.amplify.aws/gen2/build-a-backend/auth
7 */
8export const auth = defineAuth({
9  loginWith: {
10    email: true,
11  },
12  access: (allow) => [
13    allow.resource(addUserToGroup).to(["addUserToGroup"])
14  ],
15})

When you grant a function access to another resource in your Amplify backend it will configure environment variables for that function to make SDK calls to the AWS services it has access to. Those environment variables are typed and available as part of the env object.

List of actions

Action NameDescriptionCognito IAM Actions
manageUsersGrants CRUD access to users in the UserPool
  • cognito-idp:AdminConfirmSignUp
  • cognito-idp:AdminCreateUser
  • cognito-idp:AdminDeleteUser
  • cognito-idp:AdminDeleteUserAttributes
  • cognito-idp:AdminDisableUser
  • cognito-idp:AdminEnableUser
  • cognito-idp:AdminGetUser
  • cognito-idp:AdminListGroupsForUser
  • cognito-idp:AdminRespondToAuthChallenge
  • cognito-idp:AdminSetUserMFAPreference
  • cognito-idp:AdminSetUserSettings
  • cognito-idp:AdminUpdateUserAttributes
  • cognito-idp:AdminUserGlobalSignOut
manageGroupMembershipGrants permission to add and remove users from groups
  • cognito-idp:AdminAddUserToGroup
  • cognito-idp:AdminRemoveUserFromGroup
manageUserDevicesManages devices registered to users
  • cognito-idp:AdminForgetDevice
  • cognito-idp:AdminGetDevice
  • cognito-idp:AdminListDevices
  • cognito-idp:AdminUpdateDeviceStatus
managePasswordRecoveryGrants permission to reset user passwords
  • cognito-idp:AdminResetUserPassword
  • cognito-idp:AdminSetUserPassword
addUserToGroupGrants permission to add any user to any group.
  • cognito-idp:AdminAddUserToGroup
createUserGrants permission to create new users and send welcome messages via email or SMS.
  • cognito-idp:AdminCreateUser
deleteUserGrants permission to delete any user
  • cognito-idp:AdminDeleteUser
deleteUserAttributesGrants permission to delete attributes from any user
  • cognito-idp:AdminDeleteUserAttributes
disableUserGrants permission to deactivate any user
  • cognito-idp:AdminDisableUser
enableUserGrants permission to activate any user
  • cognito-idp:AdminEnableUser
forgetDeviceGrants permission to deregister any user's devices
  • cognito-idp:AdminForgetDevice
getDeviceGrants permission to get information about any user's devices
  • cognito-idp:AdminGetDevice
getUserGrants permission to look up any user by user name
  • cognito-idp:AdminGetUser
listDevicesGrants permission to list any user's remembered devices
  • cognito-idp:AdminListDevices
listGroupsForUserGrants permission to list the groups that any user belongs to
  • cognito-idp:AdminListGroupsForUser
removeUserFromGroupGrants permission to remove any user from any group
  • cognito-idp:AdminRemoveUserFromGroup
resetUserPasswordGrants permission to reset any user's password
  • cognito-idp:AdminResetUserPassword
setUserMfaPreferenceGrants permission to set any user's preferred MFA method
  • cognito-idp:AdminSetUserMFAPreference
setUserPasswordGrants permission to set any user's password
  • cognito-idp:AdminSetUserPassword
setUserSettingsGrants permission to set user settings for any user
  • cognito-idp:AdminSetUserSettings
updateDeviceStatusGrants permission to update the status of any user's remembered devices
  • cognito-idp:AdminUpdateDeviceStatus
updateUserAttributesGrants permission to updates any user's standard or custom attributes
  • cognito-idp:AdminUpdateUserAttributes
PREVIOUS
Customize auth lifecycle
NEXT
Modify Amplify-generated Cognito resources with CDK
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.