Page updated Mar 26, 2024

Grant access to auth resources

Under active development: The Authentication experience for Amplify Gen 2 is under active development. The experience may change between versions of @aws-amplify/backend. Try it out and provide feedback at https://github.com/aws-amplify/amplify-backend/issues/new/choose

Grant function access

You can grant a backend function access to authentication resources. This lets the function perform administrative operations on the UserPool, such as creating users, handling user password recovery, or adding users to groups. Because these are admin-level Cognito actions, grant only the actions the function actually needs (see the list of actions below).

amplify/function/my-demo-function/resource.ts

import { defineFunction } from '@aws-amplify/backend';

export const demoFunction = defineFunction({});

amplify/auth/resource.ts

import { defineAuth } from '@aws-amplify/backend';
import { demoFunction } from '../function/my-demo-function/resource';

export const auth = defineAuth({
  name: 'myProjectFiles',
  loginWith: { email: true },
  // Grant demoFunction the 'manageUsers' action set on this UserPool
  access: (allow) => [
    allow.resource(demoFunction).to(['manageUsers']),
  ],
});

This grants demoFunction the ability to perform CRUD operations on users in the Cognito UserPool created as part of defineAuth. See below for the detailed list of permissions each action maps to.

When a backend function is granted access to authentication resources, it also receives an environment variable containing the UserPool ID. The function can use this variable to make SDK calls against the UserPool. The environment variable is named amplifyAuth_USERPOOL_ID.

amplify/functions/my-demo-function/handler.ts

import { CognitoIdentityProviderClient, ListUsersCommand } from '@aws-sdk/client-cognito-identity-provider';
import { env } from '@env/my-demo-function';

// The function's execution role carries the permissions granted in defineAuth,
// so no explicit credentials are configured here.
const cognitoIdentityProviderClient = new CognitoIdentityProviderClient();

export const handler = async (event) => {
  // amplifyAuth_USERPOOL_ID is injected by the access grant in amplify/auth/resource.ts
  await cognitoIdentityProviderClient.send(
    new ListUsersCommand({
      UserPoolId: env.amplifyAuth_USERPOOL_ID,
      Limit: 100,
    }),
  );
};

Learn more about function resource access environment variables
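The snippet above shows a function that was handed the broad manageUsers action set. The following is an added example, not code from the Amplify docs or the Amplify project, of how to write the handler side when the function is instead granted a single narrow action (allow.resource(demoFunction).to(['addUserToGroup'])): it fails fast if amplifyAuth_USERPOOL_ID is missing, validates the incoming event, and refuses to assign any group outside an allowlist, so the IAM grant and the code both enforce least privilege. The CognitoAdminClient interface, the RecordingClient, the ASSIGNABLE_GROUPS allowlist and the username pattern are all assumptions made for this example; in a deployed function you would wrap CognitoIdentityProviderClient and AdminAddUserToGroupCommand from @aws-sdk/client-cognito-identity-provider behind the same interface.

```typescript
// Added example (not from the Amplify docs): defensive handler for a function that was
// granted only the 'addUserToGroup' action in defineAuth.

// Minimal abstraction over the Cognito admin call (assumption, so the example runs offline).
// In production, implement this with CognitoIdentityProviderClient + AdminAddUserToGroupCommand.
export interface AddUserToGroupInput {
  UserPoolId: string;
  Username: string;
  GroupName: string;
}
export interface CognitoAdminClient {
  adminAddUserToGroup(input: AddUserToGroupInput): Promise<void>;
}

// Shape of the event this function expects; fields are unknown until validated.
export interface AddToGroupEvent {
  username?: unknown;
  groupName?: unknown;
}

// Hypothetical allowlist: even though IAM permits adding a user to *any* group,
// this function will only ever assign these two.
export const ASSIGNABLE_GROUPS: ReadonlySet<string> = new Set(['EDITORS', 'VIEWERS']);

// Constructed username pattern: bounded length and a conservative character set.
const USERNAME_RE = /^[A-Za-z0-9@._+-]{1,128}$/;

// Read the UserPool ID the access grant injects; fail fast if the grant is missing.
export function resolveUserPoolId(env: Record<string, string | undefined>): string {
  const id = env.amplifyAuth_USERPOOL_ID;
  if (!id) {
    throw new Error('amplifyAuth_USERPOOL_ID is not set: was access granted in defineAuth?');
  }
  return id;
}

// Validate and narrow the event; rejects anything outside the allowlist.
export function validateEvent(event: AddToGroupEvent): { username: string; groupName: string } {
  const { username, groupName } = event;
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    throw new Error('invalid username');
  }
  if (typeof groupName !== 'string' || !ASSIGNABLE_GROUPS.has(groupName)) {
    throw new Error(`group not assignable by this function: ${String(groupName)}`);
  }
  return { username, groupName };
}

// Pure step: everything the SDK call needs, computed without touching the network.
export function buildAddToGroupRequest(
  env: Record<string, string | undefined>,
  event: AddToGroupEvent,
): AddUserToGroupInput {
  const UserPoolId = resolveUserPoolId(env);
  const { username, groupName } = validateEvent(event);
  return { UserPoolId, Username: username, GroupName: groupName };
}

// Handler factory: the client and env are injected so the logic is testable offline.
export function createHandler(client: CognitoAdminClient, env: Record<string, string | undefined>) {
  return async (event: AddToGroupEvent): Promise<AddUserToGroupInput> => {
    const request = buildAddToGroupRequest(env, event);
    await client.adminAddUserToGroup(request);
    return request;
  };
}

// Constructed in-memory client: records calls instead of calling Cognito.
export class RecordingClient implements CognitoAdminClient {
  calls: AddUserToGroupInput[] = [];
  async adminAddUserToGroup(input: AddUserToGroupInput): Promise<void> {
    this.calls.push(input);
  }
}

// Stand-alone run with a constructed environment and event.
const demoClient = new RecordingClient();
const demoHandler = createHandler(demoClient, { amplifyAuth_USERPOOL_ID: 'us-east-1_EXAMPLEPOOL' });
demoHandler({ username: 'alice@example.com', groupName: 'VIEWERS' }).then(() => {
  console.log('recorded calls:', demoClient.calls);
});
```

Keeping the request-building step synchronous and pure (buildAddToGroupRequest) is what makes the allowlist and env checks unit-testable without AWS credentials; the async wrapper only forwards the already-validated request to the injected client.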

List of actions

Action Name | Description | Cognito IAM Actions

manageUsers: Grants CRUD access to users in the UserPool
  • cognito-idp:AdminConfirmSignUp
  • cognito-idp:AdminCreateUser
  • cognito-idp:AdminDeleteUser
  • cognito-idp:AdminDeleteUserAttributes
  • cognito-idp:AdminDisableUser
  • cognito-idp:AdminEnableUser
  • cognito-idp:AdminGetUser
  • cognito-idp:AdminListGroupsForUser
  • cognito-idp:AdminRespondToAuthChallenge
  • cognito-idp:AdminSetUserMFAPreference
  • cognito-idp:AdminSetUserSettings
  • cognito-idp:AdminUpdateUserAttributes
  • cognito-idp:AdminUserGlobalSignOut

manageGroupMembership: Grants permission to add and remove users from groups
  • cognito-idp:AdminAddUserToGroup
  • cognito-idp:AdminRemoveUserFromGroup

manageUserDevices: Manages devices registered to users
  • cognito-idp:AdminForgetDevice
  • cognito-idp:AdminGetDevice
  • cognito-idp:AdminListDevices
  • cognito-idp:AdminUpdateDeviceStatus

managePasswordRecovery: Grants permission to reset user passwords
  • cognito-idp:AdminResetUserPassword
  • cognito-idp:AdminSetUserPassword

addUserToGroup: Grants permission to add any user to any group
  • cognito-idp:AdminAddUserToGroup

createUser: Grants permission to create new users and send welcome messages via email or SMS
  • cognito-idp:AdminCreateUser

deleteUser: Grants permission to delete any user
  • cognito-idp:AdminDeleteUser

deleteUserAttributes: Grants permission to delete attributes from any user
  • cognito-idp:AdminDeleteUserAttributes

disableUser: Grants permission to deactivate any user
  • cognito-idp:AdminDisableUser

enableUser: Grants permission to activate any user
  • cognito-idp:AdminEnableUser

forgetDevice: Grants permission to deregister any user's devices
  • cognito-idp:AdminForgetDevice

getDevice: Grants permission to get information about any user's devices
  • cognito-idp:AdminGetDevice

getUser: Grants permission to look up any user by user name
  • cognito-idp:AdminGetUser

listDevices: Grants permission to list any user's remembered devices
  • cognito-idp:AdminListDevices

listGroupsForUser: Grants permission to list the groups that any user belongs to
  • cognito-idp:AdminListGroupsForUser

removeUserFromGroup: Grants permission to remove any user from any group
  • cognito-idp:AdminRemoveUserFromGroup

resetUserPassword: Grants permission to reset any user's password
  • cognito-idp:AdminResetUserPassword

setUserMfaPreference: Grants permission to set any user's preferred MFA method
  • cognito-idp:AdminSetUserMFAPreference

setUserPassword: Grants permission to set any user's password
  • cognito-idp:AdminSetUserPassword

setUserSettings: Grants permission to set user settings for any user
  • cognito-idp:AdminSetUserSettings

updateDeviceStatus: Grants permission to update the status of any user's remembered devices
  • cognito-idp:AdminUpdateDeviceStatus

updateUserAttributes: Grants permission to update any user's standard or custom attributes
  • cognito-idp:AdminUpdateUserAttributes