Override Amplify-generated Cognito resources
```bash
amplify override auth
```
Run the command above to override the Amplify-generated auth resources, including the Amazon Cognito user pool, identity pool, user pool groups, and more. The command creates a new overrides.ts file under amplify/backend/auth/<resource-name>/ that exposes the Amplify-generated resources to you as CDK constructs.
Customize Amplify-generated Cognito auth resources
Apply all the overrides in the override(...) function. For example, to change how many days a temporary password stays valid in your Cognito user pool:
```typescript
import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.userPool.policies = { // Set the user pool policies
    passwordPolicy: {
      ...resources.userPool.policies["passwordPolicy"], // Carry over existing settings
      temporaryPasswordValidityDays: 3 // Add a setting Amplify's default does not set
    }
  }
}
```
Or add a custom attribute to your Cognito user pool:
```typescript
import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper'

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  // Note: Cognito does not let you remove or change a custom attribute once the pool has it
  const myCustomAttribute = {
    attributeDataType: 'String',
    developerOnlyAttribute: false,
    mutable: true,
    name: 'my_custom_attribute',
    required: false,
  }
  resources.userPool.schema = [
    ...(resources.userPool.schema as any[]), // Carry over existing attributes (example: email)
    myCustomAttribute,
  ]
}
```
You can override the following auth resources that Amplify generates:
| Amplify-generated resource | Description |
|---|---|
| customMessageConfirmationBucket | S3 bucket used for custom message triggers |
| snsRole | SNS role for sending authentication-related messages |
| userPool | The Cognito user pool that enables user sign-up and sign-in |
| userPoolClientWeb | A Cognito user pool client for web apps |
| userPoolClient | A Cognito user pool client for mobile apps |
| identityPool | A Cognito identity pool to federate identities |
| identityPoolRoleMap | Role mapping for authenticated and unauthenticated user roles |
| lambdaConfigPermissions | Permissions for Lambda functions to access the Cognito user pool and identity pool |
| lambdaTriggerPermissions | IAM policy attached to Cognito Lambda triggers |
| userPoolClientLambda | Lambda function to fetch the app client secret from the user pool client |
| userPoolClientRole | IAM role for the Lambda function that fetches the app client secret from the user pool client |
| userPoolClientLambdaPolicy | IAM policy for the Lambda function that fetches the app client secret from the user pool client |
| userPoolClientLogPolicy | IAM policy to enable CloudWatch logging for the Lambda function that fetches the app client secret from the user pool client |
| userPoolClientInputs | Custom CloudFormation resource to fetch the app client secret from the user pool client |
| hostedUICustomResource | Lambda function to enable Cognito user pool Hosted UI login |
| hostedUICustomResourcePolicy | IAM policy for the Lambda function that enables Cognito user pool Hosted UI login |
| hostedUICustomResourceLogPolicy | IAM policy to enable CloudWatch logging for the Lambda function that enables Cognito user pool Hosted UI login |
| hostedUICustomResourceInputs | Custom CloudFormation resource to enable Cognito user pool Hosted UI login |
| hostedUIProvidersCustomResource | Lambda function to configure Hosted UI with third-party identity providers |
| hostedUIProvidersCustomResourcePolicy | IAM policy for the Lambda function that configures Hosted UI with third-party identity providers |
| hostedUIProvidersCustomResourceLogPolicy | IAM policy to enable CloudWatch logging for the Lambda function that configures Hosted UI with third-party identity providers |
| hostedUIProvidersCustomResourceInputs | Custom CloudFormation resource to configure Hosted UI with third-party identity providers |
| oAuthCustomResource | Lambda function to enable OAuth |
| oAuthCustomResourcePolicy | IAM policy for the OAuth custom CloudFormation resource |
| oAuthCustomResourceLogPolicy | IAM policy to enable CloudWatch logging for the OAuth Lambda function |
| oAuthCustomResourceInputs | Custom CloudFormation resource to enable OAuth |
| mfaLambda | Lambda function to enable multi-factor authentication |
| mfaLogPolicy | IAM policy to enable CloudWatch logging for the multi-factor authentication Lambda function |
| mfaLambdaPolicy | IAM policy for the multi-factor authentication Lambda function |
| mfaLambdaInputs | Custom CloudFormation resource to enable multi-factor authentication |
| mfaLambdaRole | IAM execution role for the multi-factor authentication Lambda function |
| openIdLambda | Lambda function to enable OpenID Connect |
| openIdLogPolicy | IAM policy to enable CloudWatch logging for the OpenID Connect Lambda function |
| openIdLambdaIAMPolicy | IAM policy for the OpenID Connect Lambda function |
| openIdLambdaInputs | Custom CloudFormation resource to enable OpenID Connect |
| openIdLambdaRole | Lambda execution role for the OpenID Connect Lambda function |
Customize Amplify-generated Cognito user group resources
Apply all the overrides in the override(...) function. For example, to set a path on the Lambda execution role used by the user pool group-to-role mapping function:
```typescript
import { AmplifyUserPoolGroupStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyUserPoolGroupStackTemplate) {
  resources.lambdaExecutionRole.path = "/<my-path>/" // Note: CloudFormation does not allow you to modify the path after creation
}
```
You can override the following user pool group resources that Amplify generates:
| Amplify-generated resource | Description |
|---|---|
| userPoolGroup | The map of user pool groups |
| userPoolGroupRole | The map of user pool group roles |
| roleMapCustomResource | A custom CloudFormation resource to map user pool groups to their roles |
| lambdaExecutionRole | Lambda execution role for the user pool group-to-role mapping function |
| roleMapLambdaFunction | The Lambda function that performs the user pool group-to-role mapping |
Customize Amplify-generated Cognito auth resources with social providers
Apply all the overrides in the override(...) function. For example, to add a social provider to your Cognito user pool, add an AWS::Cognito::UserPoolIdentityProvider resource with addCfnResource. The ProviderDetails values below are placeholders: supply your real Login with Amazon client ID, client secret and scopes, and keep the real client secret out of overrides.ts if that file is committed to source control.
```typescript
import { AmplifyAuthCognitoStackTemplate } from "@aws-amplify/cli-extensibility-helper";

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.addCfnResource(
    {
      type: "AWS::Cognito::UserPoolIdentityProvider",
      properties: {
        AttributeMapping: {
          preferred_username: "email",
          email: "email"
        },
        ProviderDetails: {
          // Placeholder values; do not commit the real client_secret to source control
          client_id: "test",
          client_secret: "test",
          authorize_scopes: "test",
        },
        ProviderName: "LoginWithAmazon",
        ProviderType: "LoginWithAmazon",
        UserPoolId: {
          Ref: "UserPool",
        },
      },
    },
    "amazon-social-provider"
  );
}
```