
Amazon Cognito User Pool

Created with SnapCognito

Create a Cognito User Pool with User, App Client, Domain and Resource Server

This pattern deploys an Amazon Cognito User Pool with its associated User, App Client, Domain and Resource Server.
The tokens returned after a successful authentication against the User Pool can then be used, for example, to call a REST API protected by a Cognito User Pool authorizer.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Serverless patterns - Cognito User Pool (uksb-1tthgi812) (tag:cognito-user-pool)

Parameters:
  Email:
    Type: String
  CallbackUrl:
    Type: String

Resources:
  
  CognitoAuthorizerUserPool:
    Type: AWS::Cognito::UserPool
    Properties: 
      UserPoolName: cognito-user-pool-userpool

  CognitoAuthorizerUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties: 
      AllowedOAuthFlows: 
        - implicit
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthScopes: 
        - email
        - openid
        - profile
      CallbackURLs: 
        - !Ref CallbackUrl
      ClientName: cognito-user-pool-client
      SupportedIdentityProviders: 
        - COGNITO
      UserPoolId: !Ref CognitoAuthorizerUserPool

  CognitoAuthorizerUserPoolUser:
    Type: AWS::Cognito::UserPoolUser
    Properties: 
      UserAttributes: 
        - Name: email
          Value: !Ref Email
      Username: !Ref Email
      UserPoolId: !Ref CognitoAuthorizerUserPool

  CognitoAuthorizerUserPoolResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties: 
      Identifier: com.apigw
      Name: com.apigw
      Scopes: 
        - ScopeDescription: scope_description
          ScopeName: scope_name
      UserPoolId: !Ref CognitoAuthorizerUserPool
      
  CognitoAuthorizerUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties: 
      Domain: !Sub user-pool-domain-${AWS::AccountId}
      UserPoolId: !Ref CognitoAuthorizerUserPool

Outputs:

  HostedUi:
    Description: Hosted UI
    Value: !Sub "https://${CognitoAuthorizerUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com/login?client_id=${CognitoAuthorizerUserPoolClient}&response_type=token&scope=email+openid+profile&redirect_uri=${CallbackUrl}"
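As an added example (not part of the serverless-patterns template above or of the aws-samples repository), the same pool and app client with the settings a practitioner would tighten before exposing the hosted UI, plus the REST API with a Cognito User Pool authorizer that the introduction mentions as the consumer of the tokens. The template's `implicit` grant returns tokens in the redirect URL fragment, where they can end up in browser history, logs and referrer headers, so the client below uses the authorization `code` grant instead (the hosted UI supports PKCE for a public client on top of it), disables password-based `ExplicitAuthFlows`, returns generic errors so usernames cannot be enumerated, shortens token lifetimes, enables revocation, and requests the custom scope defined by the pattern's resource server so the API can require it. The user, resource server and domain resources are the unchanged ones from the template above and are not repeated; `ProtectedApi`, `HelloFunction`, the `/hello` route and the `prod` stage name are assumptions.

```yaml
# Added example, not the pattern's own template: hardened pool + app client and
# a SAM REST API that validates the pool's access tokens. Merge into the template
# above; CognitoAuthorizerUserPoolUser, ...ResourceServer and ...Domain stay as-is.
Resources:
  CognitoAuthorizerUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: cognito-user-pool-userpool
      MfaConfiguration: OPTIONAL        # users can enrol a TOTP authenticator
      EnabledMfas:
        - SOFTWARE_TOKEN_MFA
      Policies:
        PasswordPolicy:
          MinimumLength: 12
          RequireLowercase: true
          RequireUppercase: true
          RequireNumbers: true
          RequireSymbols: true
          TemporaryPasswordValidityDays: 3

  CognitoAuthorizerUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    # The custom scope below must exist before the client is created.
    DependsOn: CognitoAuthorizerUserPoolResourceServer
    Properties:
      ClientName: cognito-user-pool-client
      UserPoolId: !Ref CognitoAuthorizerUserPool
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code                          # authorization code grant, not implicit
      AllowedOAuthScopes:
        - email
        - openid
        - profile
        - com.apigw/scope_name          # <resource server identifier>/<scope name>
      CallbackURLs:
        - !Ref CallbackUrl
      SupportedIdentityProviders:
        - COGNITO
      GenerateSecret: false             # browser/mobile client: no secret to leak
      PreventUserExistenceErrors: ENABLED   # same error for unknown user and bad password
      ExplicitAuthFlows:                # SRP only; no plaintext-password auth flows
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      EnableTokenRevocation: true
      AccessTokenValidity: 60
      IdTokenValidity: 60
      RefreshTokenValidity: 1
      TokenValidityUnits:
        AccessToken: minutes
        IdToken: minutes
        RefreshToken: days

  # Assumed REST API: every route requires a valid access token from the pool
  # that carries the custom scope; API Gateway checks signature, issuer and expiry.
  ProtectedApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt CognitoAuthorizerUserPool.Arn
            AuthorizationScopes:
              - com.apigw/scope_name

  # Assumed handler: reads the verified claims API Gateway passes through.
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            claims = event["requestContext"]["authorizer"]["claims"]
            return {"statusCode": 200, "body": "hello " + claims.get("sub", "")}
      Events:
        Get:
          Type: Api
          Properties:
            RestApiId: !Ref ProtectedApi
            Path: /hello
            Method: GET

Outputs:
  HostedUi:
    Description: Hosted UI login for the code grant (the client adds code_challenge for PKCE)
    Value: !Sub "https://${CognitoAuthorizerUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com/login?client_id=${CognitoAuthorizerUserPoolClient}&response_type=code&scope=email+openid+profile+com.apigw/scope_name&redirect_uri=${CallbackUrl}"
  ApiUrl:
    Value: !Sub "https://${ProtectedApi}.execute-api.${AWS::Region}.amazonaws.com/prod/hello"
```

With `AuthorizationScopes` set, API Gateway validates the access token rather than the id token, so the caller must send the access token in the `Authorization` header and must have requested `com.apigw/scope_name` at login; an id token, or an access token without that scope, is rejected with 401 before the function runs. The pool changes (MFA, password policy) apply to a new pool; `MfaConfiguration: OPTIONAL` can be switched to `ON` once existing users have enrolled.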



Visit the GitHub repo for this pattern.


Download

git clone https://github.com/aws-samples/serverless-patterns/
cd serverless-patterns/cognito-user-pool

Deploy

sam deploy --guided


Testing

See the GitHub repo for detailed testing instructions.

Cleanup

Delete the stack: sam delete.


Presented by Albert Blaya

Albert is a Solutions Architect at Amazon Web Services based in Australia.
