Capabilities

The AWS Cognito connector syncs the following resources:
  • Cognito Users
  • Cognito Groups

Gather AWS Cognito credentials

To configure the AWS Cognito connector, your IAM identity must have permission to call the following Cognito API actions on the target User Pool(s). For read-only sync, the first five permissions are sufficient. For full provisioning, all permissions are required.

Sync permissions (required for all deployments):
  • cognito-idp:ListUsers
  • cognito-idp:AdminGetUser
  • cognito-idp:ListGroups
  • cognito-idp:ListUsersInGroup
  • cognito-idp:AdminListGroupsForUser
Provisioning permissions (required for group membership and account management):
  • cognito-idp:DescribeUserPool
  • cognito-idp:AdminAddUserToGroup
  • cognito-idp:AdminRemoveUserFromGroup
  • cognito-idp:AdminCreateUser
  • cognito-idp:AdminDeleteUser
  • cognito-idp:AdminEnableUser
  • cognito-idp:AdminDisableUser
  1. Sign in to the AWS Console and navigate to Cognito > User pools.
  2. Locate the User Pool you want to connect. Copy the User pool ID from the pool’s overview page (for example, us-east-1_T5HyXiR7I). Note the AWS region as well.
  3. Create or identify an IAM user with the required permissions listed above. ConductorOne recommends scoping the policy to the specific User Pool ARN(s):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:ListUsers",
        "cognito-idp:AdminGetUser",
        "cognito-idp:ListGroups",
        "cognito-idp:ListUsersInGroup",
        "cognito-idp:AdminListGroupsForUser",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:AdminAddUserToGroup",
        "cognito-idp:AdminRemoveUserFromGroup",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminDisableUser"
      ],
      "Resource": "arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>"
    }
  ]
}
  4. In IAM > Users > Security credentials > Create access key, generate an access key for the IAM user. Save the Access key ID and Secret access key — you will need both to configure the connector.
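Before handing the access key to the connector, it is worth checking that the policy really is pinned to one User Pool and grants no more than the deployment needs. The helper below is an added example, not part of the connector or this page: it lints a policy document against the two permission sets listed above and flags wildcard grants, a Resource not scoped to a single pool, missing actions, and provisioning actions granted to a sync-only deployment. The sample policy is the page's own with its placeholders filled in; the account ID is made up.

```python
# Actions the page lists as sufficient for read-only sync.
SYNC_ACTIONS = {
    "cognito-idp:ListUsers", "cognito-idp:AdminGetUser", "cognito-idp:ListGroups",
    "cognito-idp:ListUsersInGroup", "cognito-idp:AdminListGroupsForUser",
}
# Additional actions the page lists for provisioning (membership and account management).
PROVISION_ACTIONS = {
    "cognito-idp:DescribeUserPool", "cognito-idp:AdminAddUserToGroup",
    "cognito-idp:AdminRemoveUserFromGroup", "cognito-idp:AdminCreateUser",
    "cognito-idp:AdminDeleteUser", "cognito-idp:AdminEnableUser",
    "cognito-idp:AdminDisableUser",
}

def _as_list(v):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])

def check_policy(policy: dict, pool_arn: str, provisioning: bool) -> list:
    """Return findings for a connector IAM policy; an empty list means it is scoped as intended."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        # Wildcards are flagged, not expanded: the connector needs a fixed, named action set.
        if any(a.endswith("*") for a in actions):
            findings.append(f"wildcard action: {actions}")
        if any("*" in r for r in resources):
            findings.append(f"resource not scoped to one User Pool: {resources}")
        elif pool_arn not in resources:
            findings.append(f"statement does not target {pool_arn}")
        granted.update(actions)
    needed = SYNC_ACTIONS | (PROVISION_ACTIONS if provisioning else set())
    if missing := sorted(needed - granted):
        findings.append("missing actions: " + ", ".join(missing))
    if not provisioning and (extra := sorted(granted & PROVISION_ACTIONS)):
        findings.append("provisioning actions granted to a sync-only connector: " + ", ".join(extra))
    return findings

# Constructed sample: the page's policy with the placeholders filled in (the account id is made up).
POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_T5HyXiR7I"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                 "Action": sorted(SYNC_ACTIONS | PROVISION_ACTIONS), "Resource": POOL_ARN}]}

if __name__ == "__main__":
    for prov in (True, False):
        print("provisioning" if prov else "sync-only", check_policy(SAMPLE_POLICY, POOL_ARN, prov) or "OK")
```

Run it once with provisioning=True for a full deployment and once with provisioning=False for a read-only one; the second run shows which of the page's provisioning actions could be dropped.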

Known limitations

  • Last login date not available on Essentials tier. The Cognito UserLastAuthenticationDate field is only populated on User Pools using the Plus feature plan. If your pool is on the Essentials plan, last login data will not appear in ConductorOne.
  • Cognito is rate-limited. The ListUsers API is rate-limited to approximately 5 requests per second. For large User Pools (tens of thousands of users), syncs will be slow. This is expected behavior and not a connector defect.
  • One connector per User Pool. Each connector instance syncs exactly one Cognito User Pool. To manage multiple pools, deploy one connector per pool.
  • Group names are immutable. Cognito does not allow renaming groups after creation. Group names are used as stable resource IDs. If a group is deleted and re-created with the same name, ConductorOne will treat it as the same group.
  • Invite email is optional and defaults to off. When provisioning a new user, you can choose whether Cognito sends a temporary password to the user’s email via the Send Invite Email field. The default is false (no email sent). To send the invite, add an explicit mapping for sendInviteEmail set to true in the provisioning flow. ConductorOne never handles the credential directly.
  • Additional required attributes must use exact Cognito attribute names. If your User Pool requires attributes beyond given_name and family_name (for example nickname, preferred_username, or a custom attribute like custom:department), add them as optional mappings in the provisioning flow using the exact Cognito attribute name as the destination key. The connector forwards any unrecognized profile fields directly to Cognito.

Actions

The AWS Cognito connector supports the following account lifecycle actions, which can be triggered manually or via ConductorOne automations:
  • Enable User: Re-enables a disabled Cognito user account (AdminEnableUser). The user can sign in again immediately.
  • Disable User: Disables an active Cognito user account (AdminDisableUser). The user cannot sign in, but their account and group memberships are preserved.

Using actions in automations

To trigger an enable or disable action automatically:
  1. In ConductorOne, navigate to Automations and create or edit an automation.
  2. Add an action step and select Enable User or Disable User from the AWS Cognito connector.
  3. ConductorOne will pass the user’s resource ID automatically — no manual input required.
You can also trigger actions manually from a user’s profile page under Actions.

Configure the AWS Cognito connector

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
  1. In ConductorOne, navigate to Integrations > Connectors and click Add connector.
  2. Search for AWS Cognito and click Add.
  3. Choose how to set up the new AWS Cognito connector:
     • Add the connector to a currently unmanaged app
     • Add the connector to a managed app
     • Create a new managed app
  4. Set the owner for this connector.
  5. Click Next.
  6. Find the Settings area of the page and click Edit.
  7. Enter the required configuration:
     • User Pool ID (user-pool-id): The Cognito User Pool ID (e.g. us-east-1_T5HyXiR7I)
     • Region (region): The AWS region where the User Pool is hosted, e.g. us-east-1
     • AWS Access Key ID (aws-access-key-id): IAM access key ID
     • AWS Secret Access Key (aws-secret-access-key): IAM secret access key
  8. Click Save.
  9. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your AWS Cognito connector is now pulling access data into ConductorOne.

All versions of this connector are available at dist.conductorone.com.