Creating user accounts as administrator - Amazon Cognito

Creating user accounts as administrator

User pools aren't only a customer identity and access management (CIAM) user directory, where anyone on the internet can sign up for a user profile in your application. You can disable self-service sign-up. You might already know your customers and want to admit only those who have been authorized in advance. You can put manual authentication guardrails around your application with a private SAML 2.0 or OIDC identity provider, by importing users, by screening users at sign-up, or by creating users with administrative API operations. Your workflow for administrative creation of users can be programmatic, provisioning users after they register in another system, or it can be on a case-by-case or testing basis in the Amazon Cognito console.

When you create users as an administrator, Amazon Cognito sets a temporary password for them and sends a welcome, or invitation, message. They can follow the link in their invitation message and sign in for the first time, setting a password and confirming their account. The page that follows describes how to create new users and configure the welcome message. For more information about user creation with the user pools API and an Amazon SDK or CDK, see AdminCreateUser.

After you create your user pool, you can create users using the Amazon Web Services Management Console, as well as the Amazon Command Line Interface or the Amazon Cognito API. You can create a profile for a new user in a user pool and send a welcome message with sign-up instructions to the user via SMS or email.

The following are some examples of how administrators can manage users in user pools.

  • Create a new user profile in the Amazon Cognito console or with the AdminCreateUser API operation.

  • Make username-and-password, passwordless, passkey, and custom authentication flows available to your user pool and app client.

  • Set user attribute values.

  • Create custom attributes.

  • Set the value of immutable custom attributes in AdminCreateUser API requests. This feature isn't available in the Amazon Cognito console.

  • Specify a temporary password, create a user without a password, or allow Amazon Cognito to automatically generate a password.

  • Create new users and automatically confirm their accounts, verify their email addresses, or verify their phone numbers.

  • Specify custom SMS and email invitation messages for new users via the Amazon Web Services Management Console or Lambda triggers like custom message, custom SMS sender, and custom email sender.

  • Specify whether invitation messages are sent via SMS, email, or both.

  • Resend the welcome message to an existing user by calling the AdminCreateUser API, specifying RESEND for the MessageAction parameter.

  • Suppress the sending of the invitation message when the user is created.

  • Specify an expiration time limit of up to 90 days for new user accounts.

  • Allow users to sign themselves up or require that new users only be added by the administrator.

Administrators can also sign users in with Amazon credentials in a server-side application. For more information, see Authorization models for API and SDK authentication.

User authentication flows and creating users

Administrative creation of users has options that differ based on the configuration of your user pool. The authentication flows, or methods available to users for sign-in and MFA, can change how you create users and the messages that you send to them. The following are some authentication flows that are available in user pools.

  • Username and password

  • Passkeys

  • Sign-in with third-party IdPs

  • Passwordless with email and SMS one-time passwords (OTPs)

  • Multi-factor authentication with email, SMS, and authenticator-app OTPs

  • Custom authentication with Lambda triggers

For more information about how to configure these sign-in factors, see Authentication with Amazon Cognito user pools.

Create users without passwords

If you have enabled passwordless sign-in for your user pool, you can create users without passwords. To create a user without a password, you must provide attribute values for an available passwordless sign-in factor. For example, if email OTP passwordless sign-in is available in your user pool, you can create a user with no password and an email address attribute. If the only authentication flows available to new users require a password, for example passkey or username-password, you must create or generate a temporary password for each new user.

To create a new user without a password
  • Choose Don't set a password in the Amazon Cognito console

  • Omit or leave blank the TemporaryPassword parameter of your AdminCreateUser API request

Users without passwords are automatically confirmed

Normally new users get a temporary password and go into a FORCE_CHANGE_PASSWORD status when you create them. When you create users without passwords, they immediately go into a CONFIRMED state. You can't resend confirmation codes to these users in the CONFIRMED state.

Invitation messages change for users without passwords

By default, Amazon Cognito sends an invitation message to new users that says Your username is {userName} and your password is {####}. When you create users with no password, the message says Your username is {userName}. Customize your invitation message to reflect whether you will set passwords for users. Omit the {####} password variable in passwordless authentication models.

You can't autogenerate passwords when passwordless factors are available

If you have configured your user pool to support email or phone OTP passwordless sign-in, you can't automatically generate a password. For each user who will have a password, you must set a temporary password when you create their profile.

Passwordless users must have values for all required attributes

When you create a user without a password, your request only succeeds if it includes values for all attributes that you have marked as required in your user pool. This applies to every required attribute, not only the phone number and email attributes needed for OTP delivery.
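The rules in the passwordless section above (and the options that the console procedure for creating a user later on this page exposes) translate into a handful of checks that are worth making before an AdminCreateUser call leaves your provisioning code. The following is an added example, not code from the Amazon Cognito documentation or SDK: it builds the request dictionary for the boto3 `admin_create_user` call and rejects requests the page says will fail. The `POOL` dict is a constructed stand-in for a user pool configuration (its shape is an assumption, not the DescribeUserPool response format); the user pool ID is a placeholder.

```python
"""Validate and build an AdminCreateUser request (added example, not AWS code)."""
import re
from typing import Optional

# Constructed stand-in for a user pool configuration. Assumption: this local
# shape is specific to the example; it is not the DescribeUserPool format.
POOL = {
    "UserPoolId": "us-east-1_EXAMPLE",                # placeholder pool id
    "PasswordlessFactors": {"EMAIL_OTP", "SMS_OTP"},  # enabled OTP sign-in factors
    "RequiredAttributes": {"email", "name"},
    "PasswordPolicy": {
        "MinimumLength": 12,
        "RequireUppercase": True,
        "RequireLowercase": True,
        "RequireNumbers": True,
        "RequireSymbols": True,
    },
}

# The attribute each passwordless factor delivers its one-time password to.
FACTOR_ATTRIBUTE = {"EMAIL_OTP": "email", "SMS_OTP": "phone_number"}


def password_policy_violations(password: str, policy: dict) -> list:
    """Return the policy rules a temporary password breaks (empty list = OK)."""
    problems = []
    if len(password) < policy["MinimumLength"]:
        problems.append("too short")
    checks = [
        ("RequireUppercase", r"[A-Z]", "no uppercase letter"),
        ("RequireLowercase", r"[a-z]", "no lowercase letter"),
        ("RequireNumbers", r"[0-9]", "no digit"),
        ("RequireSymbols", r"[^A-Za-z0-9]", "no symbol"),
    ]
    for key, pattern, msg in checks:
        if policy.get(key) and not re.search(pattern, password):
            problems.append(msg)
    return problems


def build_admin_create_user(pool: dict, username: str, attributes: dict,
                            temporary_password: Optional[str] = None,
                            delivery=("EMAIL",), message_action: Optional[str] = None,
                            mark_verified: bool = False) -> dict:
    """Return keyword arguments for admin_create_user, or raise ValueError."""
    passwordless = temporary_password is None and bool(pool["PasswordlessFactors"])
    if passwordless:
        # A user with no password needs an attribute an enabled OTP factor can use...
        usable = {FACTOR_ATTRIBUTE[f] for f in pool["PasswordlessFactors"]}
        if not usable & set(attributes):
            raise ValueError(f"passwordless user needs one of {sorted(usable)}")
        # ...and a value for every attribute the pool marks as required.
        missing = pool["RequiredAttributes"] - set(attributes)
        if missing:
            raise ValueError(f"missing required attributes: {sorted(missing)}")
    elif temporary_password is not None:
        problems = password_policy_violations(temporary_password, pool["PasswordPolicy"])
        if problems:
            raise ValueError("temporary password violates policy: " + ", ".join(problems))
    # Otherwise no passwordless factor is enabled, so Cognito may auto-generate
    # the temporary password when TemporaryPassword is omitted.

    if message_action not in (None, "RESEND", "SUPPRESS"):
        raise ValueError("MessageAction must be RESEND or SUPPRESS")
    if not set(delivery) <= {"EMAIL", "SMS"}:
        raise ValueError("DesiredDeliveryMediums must be EMAIL and/or SMS")

    user_attrs = [{"Name": k, "Value": v} for k, v in attributes.items()]
    if mark_verified:
        # Mark contact attributes verified so the user can sign in with them.
        if "email" in attributes:
            user_attrs.append({"Name": "email_verified", "Value": "true"})
        if "phone_number" in attributes:
            user_attrs.append({"Name": "phone_number_verified", "Value": "true"})

    request = {
        "UserPoolId": pool["UserPoolId"],
        "Username": username,
        "UserAttributes": user_attrs,
        "DesiredDeliveryMediums": list(delivery),
    }
    if temporary_password is not None:
        request["TemporaryPassword"] = temporary_password
    if message_action:
        request["MessageAction"] = message_action
    return request


def resend_invitation(pool: dict, username: str) -> dict:
    """MessageAction RESEND delivers the welcome message again to an existing user."""
    return {"UserPoolId": pool["UserPoolId"], "Username": username, "MessageAction": "RESEND"}


def send(request: dict):
    """Submit the request with boto3 (assumed installed; needs IAM credentials)."""
    import boto3
    return boto3.client("cognito-idp").admin_create_user(**request)


if __name__ == "__main__":
    print(build_admin_create_user(POOL, "alice", {"email": "alice@example.com", "name": "Alice"}))
```

Keeping the policy check local means a bad temporary password is caught before it reaches the API and before any invitation is queued; the `send` helper is the only part that touches AWS, so everything above it can run in a unit test with no credentials.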

Creating a new user in the Amazon Web Services Management Console

You can set user password requirements, configure the invitation and verification messages sent to users, and add new users with the Amazon Cognito console.

Set a password policy and enable self-registration

You can configure settings for minimum password complexity and whether users can sign up using public APIs in your user pool.

Configure a password policy
  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Authentication methods menu and locate Password policy. Choose Edit.

  4. Choose a Password policy mode of Custom.

  5. Choose a Password minimum length. For limits to the password length requirement, see User pools resource quotas.

  6. Choose a Password complexity requirement.

  7. Choose how long passwords set by administrators should remain valid.

  8. Choose Save changes.

Allow self-service sign-up
  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Sign-up menu and locate Self-service sign-up. Select Edit.

  4. Choose whether to Enable self-registration. Self-registration is typically used with public app clients that need to register new users in your user pool without distributing a client secret or Amazon Identity and Access Management (IAM) API credentials.

    Disabling self-registration

    If you do not enable self-registration, new users must be created by administrative API actions using IAM API credentials or by sign-in with federated providers.

  5. Choose Save changes.

Customize email and SMS messages

Customize user messages

You can customize the messages that Amazon Cognito sends to your users when you invite them to sign in, they sign up for a user account, or they sign in and are prompted for multi-factor authentication (MFA).

Note

An Invitation message is sent when you create a user in your user pool and invite them to sign in. Amazon Cognito sends initial sign-in information to the user's email address or phone number.

A Verification message is sent when a user signs up for a user account in your user pool. Amazon Cognito sends a code to the user. When the user provides the code to Amazon Cognito, they verify their contact information and confirm their account for sign-in. Verification codes are valid for 24 hours.

An MFA message is sent when you enable SMS MFA in your user pool, and a user that has configured SMS MFA signs in and is prompted for MFA.

  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Message templates menu and select Verification message, Invitation message, or MFA message and choose Edit.

  4. Customize the messages for the chosen message type.

    Note

    All variables in message templates must be included when you customize the message. If the variable, for example {####}, is not included, your user will have insufficient information to complete the message action.

    For more information, see Message templates.

    1. Verification messages

      1. Choose a Verification type for Email messages. A Code verification sends a numeric code that the user must enter. A Link verification sends a link the user can click to verify their contact information. The text in the variable for a Link message is displayed as hyperlink text. For example, a message template using the variable {##Click here##} is displayed as Click here in the email message.

      2. Enter an Email subject for Email messages.

      3. Enter a custom Email message template for Email messages. You can customize this template with HTML.

      4. Enter a custom SMS message template for SMS messages.

      5. Choose Save changes.

    2. Invitation messages

      1. Enter an Email subject for Email messages.

      2. Enter a custom Email message template for Email messages. You can customize this template with HTML.

      3. Enter a custom SMS message template for SMS messages.

      4. Choose Save changes.

    3. MFA messages

      1. Enter a custom SMS message template for SMS messages.

      2. Choose Save changes.
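Two points on this page are easy to get wrong when templates are edited by hand: the note above that every variable a message type needs must survive customization, and the earlier guidance that the {####} password variable should be left out of invitations for passwordless users. The following added example (not code from the Amazon Cognito documentation) checks a customized template against those rules and renders a preview with sample values. The placeholder names {username}, {####} and {##link text##} are assumptions about the template syntax taken from the surrounding text; confirm them against the Message templates reference before relying on them.

```python
"""Check customized Cognito message templates for required variables (added example)."""
import re

# Assumed placeholder syntax; verify against the Message templates reference.
CODE_VAR = "{####}"
USERNAME_VAR = "{username}"
LINK_VAR = re.compile(r"\{##.+?##\}")   # e.g. {##Click here##}


def check_template(kind: str, text: str, passwordless: bool = False) -> list:
    """Return the problems found in an invitation, verification or MFA template."""
    problems = []
    if kind == "invitation":
        if USERNAME_VAR not in text:
            problems.append(f"invitation must contain {USERNAME_VAR}")
        if passwordless and CODE_VAR in text:
            problems.append(f"passwordless invitation should omit {CODE_VAR}")
        if not passwordless and CODE_VAR not in text:
            problems.append(f"invitation with a temporary password needs {CODE_VAR}")
    elif kind == "verification_code":
        if CODE_VAR not in text:
            problems.append(f"code verification needs {CODE_VAR}")
    elif kind == "verification_link":
        if not LINK_VAR.search(text):
            problems.append("link verification needs a {##link text##} variable")
    elif kind == "mfa":
        if CODE_VAR not in text:
            problems.append(f"MFA message needs {CODE_VAR}")
    else:
        raise ValueError(f"unknown template kind: {kind}")
    return problems


def render_preview(text: str, username: str = "alice", code: str = "123456") -> str:
    """Substitute sample values so an operator can read the message as a user would."""
    text = text.replace(USERNAME_VAR, username).replace(CODE_VAR, code)
    # A link variable is displayed as its inner text, so show only that.
    return LINK_VAR.sub(lambda m: m.group(0)[3:-3], text)


if __name__ == "__main__":
    # Constructed sample templates.
    invite = "Your username is {username} and your temporary password is {####}."
    print(check_template("invitation", invite))                      # []
    print(check_template("invitation", invite, passwordless=True))   # flags {####}
    print(render_preview("Hi {username}, code {####}. {##Click here##}"))
```

Run the checker against each message type in a pre-deployment test so a template that drops {####} (or keeps it for passwordless users) is caught before users receive a message they cannot act on.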

Create a user


You can create new users for your user pool from the Amazon Cognito console. Typically, users can sign in after they set a password. To sign in with an email address, a user must verify the email attribute. To sign in with a phone number, the user must verify the phone_number attribute. To confirm accounts as an administrator, you can also use the Amazon CLI or API, or create user profiles with a federated identity provider. For more information, see the Amazon Cognito API Reference.

  1. Navigate to the Amazon Cognito console, and choose User Pools.

  2. Choose an existing user pool from the list, or create a user pool.

  3. Choose the Users menu, and choose Create a user.

  4. Review the User pool sign-in and security requirements for guidance on password requirements, available account recovery methods, and alias attributes for your user pool.

  5. Choose how you want to send an Invitation message. Choose SMS message, email message, or both. To suppress the invitation message, choose Don't send an invitation.

    Note

    Before you can send invitation messages, configure a sender and an Amazon Web Services Region with Amazon Simple Notification Service and Amazon Simple Email Service in the Authentication methods menu of your user pool. Recipient message and data rates apply. Amazon SES bills you for email messages separately, and Amazon SNS bills you for SMS messages separately.

  6. Choose a Username for the new user.

  7. Choose if you want to Create a password or have Amazon Cognito Generate a password for the user. The option to generate a password isn't available if passwordless sign-in is available in the user pool. Any temporary password must adhere to the user pool password policy.

  8. Choose Create.

  9. Choose the Users menu and choose the User name entry for the user. Add and edit User attributes and Group memberships. Review User event history.