CognitoIdentityProvider / Client / create_group

create_group

CognitoIdentityProvider.Client.create_group(**kwargs)

Creates a new group in the specified user pool. For more information about user pool groups, see Adding groups to a user pool.

Note

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

See also: AWS API Documentation

Request Syntax

response = client.create_group(
    GroupName='string',
    UserPoolId='string',
    Description='string',
    RoleArn='string',
    Precedence=123
)

Parameters:

• GroupName (string) –

  [REQUIRED]

  A name for the group. This name must be unique in your user pool.

• UserPoolId (string) –

  [REQUIRED]

  The ID of the user pool where you want to create a user group.

• Description (string) – A description of the group that you’re creating.

• RoleArn (string) – The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group. A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a cognito:preferred_role claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a cognito:groups claim that list all the groups that a user is a member of.

• Precedence (integer) –

  A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user’s tokens for the cognito:roles and cognito:preferred_role claims.

  Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn’t set in users’ tokens.

  The default Precedence value is null. The maximum Precedence value is 2^31-1.

Return type:

dict

Returns:

Response Syntax

{
    'Group': {
        'GroupName': 'string',
        'UserPoolId': 'string',
        'Description': 'string',
        'RoleArn': 'string',
        'Precedence': 123,
        'LastModifiedDate': datetime(2015, 1, 1),
        'CreationDate': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) –

  • Group (dict) –

    The response object for a created group.

    • GroupName (string) –

      The name of the group.

    • UserPoolId (string) –

      The ID of the user pool that contains the group.

    • Description (string) –

      A friendly description of the group.

    • RoleArn (string) –

      The ARN of the IAM role associated with the group. If a group has the highest priority of a user’s groups, users who authenticate with an identity pool get credentials for the RoleArn that’s associated with the group.

    • Precedence (integer) –

      A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher ornull Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user’s tokens for the cognito:roles and cognito:preferred_role claims.

      Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn’t set in users’ tokens.

      The default Precedence value is null.

    • LastModifiedDate (datetime) –

      The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java Date object.

    • CreationDate (datetime) –

      The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java Date object.

Exceptions

• CognitoIdentityProvider.Client.exceptions.InvalidParameterException

• CognitoIdentityProvider.Client.exceptions.GroupExistsException

• CognitoIdentityProvider.Client.exceptions.ResourceNotFoundException

• CognitoIdentityProvider.Client.exceptions.TooManyRequestsException

• CognitoIdentityProvider.Client.exceptions.LimitExceededException

• CognitoIdentityProvider.Client.exceptions.NotAuthorizedException

• CognitoIdentityProvider.Client.exceptions.InternalErrorException