CognitoIdentityProvider / Client / list_users

list_users#

CognitoIdentityProvider.Client.list_users(**kwargs)#

Lists users and their basic details in a user pool.

Note

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

See also: AWS API Documentation

Request Syntax

response = client.list_users(
    UserPoolId='string',
    AttributesToGet=[
        'string',
    ],
    Limit=123,
    PaginationToken='string',
    Filter='string'
)
Parameters:

  • UserPoolId (string) –

    [REQUIRED]

    The user pool ID for the user pool on which the search should be performed.

  • AttributesToGet (list) –

    A JSON array of user attribute names, for example given_name, that you want Amazon Cognito to include in the response for each user. When you don’t provide an AttributesToGet parameter, Amazon Cognito returns all attributes for each user.

    Use AttributesToGet with required attributes in your user pool, or in conjunction with Filter. Amazon Cognito returns an error if not all users in the results have set a value for the attribute you request. Attributes that you can’t filter on, including custom attributes, must have a value set in every user profile before an AttributesToGet parameter returns results.

    • (string) –

  • Limit (integer) – Maximum number of users to be returned.

  • PaginationToken (string) – This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.

  • Filter (string) –

    A filter string of the form “AttributeName Filter-TypeAttributeValue””. Quotation marks within the filter string must be escaped using the backslash ( \) character. For example, "family_name = \"Reddy\"".

    • AttributeName: The name of the attribute to search for. You can only search for one attribute at a time.

    • Filter-Type: For an exact match, use =, for example, “ given_name = \"Jon\"”. For a prefix (“starts with”) match, use ^=, for example, “ given_name ^= \"Jon\"”.

    • AttributeValue: The attribute value that must be matched for each user.

    If the filter string is empty, ListUsers returns all users in the user pool.

    You can only search for the following standard attributes:

    • username (case-sensitive)

    • email

    • phone_number

    • name

    • given_name

    • family_name

    • preferred_username

    • cognito:user_status (called Status in the Console) (case-insensitive)

    • status (called **Enabled** in the Console) (case-sensitive)

    • sub

    Custom attributes aren’t searchable.

    Note

    You can also list users with a client-side filter. The server-side filter matches no more than one attribute. For an advanced search, use a client-side filter with the --query parameter of the list-users action in the CLI. When you use a client-side filter, ListUsers returns a paginated list of zero or more users. You can receive multiple pages in a row with zero results. Repeat the query with each pagination token that is returned until you receive a null pagination token value, and then review the combined result.

    For more information about server-side and client-side filtering, see FilteringCLI output in the Command Line Interface User Guide.

    For more information, see Searching for Users Using the ListUsers API and Examples of Using the ListUsers API in the Amazon Cognito Developer Guide.

Return type:

dict

Returns:

Response Syntax

{
    'Users': [
        {
            'Username': 'string',
            'Attributes': [
                {
                    'Name': 'string',
                    'Value': 'string'
                },
            ],
            'UserCreateDate': datetime(2015, 1, 1),
            'UserLastModifiedDate': datetime(2015, 1, 1),
            'Enabled': True|False,
            'UserStatus': 'UNCONFIRMED'|'CONFIRMED'|'ARCHIVED'|'COMPROMISED'|'UNKNOWN'|'RESET_REQUIRED'|'FORCE_CHANGE_PASSWORD',
            'MFAOptions': [
                {
                    'DeliveryMedium': 'SMS'|'EMAIL',
                    'AttributeName': 'string'
                },
            ]
        },
    ],
    'PaginationToken': 'string'
}

Response Structure

  • (dict) –

    The response from the request to list users.

    • Users (list) –

      A list of the user pool users, and their attributes, that match your query.

      Note

      Amazon Cognito creates a profile in your user pool for each native user in your user pool, and each unique user ID from your third-party identity providers (IdPs). When you link users with the AdminLinkProviderForUser API operation, the output of ListUsers displays both the IdP user and the native user that you linked. You can identify IdP users in the Users object of this API response by the IdP prefix that Amazon Cognito appends to Username.

      • (dict) –

        A user profile in a Amazon Cognito user pool.

        • Username (string) –

          The user name of the user you want to describe.

        • Attributes (list) –

          A container with information about the user type attributes.

          • (dict) –

            Specifies whether the attribute is standard or custom.

            • Name (string) –

              The name of the attribute.

            • Value (string) –

              The value of the attribute.

        • UserCreateDate (datetime) –

          The creation date of the user.

        • UserLastModifiedDate (datetime) –

          The date and time, in ISO 8601 format, when the item was modified.

        • Enabled (boolean) –

          Specifies whether the user is enabled.

        • UserStatus (string) –

          The user status. This can be one of the following:

          • UNCONFIRMED - User has been created but not confirmed.

          • CONFIRMED - User has been confirmed.

          • EXTERNAL_PROVIDER - User signed in with a third-party IdP.

          • UNKNOWN - User status isn’t known.

          • RESET_REQUIRED - User is confirmed, but the user must request a code and reset their password before they can sign in.

          • FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change their password to a new value before doing anything else.

        • MFAOptions (list) –

          The MFA options for the user.

          • (dict) –

            This data type is no longer supported. Applies only to SMS multi-factor authentication (MFA) configurations. Does not apply to time-based one-time password (TOTP) software token MFA configurations.

            • DeliveryMedium (string) –

              The delivery medium to send the MFA code. You can use this parameter to set only the SMS delivery medium value.

            • AttributeName (string) –

              The attribute name of the MFA option type. The only valid value is phone_number.

    • PaginationToken (string) –

      The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.

Exceptions

  • CognitoIdentityProvider.Client.exceptions.InvalidParameterException

  • CognitoIdentityProvider.Client.exceptions.ResourceNotFoundException

  • CognitoIdentityProvider.Client.exceptions.TooManyRequestsException

  • CognitoIdentityProvider.Client.exceptions.NotAuthorizedException

  • CognitoIdentityProvider.Client.exceptions.InternalErrorException