AWS Cognito
Identity & SecurityConnect AI agents to Amazon Cognito User Pools. Agents provision and de-provision users, manage passwords and attributes, run role-based group membership, and inspect user pools and app clients.
What This Integration Enables
Agents provision and de-provision users in a user pool (create, confirm, enable, disable, delete), manage passwords administratively by setting a permanent or temporary password or triggering a reset, read and update user attributes as part of an automated onboarding or sync flow, search and paginate through a pool's members with attribute filters, manage groups and group membership for role-based access, and discover user pools and app clients to inspect their configuration. User attributes are supplied and returned as plain JSON keyed by attribute name, and the connector converts to and from Cognito's attribute-value format automatically. All admin operations authenticate with IAM credentials, so no end-user access token is involved. The connector covers the Cognito User Pools admin surface; the surrounding flow decides which provisioning steps run automatically and where a human confirms an account is safe to disable or delete.
Without FlowRunner
With FlowRunner
Use Case Scenarios
New-customer provisioning tied to billing
A new signup starts the flow. The agent sets up billing with [Stripe](/integrations/stripe), then calls Admin Create User to provision the Cognito account with the customer's email and attributes, and sends a personalized welcome. The account and the billing record are created together in one flow, so a paying customer never lands without a login or a login without a billing record.
Inactive-account cleanup
On a routine, the agent calls List Users with an attribute filter to find inactive or unconfirmed accounts. For each match it records the user's groups with Admin List Groups For User, then, on confirmation, calls Admin Disable User and reports the cleanup to the ops channel with [Slack](/integrations/slack). Disabling is reversible, so the pool stays clean without an irreversible delete happening on a filter match alone.
Offboarding with role capture
An offboarding trigger starts the flow. The agent calls Admin List Groups For User to record exactly which roles the departing user held, then Admin Remove User From Group for each one and Admin Delete User to fully de-provision the account. The captured roles give the team a record of what access existed, which matters when the offboarding is later reviewed.
Human-in-Loop Highlight
Deleting a user is irreversible, so the agent stops before it. During inactive-account cleanup or offboarding, the agent does the safe and reversible work on its own: it filters the pool, records the user's group memberships, and disables the account. Before it calls Admin Delete User, it pauses and asks the ops owner through Slack: "Found [count] inactive accounts. [user] last active [date], held groups [list], now disabled. Delete permanently, keep disabled, or reinstate?" The owner decides. The agent handles the filtering and the reversible disable; the person owns the permanent removal.
Agent Capabilities
19 actionsUser Management
10- Admin Create User Creates a user in a user pool, optionally suppressing or resending the invitation. The core provisioning action.
- Admin Get User Reads a user's attributes and status.
- List Users Searches and paginates through a pool's members with attribute filters. Powers cleanup and audit flows.
- Admin Update User Attributes Updates a user's attributes during onboarding or a sync flow.
- Admin Disable User Disables a user, blocking sign-in without deleting the account. Reversible, so agents can run it before a human confirms deletion.
- Admin Enable User Re-enables a previously disabled user.
- Admin Delete User Permanently removes a user. The typical human-gated step.
- Admin Set User Password Sets a permanent or temporary password. A permanent password confirms the user immediately.
- Admin Reset User Password Triggers a password reset for a user.
- Admin Confirm Sign Up Confirms a user's sign-up administratively.
Group Management
4- Create Group Creates a group for role-based access.
- Admin Add User To Group Adds a user to a group to grant its role.
- Admin Remove User From Group Removes a user from a group.
- Admin List Groups For User Lists the groups a user belongs to, used to record roles before offboarding.
User Pools and App Clients
5- List User Pools Discovers the user pools in the configured region.
- Describe User Pool Inspects a user pool's configuration.
- Create User Pool Creates a new user pool.
- List User Pool Clients Lists the app clients registered to a user pool.
- Describe User Pool Client Inspects an app client's configuration.
Start building with AWS Cognito
$100 in credits. No card required. Connect in minutes.