FlowRunner
Pricing
Theme

AWS Cognito

Identity & Security

Connect AI agents to Amazon Cognito User Pools. Agents provision and de-provision users, manage passwords and attributes, run role-based group membership, and inspect user pools and app clients.

22 actions available
A new-customer signup event starts an account-provisioning flow
Agent reads the customer's email, name, and initial attributes
Admin Create User in the target user pool with those attributes
Agent confirms the user was created and reads back the status
Agent verifies the correct groups exist before assigning membership
A personalized welcome is sent to the new user
Ops confirms an account deprovision before the agent disables and deletes it

What This Integration Enables

Agents provision and de-provision users in a user pool (create, confirm, enable, disable, delete), manage passwords administratively by setting a permanent or temporary password or triggering a reset, read and update user attributes as part of an automated onboarding or sync flow, search and paginate through a pool's members with attribute filters, manage groups and group membership for role-based access, and discover user pools and app clients to inspect their configuration. User attributes are supplied and returned as plain JSON keyed by attribute name, and the connector converts to and from Cognito's attribute-value format automatically. All admin operations authenticate with IAM credentials, so no end-user access token is involved. The connector covers the Cognito User Pools admin surface; the surrounding flow decides which provisioning steps run automatically and where a human confirms an account is safe to disable or delete.

Without FlowRunner

Manual account setup New users are created in the console one at a time, with attributes entered by hand
Inconsistent group roles Group membership is assigned ad hoc, so role-based access drifts over time
Risky cleanup Disabling or deleting stale accounts is done manually, with no record of the roles removed

With FlowRunner

Provisioning in flow Admin Create User sets attributes and status as a workflow step for every signup
Role-based membership Group operations keep membership consistent with a documented trail
Gated deprovision A user's groups are recorded, then the account is disabled and deleted on a human's confirmation

Use Case Scenarios

New-customer provisioning tied to billing

A new signup starts the flow. The agent sets up billing with [Stripe](/integrations/stripe), then calls Admin Create User to provision the Cognito account with the customer's email and attributes, and sends a personalized welcome. The account and the billing record are created together in one flow, so a paying customer never lands without a login or a login without a billing record.

Inactive-account cleanup

On a routine, the agent calls List Users with an attribute filter to find inactive or unconfirmed accounts. For each match it records the user's groups with Admin List Groups For User, then, on confirmation, calls Admin Disable User and reports the cleanup to the ops channel with [Slack](/integrations/slack). Disabling is reversible, so the pool stays clean without an irreversible delete happening on a filter match alone.

Offboarding with role capture

An offboarding trigger starts the flow. The agent calls Admin List Groups For User to record exactly which roles the departing user held, then Admin Remove User From Group for each one and Admin Delete User to fully de-provision the account. The captured roles give the team a record of what access existed, which matters when the offboarding is later reviewed.

Human-in-Loop Highlight

Deleting a user is irreversible, so the agent stops before it. During inactive-account cleanup or offboarding, the agent does the safe and reversible work on its own: it filters the pool, records the user's group memberships, and disables the account. Before it calls Admin Delete User, it pauses and asks the ops owner through Slack: "Found [count] inactive accounts. [user] last active [date], held groups [list], now disabled. Delete permanently, keep disabled, or reinstate?" The owner decides. The agent handles the filtering and the reversible disable; the person owns the permanent removal.

Agent processes routinely
Detects exception requiring judgment
Clear match Continues automatically
Ambiguous Routes to human via Slack
Human decides
Agent resumes with decision

Agent Capabilities

19 actions

User Management

10
  • Admin Create User Creates a user in a user pool, optionally suppressing or resending the invitation. The core provisioning action.
  • Admin Get User Reads a user's attributes and status.
  • List Users Searches and paginates through a pool's members with attribute filters. Powers cleanup and audit flows.
  • Admin Update User Attributes Updates a user's attributes during onboarding or a sync flow.
  • Admin Disable User Disables a user, blocking sign-in without deleting the account. Reversible, so agents can run it before a human confirms deletion.
  • Admin Enable User Re-enables a previously disabled user.
  • Admin Delete User Permanently removes a user. The typical human-gated step.
  • Admin Set User Password Sets a permanent or temporary password. A permanent password confirms the user immediately.
  • Admin Reset User Password Triggers a password reset for a user.
  • Admin Confirm Sign Up Confirms a user's sign-up administratively.

Group Management

4
  • Create Group Creates a group for role-based access.
  • Admin Add User To Group Adds a user to a group to grant its role.
  • Admin Remove User From Group Removes a user from a group.
  • Admin List Groups For User Lists the groups a user belongs to, used to record roles before offboarding.

User Pools and App Clients

5
  • List User Pools Discovers the user pools in the configured region.
  • Describe User Pool Inspects a user pool's configuration.
  • Create User Pool Creates a new user pool.
  • List User Pool Clients Lists the app clients registered to a user pool.
  • Describe User Pool Client Inspects an app client's configuration.

Start building with AWS Cognito

$100 in credits. No card required. Connect in minutes.