This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::AppStream::DirectoryConfig The `AWS::AppStream::DirectoryConfig` resource specifies the configuration information required to join Amazon WorkSpaces Applications fleets and image builders to Microsoft Active Directory domains. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::AppStream::DirectoryConfig", "Properties" : { "[CertificateBasedAuthProperties](#cfn-appstream-directoryconfig-certificatebasedauthproperties)" : CertificateBasedAuthProperties, "[DirectoryName](#cfn-appstream-directoryconfig-directoryname)" : String, "[OrganizationalUnitDistinguishedNames](#cfn-appstream-directoryconfig-organizationalunitdistinguishednames)" : [ String, ... ], "[ServiceAccountCredentials](#cfn-appstream-directoryconfig-serviceaccountcredentials)" : ServiceAccountCredentials } } ``` ### YAML ``` Type: AWS::AppStream::DirectoryConfig Properties: [CertificateBasedAuthProperties](#cfn-appstream-directoryconfig-certificatebasedauthproperties): CertificateBasedAuthProperties [DirectoryName](#cfn-appstream-directoryconfig-directoryname): String [OrganizationalUnitDistinguishedNames](#cfn-appstream-directoryconfig-organizationalunitdistinguishednames): - String [ServiceAccountCredentials](#cfn-appstream-directoryconfig-serviceaccountcredentials): ServiceAccountCredentials ``` ## Properties `CertificateBasedAuthProperties` The certificate-based authentication properties used to authenticate SAML 2.0 Identity Provider (IdP) user identities to Active Directory domain-joined streaming instances. *Required*: No *Type*: [CertificateBasedAuthProperties](aws-properties-appstream-directoryconfig-certificatebasedauthproperties.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DirectoryName` The fully qualified name of the directory (for example, corp.example.com). *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `OrganizationalUnitDistinguishedNames` The distinguished names of the organizational units for computer accounts. *Required*: Yes *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ServiceAccountCredentials` The credentials for the service account used by the streaming instance to connect to the directory. Do not use this parameter directly. Use `ServiceAccountCredentials` as an input parameter with `noEcho` as shown in the [Parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html). For best practices information, see [Do Not Embed Credentials in Your Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#creds). *Required*: Yes *Type*: [ServiceAccountCredentials](aws-properties-appstream-directoryconfig-serviceaccountcredentials.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + [CreateDirectoryConfig](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_CreateDirectoryConfig.html) in the *Amazon WorkSpaces Applications API Reference* # AWS::AppStream::DirectoryConfig CertificateBasedAuthProperties The certificate-based authentication properties used to authenticate SAML 2.0 Identity Provider (IdP) user identities to Active Directory domain-joined streaming instances. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CertificateAuthorityArn](#cfn-appstream-directoryconfig-certificatebasedauthproperties-certificateauthorityarn)" : String, "[Status](#cfn-appstream-directoryconfig-certificatebasedauthproperties-status)" : String } ``` ### YAML ``` [CertificateAuthorityArn](#cfn-appstream-directoryconfig-certificatebasedauthproperties-certificateauthorityarn): String [Status](#cfn-appstream-directoryconfig-certificatebasedauthproperties-status): String ``` ## Properties `CertificateAuthorityArn` The ARN of the AWS Certificate Manager Private CA resource. *Required*: No *Type*: String *Pattern*: `^arn:aws(?:\-cn|\-iso\-b|\-iso|\-us\-gov)?:[A-Za-z0-9][A-Za-z0-9_/.-]{0,62}:[A-Za-z0-9_/.-]{0,63}:[A-Za-z0-9_/.-]{0,63}:[A-Za-z0-9][A-Za-z0-9:_/+=,@.\\-]{0,1023}$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Status` The status of the certificate-based authentication properties. Fallback is turned on by default when certificate-based authentication is **Enabled**. Fallback allows users to log in using their AD domain password if certificate-based authentication is unsuccessful, or to unlock a desktop lock screen. **Enabled\$1no\$1directory\$1login\$1fallback** enables certificate-based authentication, but does not allow users to log in using their AD domain password. Users will be disconnected to re-authenticate using certificates. *Required*: No *Type*: String *Allowed values*: `DISABLED | ENABLED | ENABLED_NO_DIRECTORY_LOGIN_FALLBACK` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::AppStream::DirectoryConfig ServiceAccountCredentials The credentials for the service account used by the streaming instance to connect to the directory. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AccountName](#cfn-appstream-directoryconfig-serviceaccountcredentials-accountname)" : String, "[AccountPassword](#cfn-appstream-directoryconfig-serviceaccountcredentials-accountpassword)" : String } ``` ### YAML ``` [AccountName](#cfn-appstream-directoryconfig-serviceaccountcredentials-accountname): String [AccountPassword](#cfn-appstream-directoryconfig-serviceaccountcredentials-accountpassword): String ``` ## Properties `AccountName` The user name of the account. This account must have the following privileges: create computer objects, join computers to the domain, and change/reset the password on descendant computer objects for the organizational units specified. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AccountPassword` The password for the account. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `127` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)