We're trying to migrate users from the old user pool into a new one, as part of switching AWS accounts after a Well-Architected review, using the "Migrate user" trigger on the new pool.

The problem is that despite trying multiple ways to migrate the users, the login screen keeps giving the `Exception migrating user in app client` error.

According to CloudWatch, the lambda finishes normally, is not out of memory, does receive all the necessary information (using the `ALLOW_USER_PASSWORD_AUTH` flow as described), and is based on the AWS example on the docs page.
The flow of the migration lambda is as follows:

- attempt to authenticate the user on the old Cognito pool
- on success, fetch all user info from the old pool using the access token
- on success, fill in the `response` section of the event and return
The data is filled in like this:

```python
# sub and email were read from the old pool's user record in the previous step
event['response']['userAttributes'] = {
    'username': sub,
    'email': email,
    'email_verified': True,
    'custom:prev_sub': sub
}
event['response']['finalUserStatus'] = 'CONFIRMED'
event['response']['messageAction'] = 'SUPPRESS'
return event
```
The `custom:prev_sub` is a custom field on the new pool to preserve the old `sub` of the user. I've left it in the snippet above, as we need this value, but most of the tests were done without sending this value at all.

The new pool has no required attributes, and through the console it is possible to create a user with just an email.
Things we tried that did not help:

- sending `"true"` as the value of `email_verified`, as used in the AWS Migrate User docs
- sending a different value for `username`, such as the email
- not sending the `username` at all
Any help is very welcome!
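The following is an added example of a Migrate user trigger handler that follows the three-step flow described in the question (authenticate against the old pool, read the user's attributes, fill in `event["response"]`). It is not the poster's code and not AWS's sample: the Cognito client is injected so the logic can be run offline against a constructed stand-in, and `OLD_POOL_ID`, `OLD_CLIENT_ID`, `FakeCognitoClient` and the sample user are all constructed for the example. `custom:prev_sub` is the custom attribute named in the question. The defender-side points it encodes are that the password is verified against the old pool before anything is migrated (a rejected login raises, so Cognito reports an authentication error rather than creating a user), that the password is forwarded but never logged, and that every attribute value in the response is a string, as in the AWS docs example the question refers to. It also handles the `UserMigration_ForgotPassword` trigger source, where no password is available, by looking the user up with `admin_get_user` instead.

```python
# Added example (not the poster's code): a "Migrate user" trigger handler that
# follows the flow in the question, with an injectable Cognito client so the
# logic runs offline. OLD_POOL_ID, OLD_CLIENT_ID, FakeCognitoClient and the
# sample user are constructed; custom:prev_sub is the attribute from the question.

OLD_POOL_ID = "us-east-1_OLDPOOL"    # constructed placeholder
OLD_CLIENT_ID = "old-app-client-id"  # constructed placeholder; must allow USER_PASSWORD_AUTH


class NotAuthorized(Exception):
    """Stand-in for the cognito-idp client's NotAuthorizedException."""


def fetch_old_user(event, old_pool):
    """Return the old pool's attributes for event["userName"] as a dict.
    On UserMigration_Authentication the password is verified against the old
    pool first; a rejected login raises, so Cognito reports an auth error
    instead of migrating. On UserMigration_ForgotPassword there is no
    password, so the user is looked up with admin_get_user.
    """
    username, source = event["userName"], event["triggerSource"]
    if source == "UserMigration_Authentication":
        auth = old_pool.initiate_auth(
            AuthFlow="USER_PASSWORD_AUTH",
            ClientId=OLD_CLIENT_ID,
            # forwarded to the old pool only; never log the password
            AuthParameters={"USERNAME": username,
                            "PASSWORD": event["request"]["password"]},
        )
        user = old_pool.get_user(
            AccessToken=auth["AuthenticationResult"]["AccessToken"])
    elif source == "UserMigration_ForgotPassword":
        user = old_pool.admin_get_user(UserPoolId=OLD_POOL_ID, Username=username)
    else:
        raise ValueError(f"unexpected triggerSource {source!r}")
    return {a["Name"]: a["Value"] for a in user["UserAttributes"]}


def migrate_user(event, old_pool):
    """Fill in event["response"] as the Migrate user trigger expects.
    Attribute values are all strings, as in the AWS docs example ("true");
    the username comes from event["userName"] and is not repeated here;
    the old sub is preserved in custom:prev_sub.
    """
    old = fetch_old_user(event, old_pool)
    event["response"]["userAttributes"] = {
        "email": old["email"],
        "email_verified": "true",
        "custom:prev_sub": old["sub"],
    }
    event["response"]["finalUserStatus"] = "CONFIRMED"
    event["response"]["messageAction"] = "SUPPRESS"
    return event


class FakeCognitoClient:
    """Constructed offline stand-in for boto3's cognito-idp client."""

    def __init__(self, users):
        self._users = users  # {username: {"password": ..., "attributes": {...}}}

    def _as_list(self, username):
        attrs = self._users[username]["attributes"]
        return [{"Name": k, "Value": v} for k, v in attrs.items()]

    def initiate_auth(self, AuthFlow, ClientId, AuthParameters):
        rec = self._users.get(AuthParameters["USERNAME"])
        if rec is None or rec["password"] != AuthParameters["PASSWORD"]:
            raise NotAuthorized("Incorrect username or password.")
        token = "token-for-" + AuthParameters["USERNAME"]
        return {"AuthenticationResult": {"AccessToken": token}}

    def get_user(self, AccessToken):
        username = AccessToken[len("token-for-"):]
        return {"Username": username, "UserAttributes": self._as_list(username)}

    def admin_get_user(self, UserPoolId, Username):
        if Username not in self._users:
            raise NotAuthorized("User does not exist.")
        return {"Username": Username, "UserAttributes": self._as_list(Username)}


def make_event(trigger_source, username, password=None):
    """Constructed sample of the event Cognito sends to the trigger."""
    return {"triggerSource": trigger_source, "userName": username,
            "request": {"password": password},
            "response": {"userAttributes": None, "finalUserStatus": None,
                         "messageAction": None}}


# constructed sample user in the old pool
OLD_POOL = FakeCognitoClient({"alice@example.com": {
    "password": "correct horse battery staple",
    "attributes": {"sub": "11111111-2222-3333-4444-555555555555",
                   "email": "alice@example.com"}}})

if __name__ == "__main__":
    ev = make_event("UserMigration_Authentication", "alice@example.com",
                    "correct horse battery staple")
    print(migrate_user(ev, OLD_POOL)["response"])
```

In a deployed trigger the `old_pool` argument would be a real `boto3.client("cognito-idp")` for the old account, and `NotAuthorized` would be that client's `exceptions.NotAuthorizedException`; the handler deliberately lets that exception propagate, because Cognito treats any error from the trigger as a failed migration and shows the user a normal sign-in failure.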