
Cognito User Pool migration with Migrate User Lambda Trigger failing without cause.

0

I created a new Cognito user pool and set up a Migrate user Lambda trigger that has an execution role with the necessary IAM permissions (cognito-idp:AdminCreateUser, cognito-idp:AdminSetUserPassword, etc.) and successfully runs without timing out. It returns the following example event (JSON response structure) upon running (as logged via CloudWatch):

{
  version: '1',
  triggerSource: 'UserMigration_Authentication',
  region: 'us-east-1',
  userPoolId: 'us-east-1_[redacted]',
  userName: 'migrate',
  callerContext: {
    awsSdkVersion: 'aws-sdk-unknown-unknown',
    clientId: [redacted]
  },
  request: { password: [redacted], validationData: null, userAttributes: null },
  response: {
    userAttributes: { email: '[redacted]@gmail.com', email_verified: 'true' },
    finalUserStatus: 'CONFIRMED',
    messageAction: 'SUPPRESS'
  }
}

The only required field for signup is an email. This dummy user doesn’t exist in my new user pool and I’ve tried a range of response modifications (like setting forceAliasCreation to be true, adding username as an attribute to the response and response.userAttributes, etc.).

Both source and new Cognito User Pool's app clients have the USER_PASSWORD_AUTH flow enabled for authentication. I’ve checked that my Cognito User Pool allows admin user creation and successfully created a test user in the AWS CLI.

As far as I can tell, my migration Lambda is working correctly but Cognito isn't creating the user. I can’t find any way to troubleshoot from the Cognito side of things and don’t understand what could be happening.

If anyone had any suggestions for next steps or any ideas for what else I could do to troubleshoot this, it would be greatly appreciated!

2 Answers
6

It may be related to missing required attributes. Even if the pool only requires email, Cognito may still expect certain attributes to be present in the response.userAttributes object.

Try including:

userAttributes: {
  email: "user@example.com",
  email_verified: "true",
  username: "migrate"
}

Also consider adding preferred_username or given_name if your original pool used them.

  1. Incorrect attribute format: ensure all attributes are strings and match Cognito's expected format:
  • email_verified must be "true" (string), not true (boolean).
  • Avoid trailing commas or malformed JSON.
EXPERT
answered 9 months ago
  • I've tested all combinations of response.userAttributes I could think of that are assigned to old users in the old user pool:

    • {email, email_verified}
    • {username, email, email_verified}
    • {username, email, email_verified, preferred_username}
    • {email, email_verified, preferred_username}
    • {email, email_verified, phone_number, phone_number_verified}
    • {username, email, email_verified, phone_number, phone_number_verified}
    • {username, email, email_verified, preferred_username, phone_number, phone_number_verified}

    I've double-checked my logs to see that email_verified is always a string, not a boolean, and that the response has no trailing commas or malformed JSON syntax. I've also tried to include a response.username variable with many of the combinations listed above since I saw a suggestion that username shouldn't be included in user attributes directly but rather as its own variable in response (although I don't think that's correct and it didn't solve my issue).

0

Hey,

Hope you're keeping well.

In a Cognito UserMigration_Authentication trigger, Cognito only creates the user if the Lambda returns userAttributes and sets finalUserStatus and messageAction correctly, but it also requires that the authentication succeeds. You must set response.forceAliasCreation only if migrating aliases, and ensure response.userAttributes includes all attributes required by your pool (matching the exact attribute names, e.g. email instead of username). If your Lambda does not call context.succeed(event) with those populated fields before returning, Cognito will silently skip creation.

Thanks and regards,
Taz

answered 5 months ago
