Can you export/migrate users out of AWS cognito, does it cause vendor lock-in?

Question

This is a question about vendor lock in and AWS cognito. Can user data and encrypted/hashed passwords be exported out of cognito if we ever move off of AWS?

Can/does cognito use standard hashing or configurable hashing of the user passwords or allow export of things like tokens?

score 25 · Accepted Answer · edited Oct 19 '16 at 16:00

25

At this point in time, Cognito does not allow a way to export users from a user pool. We have heard this request from other customers, though, and have prioritized it for future releases.

As far as passwords go, Cognito uses secure remote password protocol to do the actual authentications, so the metadata that could come out may not be particularly useful, if it was included at all.

edited Oct 19 '16 at 16:00

jzonthemtn

3,344
1
21
30

answered Oct 17 '16 at 22:48

Jeff Bailey

5,655
1
22
30

1

What about transferring the pool to another AWS account? – Tony Gutierrez Apr 19 '17 at 17:43
5

Same answer, not currently supported but it's a request we've heard multiple times. – Jeff Bailey Apr 19 '17 at 17:50
5

really important feature missing – B M Sep 09 '17 at 17:02
4

@JeffBailey - Is this still true? Your answer is approaching 2 years old. – arcseldon Mar 15 '18 at 22:24
1

https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-cognito-simplifies-user-migration/ – arcseldon Mar 15 '18 at 22:26
I'm no longer on the Cognito team so I might be wrong, but I believe that link is more directed towards importing. I believe the answer is no, unless you call list users a lot. – Jeff Bailey Mar 15 '18 at 22:34
@JeffBailey still no ability to migrate users to a different AWS account? – Kevin Jan 11 '19 at 17:50
relevant discussion on AWS forum: https://forums.aws.amazon.com/thread.jspa?messageID=886307 – Neil Jan 22 '19 at 03:09
2

It is more like - the answer will always be no, as they do not want you to expert out of Cognito, so that you hopefully stay stuck in it. Development wise it will take a day to develop the feature. – ShaunOReilly May 11 '22 at 20:03

score 15 · Answer 2 · answered Jan 27 '19 at 02:06

15

Considering Amazon still haven't updated their answer, here's a workaround (to augment the accepted answer):

Try npmjs.com/package/cognito-backup-restore.

nb. I haven't tested this package.

Then:

Build your replacement auth system
At login, test authenticating with your new system
Try to authenticate with Cognito
If Cognito succeed, import user's details to your new system
Require a password update with your new system

source: forums.aws.amazon.com/thread.jspa?threadID=240242

answered Jan 27 '19 at 02:06

tgrrr

706
6
16

As you mention, this method requires a password reset for every user because as the comment in the NPM library says "Please Note: There is no way of getting passwords of the users in cognito, so you may need to ask them to make use of ForgotPassword to recover their account.". So not a very seamless user experience that might end of losing a bunch of your users. – John Sibly Nov 01 '21 at 16:43

score 3 · Answer 3 · answered Sep 22 '20 at 03:08

This reference architecture might be of some use: https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/

It uses the ListUsers API to export user profiles to a DynamoDB table. It is designed to run on a schedule (daily/weekly/etc.) to keep the DynamoDB table up to date with the profiles in the user pool. The source is on GitHub so it be possible to modify the solution to export to a CSV.

If the profiles are imported to a new user pool, user will still need to reset passwords. Other limitations listed in the deployment guide.

Thanks for sharing this -- seems like a lot of resources say you can't get users out of Cognito, but seems like you can. — rpivovar, Dec 18 '21 at 15:31

score 2 · Answer 4 · answered Aug 23 '17 at 09:19

2

Cognito actually has the capability to import users using CSV files, however no export functionality is available ( unless you List Users and write to a CSV )

answered Aug 23 '17 at 09:19

Avindu Hewa

1,608
1
15
23

5

Even listing users and building a CSV would still require all users to reset passwords – B M Sep 09 '17 at 17:02
The csv import was extremely buggy for us so we ended up opening an EC2 and using CLI to do the import. This allowed setting arbitrary passwords. – Warren Wang Aug 24 '21 at 05:06

Can you export/migrate users out of AWS cognito, does it cause vendor lock-in?

4 Answers4

Linked