
Background: I have a webpage (internal tool) that uses an API which is secured with Cognito. The current way of creating a user in the Pool looks like this:

  1. User goes into webpage
  2. Logs in using Google
  3. Cognito creates the user in the pool with External Provider - Google
  4. IT assigns user to proper groups = user can use webpage, depending on the groups he is assigned to.

Now, the problem is the first 2 steps. In order for the user to appear in the pool he must first enter the webpage (after this the user is automatically kicked out as he is not assigned to any group) & needs to wait for somebody to assign him to a group. I want to automate these steps so that users can enter the tool & have it available straight away.

Is there a way to create (using the API) a user in the pool (with an external identity provider), so that I can automatically create an entry in Cognito + assign him to groups?

Because the company has GSuite, I have the possibility to retrieve all necessary data both from Cognito & Google to create it. Does somebody have an idea how to do so? I think I read through the boto3 docs & Cognito docs & couldn't find any answer.

1 Answer

I'm trying to solve the same problem. Users are created via Cognito external provider, but won't have access until someone manually adds this generated user into a user group with the necessary role assigned.

One potential option I am considering is to eliminate the user groups altogether. In Cognito Identity Pool, there's an option to assign roles based on the claims included in the Cognito token. So instead of IT mapping the user to a group which has the role required, you could programmatically update the rules on the identity pool prior to the user's first sign-in. Adding a rule to the identity pool which checks the userId claim and maps the appropriate role may solve the use case. See https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-rules-to-assign-roles-to-users. Edit: I realized this will not work because there is a limitation of 25 rules on the identity pool, so adding a rule for each user is not feasible.

Another option might be to use a lambda trigger on the Cognito user pool, since this allows for more custom logic. The lambda could check a database with predetermined mappings upon login and assign the user to a user group programmatically. That feels like it will be a fair amount of work/components for what I assume is a very common use case. Hopefully there is another approach I am not aware of.

Neither option seems as clean/simple as I would expect it to be, so I am very curious if you have found a better solution.

siegelc
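The Lambda-trigger approach from the answer above, as an added example that is neither the asker's nor the answerer's code: a handler assumed to be wired as a Cognito user pool Post confirmation trigger, which resolves the new user's groups from a mapping and calls `admin_add_user_to_group`. The `GROUP_MAPPINGS` dict is a constructed stand-in for the "database with predetermined mappings"; the e-mail addresses, pool id and group names are placeholders, and the `email_verified` check assumes the Google attribute mapping populates that attribute.

```python
"""Cognito Post confirmation trigger that assigns groups from a mapping table.

Example code, not from the question or answer. Assumes the user pool's
Post confirmation trigger points at lambda_handler and that the Lambda role
is allowed cognito-idp:AdminAddUserToGroup on this pool.
"""

# Constructed sample mapping: exact e-mail first, then a domain-wide default.
GROUP_MAPPINGS = {
    "alice@example.com": ["admins", "analysts"],
    "@example.com": ["analysts"],
}


def groups_for(email, mappings=GROUP_MAPPINGS):
    """Resolve the groups for an e-mail; unmapped users get none (fail closed)."""
    email = (email or "").strip().lower()
    if "@" not in email:
        return []
    exact = mappings.get(email)
    if exact is not None:
        return list(exact)
    return list(mappings.get("@" + email.rsplit("@", 1)[1], []))


def assign_groups(event, idp_client):
    """Add the confirmed user to every mapped group; returns the groups assigned."""
    pool_id = event["userPoolId"]
    username = event["userName"]
    attrs = event.get("request", {}).get("userAttributes", {})
    # Only act on a verified e-mail, so an unverified claim cannot pick a group.
    if str(attrs.get("email_verified", "false")).lower() != "true":
        return []
    assigned = []
    for group in groups_for(attrs.get("email")):
        idp_client.admin_add_user_to_group(
            UserPoolId=pool_id, Username=username, GroupName=group)
        assigned.append(group)
    return assigned


def lambda_handler(event, context):
    """Lambda entry point; Cognito expects the event to be returned."""
    import boto3  # imported here so the module loads without boto3 installed

    assign_groups(event, boto3.client("cognito-idp"))
    return event
```

Because group membership is written before the user's first access token is issued, the `cognito:groups` claim is already present when the webpage checks it.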