
The migration lambda works as expected and the user is created after I edit the response and call context.succeed(event) as follows:

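      // Attributes Cognito stores on the migrated user
      event.response.userAttributes = {
        email: email,
        email_verified: 'true',
        'custom:mid': `${MID!}`,
      };
      // Create the user as already confirmed and send no invitation message
      event.response.finalUserStatus = 'CONFIRMED';
      event.response.messageAction = 'SUPPRESS';

      // Register user in Cognito and log in to return token
      context.succeed(event);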

My question is: I need to add the user to Dynamo with the userId being the Cognito sub. Is there a way I can:

  1. Create the user in Cognito.
  2. Add my user to Dynamo with the Cognito id.
  3. Return to the migration flow (the user is logged in as expected).

When I do it manually, meaning adding the user to Cognito from the API, it fails in the end (probably because it finds that the user already exists).

--- providing more context ---

I am migrating into AWS (Cognito user pool and DynamoDB users table), so I am utilizing the Cognito migration trigger, which handles the creation of the user that is trying to log in. The issue is that the flow ends with the user's creation in Cognito. Ideally, I would want to save the user's sub (Cognito id) in Dynamo along with his data.

--- update ---

I tried using Cognito's PostConfirmation trigger, which is usually triggered on a user's account confirmation, but that didn't work since the migration flow uses admin confirmation instead of the actual user.

I ended up using Cognito's PostAuthentication trigger; it's not ideal, as this is triggered on every user login. I added a custom attribute flag to the user pool (something like db-migrated), which I check within the PostAuth and add the user to Dynamo accordingly before I update it.

Would appreciate a smoother solution.

Ali Fahmy
  • Can you post some more context? For example, is there already a user in your DynamoDB? Do you use the custom trigger Lambda functionality of Cognito, or do you have a Lambda which creates the user and, with the response of Cognito, you want to create / update your db user entity? Do you have any CloudWatch logs? etc. – droebi Apr 07 '22 at 06:04
  • Thank you for replying @droebi, I updated the question with more context and my current solution. I do have CloudWatch logs. The Cognito triggers operate in a specific order and expect specific responses. The goal is to make the migration as seamless as possible to the user trying to log in. – Ali Fahmy Apr 07 '22 at 11:09
  • It might be a better solution to not use the custom trigger Lambdas from Cognito and replace them with an "external" Lambda using the AWS SDK and work with CognitoIdentityServiceProvider / AdminCreateUserEvent etc. Here you will definitely have more options to handle problems. – droebi Apr 12 '22 at 12:01

0 Answers
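The PostAuthentication workaround from the question's update, as an added example (not the poster's code) that keeps the DynamoDB write idempotent and sets the flag only after the row keyed by the Cognito sub exists. The attribute name `custom:db-migrated`, the item fields and the injected functions `putUserOnce` / `markMigrated` are assumptions; in a deployment they would wrap a DynamoDB conditional put and a Cognito `AdminUpdateUserAttributes` call.

```javascript
// Added example. The two injected functions stand in for AWS SDK v3 calls:
//   putUserOnce(item)              -> DynamoDB PutItemCommand with
//                                     ConditionExpression "attribute_not_exists(userId)"
//   markMigrated(poolId, username) -> Cognito AdminUpdateUserAttributesCommand
// FLAG and the item field names are assumptions, not taken from the post.
const FLAG = 'custom:db-migrated';

// True when this login still has to be copied into the users table.
function needsProvisioning(event) {
  return event.request.userAttributes[FLAG] !== 'true';
}

// Build the table item; the Cognito sub is the primary key.
function toUserItem(event) {
  const a = event.request.userAttributes;
  return { userId: a.sub, email: a.email, mid: a['custom:mid'] };
}

function makePostAuthHandler({ putUserOnce, markMigrated }) {
  return async function handler(event) {
    if (!needsProvisioning(event)) return event; // common path: no AWS calls
    try {
      await putUserOnce(toUserItem(event));
    } catch (err) {
      // A retry or a concurrent login already wrote the row: not an error.
      if (err.name !== 'ConditionalCheckFailedException') throw err;
    }
    // Set the flag only after the row exists, so a failed write is retried
    // on the next login instead of being skipped forever.
    await markMigrated(event.userPoolId, event.userName);
    return event; // Cognito expects the event object back
  };
}

// In-memory stand-in for the table with conditional-put semantics (constructed).
function makeFakeTable() {
  const rows = new Map();
  return {
    rows,
    async putUserOnce(item) {
      if (rows.has(item.userId)) {
        throw Object.assign(new Error('exists'), { name: 'ConditionalCheckFailedException' });
      }
      rows.set(item.userId, item);
    },
  };
}
```

Keep the flag attribute out of the app client's writable attributes so that only the Lambda's admin call can set it.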