After using Cognito for a few months, some users in a user pool have now lost the "email_verified" attribute. I can't understand how it is missing or how to recover.
Symptoms are:
Getting the user attributes for the user with the list-users CLI shows the attribute is missing:
    aws cognito-idp list-users --user-pool-id MYID-123 --query 'Users[?Username==`error@bla.com`].[*]'
    [
        [
            [
                "error@bla.com",
                true,
                "CONFIRMED",
                1522127817.526,
                1522127819.369,
                [
                    {
                        "Name": "sub",
                        "Value": "123123123341241238"
                    },
                    {
                        "Name": "email",
                        "Value": "bla@bla.com"
                    }
                ]
            ]
        ]
    ]
vs. one with the attribute in place:
    aws cognito-idp list-users --user-pool-id MYID-123 --query 'Users[?Username==`bla@bla.com`].[*]'
    [
        [
            [
                "bla@bla.com",
                true,
                "CONFIRMED",
                1524048734.588,
                1524048737.777,
                [
                    {
                        "Name": "sub",
                        "Value": "1231231231231235"
                    },
                    {
                        "Name": "email_verified",
                        "Value": "true"
                    },
                    {
                        "Name": "email",
                        "Value": "bla@bla.com"
                    }
                ]
            ]
        ]
    ]
If I try deleting the attribute (with enough permissions), it fails - as one would expect - explaining it is not mutable:
    aws cognito-idp admin-delete-user-attributes --user-pool-id MYID-123 --username test2@test.com --user-attribute-names email_verified
    An error occurred (InvalidParameterException) when calling the AdminDeleteUserAttributes operation: Cannot modify the non-mutable attribute email_verified
I cannot find the cause for this problem, other than blaming AWS Cognito.
A workaround/hack/patch is to add the attribute back; this time, the non-mutable check is not a problem:
    aws cognito-idp admin-update-user-attributes --user-pool-id MYID-123 --username error@bla.com --user-attributes Name=email_verified,Value=true
And now the user has the attribute again and I can reset the password.
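To find every affected account instead of checking users one at a time, the following added example (not part of the original post) scans the full JSON output of `aws cognito-idp list-users`, run without `--query`, for users that have an `email` attribute but no `email_verified`, and prints the workaround command for each. The function names and the `SAMPLE` data are hypothetical and constructed from the two users shown above.

```python
import json
import shlex
import sys

# Constructed sample shaped like the full (un-queried) output of
# `aws cognito-idp list-users`; values mirror the two users in the post.
SAMPLE = {
    "Users": [
        {"Username": "error@bla.com", "Enabled": True, "UserStatus": "CONFIRMED",
         "Attributes": [{"Name": "sub", "Value": "123123123341241238"},
                        {"Name": "email", "Value": "bla@bla.com"}]},
        {"Username": "bla@bla.com", "Enabled": True, "UserStatus": "CONFIRMED",
         "Attributes": [{"Name": "sub", "Value": "1231231231231235"},
                        {"Name": "email_verified", "Value": "true"},
                        {"Name": "email", "Value": "bla@bla.com"}]},
    ]
}


def users_missing_email_verified(list_users_output):
    """Return usernames that have an email attribute but no email_verified."""
    missing = []
    for user in list_users_output.get("Users", []):
        names = {a["Name"] for a in user.get("Attributes", [])}
        if "email" in names and "email_verified" not in names:
            missing.append(user["Username"])
    return missing


def repair_command(user_pool_id, username):
    """Build the admin-update-user-attributes call used as the workaround."""
    args = ["aws", "cognito-idp", "admin-update-user-attributes",
            "--user-pool-id", user_pool_id, "--username", username,
            "--user-attributes", "Name=email_verified,Value=true"]
    # Quote each argument so unusual usernames stay a single shell word.
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Pipe real `list-users` JSON on stdin, or run with no input for the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    pool_id = sys.argv[1] if len(sys.argv) > 1 else "MYID-123"
    for name in users_missing_email_verified(data):
        print(repair_command(pool_id, name))
```

The commands are printed rather than executed so each account can be reviewed first, since setting `email_verified` to `true` marks the address as verified without a new verification round trip.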