
Cognito User migration trigger not firing


I have a Cognito user pool in eu-west-1. I'm trying to add a trigger for user migration. It doesn't trigger when I try to log in as a nonexistent user. I've tested this by writing a simple Python Lambda:

def handler(event, context):
    print(event)
    return event

In the logs, I never see this run if the user does not exist. I then tried setting all the triggers to use this Lambda. When logging in with an existing user, I see:

  • PreAuthentication_Authentication
  • PostAuthentication_Authentication
  • TokenGeneration_Authentication

When logging in with a nonexistent user, i.e. a migration candidate, I see no triggers fired.

Is this a region-specific issue? Is there something we need to enable for the triggers to fire? Do we need to enable specific permissions for triggers to be fired by non-authed users or failed logins?


Solution

  • To invoke the User Migration Trigger you must auth using USER_PASSWORD_AUTH

    authenticationFlowType: 'USER_PASSWORD_AUTH'
    

    An example of doing this is the Amplify configuration below (the setting is near the bottom):

    import Amplify from 'aws-amplify';
    
    Amplify.configure({
        Auth: {
    
        // REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
        identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    
        // REQUIRED - Amazon Cognito Region
        region: 'XX-XXXX-X',
    
        // OPTIONAL - Amazon Cognito Federated Identity Pool Region 
        // Required only if it's different from Amazon Cognito Region
        identityPoolRegion: 'XX-XXXX-X',
        // OPTIONAL - Configuration for cookie storage
        // Note: if the secure flag is set to true, then the cookie transmission requires a secure protocol
        cookieStorage: {
        // REQUIRED - Cookie domain (only required if cookieStorage is provided)
            domain: '.yourdomain.com',
        // OPTIONAL - Cookie path
            path: '/',
        // OPTIONAL - Cookie expiration in days
            expires: 365,
        // OPTIONAL - Cookie secure flag
        // Either true or false, indicating if the cookie transmission requires a secure protocol (https).
            secure: true
        },
    
        // OPTIONAL - customized storage object
        storage: new MyStorage(),
    
        // OPTIONAL - Manually set the authentication flow type. Default is 'USER_SRP_AUTH'
        authenticationFlowType: 'USER_PASSWORD_AUTH',
    
        // OPTIONAL - Amazon Cognito User Pool ID
        userPoolId: 'XX-XXXX-X_abcd1234',
    
        // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
        userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',
    
        // OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
        mandatorySignIn: false,
    
    }
    });
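With `USER_PASSWORD_AUTH` the migration trigger receives the user's plaintext password in `event["request"]["password"]`, so the `print(event)` test handler from the question would write it to the logs. The handler below is an added example, not code from the original question or answer: it masks the password before logging and verifies it against a legacy store. `LEGACY_USERS` and `verify_legacy_password` are hypothetical, constructed stand-ins for the old user database; the event fields are those of Cognito's user migration trigger.

```python
import copy
import hashlib
import hmac

# Constructed legacy store (assumption): username -> (salt, PBKDF2 hash, email).
_SALT = b"constructed-salt"
LEGACY_USERS = {
    "alice": (_SALT,
              hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
              "alice@example.com"),
}


def verify_legacy_password(username, password):
    """Hypothetical legacy check: returns the user's email, or None on failure."""
    record = LEGACY_USERS.get(username)
    if record is None or password is None:
        return None
    salt, stored, email = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return email if hmac.compare_digest(candidate, stored) else None


def redact(event):
    """Return a copy of the event that is safe to log (password masked)."""
    safe = copy.deepcopy(event)
    if "password" in safe.get("request", {}):
        safe["request"]["password"] = "***"
    return safe


def handler(event, context):
    print(redact(event))  # not print(event): request.password is plaintext
    if event.get("triggerSource") != "UserMigration_Authentication":
        raise Exception("Unsupported trigger source")
    email = verify_legacy_password(event["userName"],
                                   event["request"].get("password"))
    if email is None:
        raise Exception("Bad credentials")  # an error makes the sign-in fail
    event["response"]["userAttributes"] = {"email": email,
                                           "email_verified": "true"}
    event["response"]["finalUserStatus"] = "CONFIRMED"  # keep existing password
    event["response"]["messageAction"] = "SUPPRESS"     # send no welcome message
    return event
```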