
Cognito AdminCreateUser set password and confirmed

Tags:

aws-sdk

When using Cognito's AdminCreateUser how can I specify a permanent password at user creation time? Further, how can I set this user to "confirmed"?

Mark Richman asked Sep 15 '25 21:09


2 Answers

From digging a lot into the docs, it's at least a 2-step process - create the user with a temporary password and 'complete' their registration by setting a permanent one. Posting a NodeJS solution.

  1. First you create the user with a temporary (not really used) password using the SDK:

```typescript
import { CognitoIdentityServiceProvider } from 'aws-sdk';

// Creates the user in the pool; Cognito leaves the account in the
// FORCE_CHANGE_PASSWORD state until a permanent password is set.
const adminCreateUser = async (
  username: string,
  password: string
): Promise<void> => {
  return new Promise<void>((resolve, reject) => {
    // The '<...>' values are placeholders to fill in for your own pool.
    new CognitoIdentityServiceProvider({
      region: '<Pool region>',
      accessKeyId: '<AWS user access key id>',
      secretAccessKey: '<AWS user access secret>',
    }).adminCreateUser(
      {
        Username: username,
        TemporaryPassword: password,
        UserPoolId: '<Cognito User Pool ID>',
      },
      (err) => {
        if (err) {
          return reject(err);
        }

        resolve();
      }
    );
  });
};
```
  2. As per the docs we need to call authenticateUser to trigger a newPasswordRequired callback, in which case we call completeNewPasswordChallenge with the permanent password:

```typescript
import {
  AuthenticationDetails,
  CognitoUser,
  CognitoUserPool,
} from 'amazon-cognito-identity-js';

export const cognitoPool: CognitoUserPool = new CognitoUserPool({
  UserPoolId: '<Cognito Pool ID>',
  ClientId: '<Cognito App Client ID>',
});

// Signs in with the temporary password and answers the resulting
// new-password challenge, which moves the user to the confirmed state.
export const adminConfirmUser = async (
  username: string,
  password: string
): Promise<void> => {
  return new Promise<void>((resolve, reject) => {
    const cognitoUser = new CognitoUser({
      Username: username,
      Pool: cognitoPool,
    });

    cognitoUser.authenticateUser(
      new AuthenticationDetails({
        Username: username,
        Password: password,
      }),
      {
        onSuccess: (session, userConfirmationNecessary) => {
          // User is already confirmed
          resolve();
        },
        onFailure: err => {
          // An error
          reject(err);
        },
        newPasswordRequired: (userAttributes, requiredAttributes) => {
          // The second argument carries any required attributes (none here)
          cognitoUser.completeNewPasswordChallenge(password, null, {
            onSuccess: session => {
              // User confirmed
              resolve();
            },
            onFailure: err => {
              // Error confirming user
              reject(err);
            },
          });
        },
      }
    );
  });
};
```

Note that you may need to pass required attributes when confirming the user registration, depending on how you've set up your Cognito pool.

Atanas Rusenov answered Sep 19 '25 15:09


Another option is to invoke the AdminSetUserPassword command after the user is created, with the Permanent: true parameter.

Ref: AdminSetUserPassword documentation

Valera answered Sep 19 '25 14:09
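The AdminSetUserPassword route from the second answer, written out as an added example (not code from either answerer). `createConfirmedUser` and `CognitoAdminClient` are hypothetical names, `client` is assumed to be an aws-sdk v2 `CognitoIdentityServiceProvider` instance, and the `MessageAction: 'SUPPRESS'` setting and the `adminDeleteUser` cleanup are additions that neither answer mentions.

```typescript
// Local structural type (hypothetical name) covering only the three
// aws-sdk v2 calls used below, so a stub can replace the real client.
type AwsCall = { promise(): Promise<unknown> };
interface CognitoAdminClient {
  adminCreateUser(params: object): AwsCall;
  adminSetUserPassword(params: object): AwsCall;
  adminDeleteUser(params: object): AwsCall;
}

// Create the user, then set a permanent password server-side so the account
// moves from FORCE_CHANGE_PASSWORD to CONFIRMED without a sign-in round trip.
async function createConfirmedUser(
  client: CognitoAdminClient,
  userPoolId: string,
  username: string,
  password: string
): Promise<void> {
  await client
    .adminCreateUser({
      UserPoolId: userPoolId,
      Username: username,
      // TemporaryPassword is omitted so Cognito generates one; SUPPRESS
      // stops it from being sent out in an invitation message.
      MessageAction: 'SUPPRESS',
    })
    .promise();
  try {
    await client
      .adminSetUserPassword({
        UserPoolId: userPoolId,
        Username: username,
        Password: password,
        Permanent: true, // false would leave the user in FORCE_CHANGE_PASSWORD
      })
      .promise();
  } catch (err) {
    // For example the password fails the pool's policy: delete the
    // half-provisioned account instead of leaving it with an unused
    // temporary password, then surface the original error.
    await client
      .adminDeleteUser({ UserPoolId: userPoolId, Username: username })
      .promise();
    throw err;
  }
}
```

Constructing the real client without `accessKeyId`/`secretAccessKey` lets the SDK resolve credentials from its default provider chain instead of from values embedded in source.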