
How to set Cognito Groups in Migration trigger

I am currently building a migration solution from an AWS Userpool to another using the CognitoTrigger "User Migration".

I have a Group I want to set during migration but I cannot do it because the user isn't created before the whole context finishes.

How can I solve this? I don't want to create a PostAuth - lambda because I only need/want/can run this once per migration and I also want to do this the instant (or up to a few minutes later) the migration happens. (or is it possible to make this PostAuth check if it is the first time it triggers?)

I tried PostConfirm in the hopes of this triggering when the user was created but that did not trigger.

Zanndorin asked Sep 30 '20 13:09


1 Answer

If someone else runs into this - I solved this using a combination of a User Migration trigger and a Pre Token Generation trigger.

In the User Migration trigger (mostly copied from https://github.com/Collaborne/migrate-cognito-user-pool-lambda) look up and create the user if auth fails/user doesn't exist in the new pool.

In the Pre Token Generation trigger, if the user hasn't been added to groups yet, look up group membership in the old user pool (adminListGroupsForUser) and add them to the new pool (adminAddUserToGroup). The crucial part is to override the group membership claims in the response so that they will be added to the token on the client side (groupsToOverride is just an array of the group names the user is part of):

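event.response = {
    "claimsOverrideDetails": {
        // No extra claims are added; only the group claim is replaced.
        "claimsToAddOrOverride": {},
        "groupOverrideDetails": {
            // Array of the group names the user belongs to.
            "groupsToOverride": groupsToOverride,
        }
    }
};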
BrokenGlass answered Dec 27 '22 01:12
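The Pre Token Generation step described in the answer above, as an added example that is not code from the original post or from the Collaborne project. The `deps` object and its `listOldGroups`, `addToNewGroup` and `allowedGroups` members are hypothetical wrappers around adminListGroupsForUser and adminAddUserToGroup, the allow-list of new-pool groups is an added assumption, and the pool id and user names are constructed sample values.

```javascript
// Added example. `deps` is a hypothetical wrapper object, injected so the logic runs offline:
//   deps.listOldGroups(username) -> Promise<string[]>  (wraps adminListGroupsForUser, OLD pool)
//   deps.addToNewGroup(poolId, username, group) -> Promise (wraps adminAddUserToGroup, NEW pool)
//   deps.allowedGroups -> group names that exist in the new pool (assumption)

// Keep only old-pool groups that are expected in the new pool, de-duplicated.
function selectGroups(oldGroups, allowedGroups) {
  const allowed = new Set(allowedGroups);
  return [...new Set(oldGroups)].filter((g) => allowed.has(g));
}

// Response shape from the answer: replace the group claim, add no other claims.
function buildResponse(groupsToOverride) {
  return {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {},
      groupOverrideDetails: { groupsToOverride },
    },
  };
}

function makePreTokenHandler(deps) {
  return async function handler(event) {
    // Groups Cognito already knows for this user in the new pool.
    const current = (event.request.groupConfiguration || {}).groupsToOverride || [];
    if (current.length > 0) return event; // already migrated: leave the token alone

    const oldGroups = await deps.listOldGroups(event.userName);
    const groups = selectGroups(oldGroups, deps.allowedGroups);
    for (const group of groups) {
      await deps.addToNewGroup(event.userPoolId, event.userName, group);
    }
    // Membership added above is not in this token yet, so override the claim.
    if (groups.length > 0) event.response = buildResponse(groups);
    return event;
  };
}

// Constructed sample run with in-memory fakes instead of AWS calls.
const added = [];
const demoHandler = makePreTokenHandler({
  allowedGroups: ["admins", "editors"],
  listOldGroups: async () => ["editors", "legacy-beta", "editors"],
  addToNewGroup: async (pool, user, group) => { added.push(`${pool}/${user}/${group}`); },
});
const demoEvent = { userPoolId: "eu-west-1_EXAMPLE", userName: "alice",
  request: { groupConfiguration: { groupsToOverride: [] } }, response: {} };
demoHandler(demoEvent).then((e) => console.log(JSON.stringify(e.response), added));
```

With this logic a user who has no groups in the old pool is looked up again on every token issuance, because an empty group list is the only "not yet migrated" signal it uses.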