Mass Import of Users to Cognito User Pool


A customer is planning to migrate their existing 5.4 million user base to Cognito (using doorkeeper gem for authentication currently) and would like their current users to be able to retain their existing passwords.

  1. Is there a way to do a batch user import and retain all existing passwords? - I found the following blog post on this, would they need to follow the one-at-a-time user migration process or is there a better way? (https://aws.amazon.com/blogs/mobile/migrating-users-to-amazon-cognito-user-pools/)

  2. How long would a migration like this take (reasonable timeline?)/ how long would it require both authentication systems to be up and running?

  3. What happens to any duplicate user info during the migration over to Cognito?

  4. The customer was also curious if at any point they needed to move their user pool out, is there a process to export their user pool?

Thank you so much!

AWS
Asked 4 years ago, 2326 views
1 Answer
Accepted Answer
  1. In addition to what is described in the blog, Cognito added support for a Migration Lambda trigger that allows an easier setup for a one-by-one migration, basically replacing the "migration microservice" described in the blog. This is the only way to retain passwords transparently for the user, as the user will not know the backing IdP has changed. This process will take some time to execute as it requires that each user logs in at least once, and it is important that the implementation follows the advice given in our documentation in regard to which auth flow to use.

  2. This is up to the customer to decide, and depends on when the users log in the first time. The customer can decide on a given threshold (e.g. 70% of users migrated) before shutting down his existing auth. This would mean that the remaining users will have to use the forgotten password flow to set the password in the new system (explained in the doc above).

  3. If the user already exists in Cognito, the migration Lambda is not called and the user logs in directly into Cognito.

  4. The customer can export the content of the pool using the ListUser API. Cognito does not store the user passwords in a recoverable format, hence they cannot be exported. A process similar to the one used to migrate into Cognito can also be used to migrate users out of Cognito.

AWS
Expert
Answered 4 years ago
Expert
Reviewed 10 months ago
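
The Migration Lambda trigger described in the answer above, as an added example (not part of the original answer and not AWS's own code). The in-memory legacy store, its PBKDF2 hashing and the helper names are assumptions standing in for the customer's existing system; the trigger sources and response fields are the ones Cognito uses for a user migration trigger.

```python
import hashlib
import hmac

def _hash(password, salt):
    # Assumption: the legacy system stored salted PBKDF2-SHA256 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data standing in for the existing user database.
LEGACY_USERS = {
    "alice@example.com": {
        "salt": b"constructed-salt",
        "hash": _hash("correct horse", b"constructed-salt"),
        "email_verified": True,
    },
}
# Dummy record so unknown users cost the same hashing work as known ones.
DUMMY = {"salt": b"dummy-salt", "hash": b"\x00" * 32}

def legacy_password_ok(user, password):
    record = user or DUMMY
    match = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    return user is not None and match

def lambda_handler(event, context):
    user = LEGACY_USERS.get(event["userName"])
    source = event["triggerSource"]
    if source == "UserMigration_Authentication":
        # The password is present only when the client signs in with a flow
        # that sends it to Cognito (USER_PASSWORD_AUTH), not with SRP.
        if not legacy_password_ok(user, event["request"]["password"]):
            raise Exception("Bad credentials")  # same error for both failures
        # Password proven against the legacy store: no reset needed.
        event["response"]["finalUserStatus"] = "CONFIRMED"
    elif source == "UserMigration_ForgotPassword":
        if user is None:
            raise Exception("Bad credentials")
    else:
        raise Exception("Unexpected trigger source: " + source)
    event["response"]["userAttributes"] = {
        "email": event["userName"],
        "email_verified": "true" if user["email_verified"] else "false",
    }
    # Suppress Cognito's welcome message so the switch stays invisible.
    event["response"]["messageAction"] = "SUPPRESS"
    return event
```

Raising an exception makes Cognito reject the sign-in without creating the user, so a wrong password never produces a migrated account.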
