Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

CLI query to cognito returning only the Email address for all Enabled users

0

Hello. I have a CLI query like this:

aws cognito-idp list-users --user-pool-id **** --query 'Users[*].Attributes[?Name==`email`].Value' --output table

Which returns a nice table of all the email addresses of my users, but I want to filter this so only the active users are included.

If I run:

aws cognito-idp list-users --user-pool-id **** --query 'Users[?Enabled==`true`].Attributes' --output table

I get all my active users, so I thought I should be able to combine these two things like:

aws cognito-idp list-users --user-pool-id **** --query 'Users[?Enabled==`true`].Attributes[?Name==`email`].Value' --output table

But this returns nothing. Why?

I am just looking to output a list of the email addresses and perhaps the usernames of all my active users from one user pool.

Topics
Security, Identity, & Compliance
Tags
Amazon Cognito
Language
English
asked 2 months ago76 views
2 Answers
1

The issue you're encountering is related to how JMESPath query expressions handle nested filtering. When you chain filters like Users[?Enabled==true].Attributes[?Name==email].Value, the query engine struggles with the nested array filtering.

The problem is that after filtering for enabled users, you're trying to apply another filter on the Attributes array, and then extract the Value. This nested filtering syntax doesn't work as expected in JMESPath.

Here are a couple of approaches that should work:

Option 1: Use a projection with filtering

aws cognito-idp list-users --user-pool-id **** --query 'Users[?Enabled==`true`].[Username, Attributes[?Name==`email`].Value | [0]]' --output table

This second option will give you both the username and email address in a table format, which matches what you mentioned wanting to see.

The key difference is that you need to handle the nested array structure more explicitly. The | [0] at the end extracts the first (and only) value from the filtered email attribute array.

If you only want email addresses in a simple list, you could also try:

aws cognito-idp list-users --user-pool-id **** --query 'Users[?Enabled==`true`].Attributes[?Name==`email`].Value | []' --output text

The flatten operator | [] helps collapse the nested array structure into a simpler format that can be displayed properly.
Sources
Use ListUsers with an AWS SDK or CLI - Amazon Cognito
list-users — AWS CLI 2.27.41 Command Reference

answered 2 months ago
EXPERT
reviewed 2 months ago
EXPERT
revised 2 months ago
0
Accepted Answer

Option 2 provided here did succeed and return the results I am looking for.

Option 1 did not succeed, and returned a syntax error.

The final suggested query also did not succeed, it returned no results.

A solution that I have found effective combines a filter (server-side) and a query (client-side) and works for me:

aws cognito-idp list-users \                                                                                                                       
    --user-pool-id **** \
    --filter 'status="Enabled"' \
    --query "Users[].Attributes[?Name=='email'].Value" \
    --output table
answered 2 months ago
EXPERT
reviewed 2 months ago
EXPERT
reviewed 2 months ago
EXPERT
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content