Cognito Migration Trigger errors when Lambda execution time too high

2

I am currently in the process of validating the migration of a set of users to a Cognito user pool via the migration trigger. The essence of the Lambda function for the trigger can be boiled down to:

import requests

def lambda_handler(event, context):
    # external_auth_api_url and json_with_user_and_pass are placeholders
    # for the legacy system's endpoint and the credential payload
    response = requests.post(external_auth_api_url, json_with_user_and_pass)
    if response.status_code == 200:
        event["response"] = {
            "userAttributes": {
                "username": event["userName"],
                "email": event["userName"],
                "email_verified": "true"
            },
            "finalUserStatus": "CONFIRMED",
            "messageAction": "SUPPRESS"
        }
        return event

This is doing an external REST call to the old system the user was signing in through, as per the documentation, and returning a success response.

The issue I noticed is that if the Lambda function time is too long (for example, the average execution time of this Lambda for me right now via ngrok is about 5 seconds total), Cognito fails when I call initiateAuth with USERNAME_PASSWORD flow and returns the following:

botocore.errorfactory.UserNotFoundException: An error occurred (UserNotFoundException) when calling the InitiateAuth operation: Exception migrating user in app client xxxxxxxxxxxx

I managed to validate that this issue was occurring by simply returning a success response without doing an external REST call, essentially bringing the Lambda function runtime down to milliseconds, in which case I got the tokens as expected and the user was successfully migrated.

I also tested this by simply having a Lambda function like:

import time

def lambda_handler(event, context):
    # Simulate a slow external call
    time.sleep(5)
    event["response"] = {
        "userAttributes": {
            "username": event["userName"],
            "email": event["userName"],
            "email_verified": "true"
        },
        "finalUserStatus": "CONFIRMED",
        "messageAction": "SUPPRESS"
    }

    return event

This fails with the same error response as above.

If anyone can advise: I am not sure if there is a maximum time the migration trigger will wait that is not documented. I wouldn't have expected the trigger to have such a thing if the migration trigger's intention is to do external REST calls, which may or may not be slow.

Thanks in advance!

1 Answer
0
Accepted Answer

There is a 5 second execution limit on the trigger.

Unfortunately, the official Cognito documentation says that this timeout is not configurable:

Except for Custom Sender Lambda triggers, Amazon Cognito invokes Lambda functions synchronously. When Amazon Cognito calls your Lambda function, it must respond within 5 seconds. If it does not, Amazon Cognito retries the call. After three unsuccessful attempts, the function times out. You can't change this five-second timeout value. For more information, see the Lambda programming model.

rowanu
answered 2 years ago
  • Thank you! It would be good if the Cognito team updated the docs to highlight this execution time limit in the migration trigger page, as that's where it's most critical.
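
An added example, not code from the question or the answer: one way to keep a migration trigger inside the fixed 5-second window is to give the legacy call an explicit time budget and fail closed when it is exceeded. `LEGACY_AUTH_URL`, `SAFETY_MARGIN_S`, `legacy_verify` and the `verify` parameter are assumptions made for illustration; the response fields mirror the ones in the question.

```python
import json
import urllib.request

LEGACY_AUTH_URL = "https://legacy-auth.example.com/login"  # placeholder, not from the page
COGNITO_LIMIT_S = 5.0   # fixed trigger limit quoted in the answer
SAFETY_MARGIN_S = 1.5   # assumed headroom for cold start and response handling


def legacy_verify(username, password, timeout_s):
    """Hypothetical legacy check: True only if the old API answers HTTP 200 in time."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(LEGACY_AUTH_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout_s) as resp:
            return resp.status == 200
    except OSError:
        # Covers URLError/HTTPError and socket timeouts.
        # Fail closed: a slow or unreachable backend never migrates a user.
        return False


def lambda_handler(event, context, verify=legacy_verify):
    if event.get("triggerSource") != "UserMigration_Authentication":
        raise Exception("Unsupported trigger source")
    # Spend less than both Cognito's limit and this function's own remaining time.
    remaining_s = context.get_remaining_time_in_millis() / 1000.0
    budget_s = min(COGNITO_LIMIT_S, remaining_s) - SAFETY_MARGIN_S
    if budget_s <= 0:
        raise Exception("No time budget left for legacy auth call")
    if not verify(event["userName"], event["request"]["password"], budget_s):
        # Raising makes Cognito reject the sign-in; the password is never logged.
        raise Exception("Legacy authentication failed")
    event["response"] = {
        "userAttributes": {
            "username": event["userName"],
            "email": event["userName"],
            "email_verified": "true",
        },
        "finalUserStatus": "CONFIRMED",
        "messageAction": "SUPPRESS",
    }
    return event
```

The `timeout` passed to `urlopen` bounds each blocking socket operation rather than the whole request, so the margin should stay generous for backends that respond in slow chunks.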
