Move Cognito user pool to another account?

0

Problem: I created cognito user pools for staging and production under the same root AWS account. I need to move them to separate accounts for security purposes.

I know that AWS doesn't have great support for transferring resources between accounts, but I think a case can be made for Cognito user pools. I would happily create a new pool in the new account and write a script to create the user accounts in the new pool using the emails from the old pool, but there are two problems:

  1. AWS doesn't allow exporting password hashes
  2. AWS doesn't export 2FA tokens

So there's no way for existing users to log in to the new pool.

If you google for people who faced this problem, they come up with hacky solutions like signing in users to the old pool, then triggering a signup on the new pool, and forcing a password reset. Obviously this solution is not acceptable since I don't want to force my users to reset their passwords, and users with 2FA enabled now have to re-enable it!

Another problem: this "solution" depends on the user to come back to your site and log in. I don't want to have to wait months/years for this transition to happen. I want to be able to move my pools freely.

Please AWS give us a solution.

1 Answer
0

Unfortunately, it looks like there is no solution to both issues you state here. If you can allow a long "lazy" migration, you have to use a custom UI and redirect customers to the other pool using the Lambda trigger migration: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html

If you want to save time and use a bulk migration you lose the passwords and 2FA tokens. https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture

AWS
answered 2 years ago
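The "lazy" migration the answer points to is driven by Cognito's user migration Lambda trigger: the new pool invokes the function on the first sign-in (or forgot-password request) of a user it does not know, the function verifies the user against the old pool and returns the attributes, and Cognito creates the user in the new pool with the password it was just given. The handler below is an added example written for this page, not AWS's reference code or the asker's. It assumes the old pool's app client allows USER_PASSWORD_AUTH (InitiateAuth needs no AWS credentials, so it works across accounts), that the environment variables OLD_POOL_CLIENT_ID, OLD_POOL_ID and OLD_POOL_REGION are set, and that the Lambda's credentials (for example an assumed cross-account role) may call AdminGetUser on the old pool for the flows where no access token is obtained. The `FakeOldPool` class and the `alice`/`bob` records are a constructed test double so the handler can be run offline.

```python
"""Cognito user-migration trigger: lazily move users from an old pool (possibly in
another AWS account) into the new pool on their first sign-in. Added example."""
import os

# Pool-independent attributes worth carrying over. `sub` is pool-specific and
# must never be copied; the new pool assigns its own.
COPYABLE_ATTRIBUTES = ("email", "email_verified", "phone_number",
                       "phone_number_verified", "name", "given_name", "family_name")
MFA_CHALLENGES = {"SMS_MFA", "SOFTWARE_TOKEN_MFA"}
AUTH_FAILURES = {"NotAuthorizedException", "UserNotFoundException"}  # botocore class names


def _default_old_pool_client():
    import boto3  # imported lazily so the handler can be exercised without boto3
    return boto3.client("cognito-idp", region_name=os.environ.get("OLD_POOL_REGION", "us-east-1"))


def _attrs_to_dict(attr_list):
    """Turn Cognito's [{"Name": .., "Value": ..}] list into a filtered dict."""
    return {a["Name"]: a["Value"] for a in attr_list if a["Name"] in COPYABLE_ATTRIBUTES}


def lookup_admin(idp, pool_id, username):
    """Read a user's attributes from the old pool without a password (AdminGetUser)."""
    try:
        user = idp.admin_get_user(UserPoolId=pool_id, Username=username)
    except Exception as exc:
        if type(exc).__name__ in AUTH_FAILURES:
            return None
        raise
    return _attrs_to_dict(user["UserAttributes"])


def lookup_with_password(idp, client_id, pool_id, username, password):
    """Verify `password` against the old pool; return copyable attributes or None."""
    try:
        resp = idp.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=client_id,
                                 AuthParameters={"USERNAME": username, "PASSWORD": password})
    except Exception as exc:
        if type(exc).__name__ in AUTH_FAILURES:
            return None  # wrong password or unknown user: do not migrate
        raise
    if "AuthenticationResult" in resp:
        token = resp["AuthenticationResult"]["AccessToken"]
        return _attrs_to_dict(idp.get_user(AccessToken=token)["UserAttributes"])
    if resp.get("ChallengeName") in MFA_CHALLENGES:
        # The password was accepted (Cognito issues the MFA challenge only after that),
        # but no token is available, so read attributes with admin privileges. The TOTP
        # secret itself is not exportable: the user re-enrols MFA in the new pool.
        return lookup_admin(idp, pool_id, username)
    return None  # other challenge (e.g. NEW_PASSWORD_REQUIRED): do not migrate


def migrate_user(event, idp=None):
    """Lambda entry point for the UserMigration trigger."""
    idp = idp or _default_old_pool_client()
    client_id = os.environ.get("OLD_POOL_CLIENT_ID", "PLACEHOLDER_CLIENT_ID")
    pool_id = os.environ.get("OLD_POOL_ID", "PLACEHOLDER_POOL_ID")
    username, source = event["userName"], event["triggerSource"]

    if source == "UserMigration_Authentication":
        attrs = lookup_with_password(idp, client_id, pool_id, username, event["request"]["password"])
    elif source == "UserMigration_ForgotPassword":
        attrs = lookup_admin(idp, pool_id, username)  # no password in this flow
    else:
        raise ValueError(f"unexpected triggerSource {source!r}")

    if attrs is None:
        raise Exception("Bad username or password")  # Cognito reports a generic failure

    event["response"]["userAttributes"] = attrs
    event["response"]["messageAction"] = "SUPPRESS"  # no welcome or verification mail
    if source == "UserMigration_Authentication":
        event["response"]["finalUserStatus"] = "CONFIRMED"  # sign-in completes now
    return event


# ---- constructed test double and sample event so the handler runs offline ----
class NotAuthorizedException(Exception):
    """Mirrors the name of the botocore exception the real client raises."""


class FakeOldPool:
    """Stand-in for the old pool's boto3 client (constructed, not a real API)."""
    _users = {
        "alice": {"password": "correct horse", "mfa": False,
                  "attrs": {"sub": "old-sub-1", "email": "alice@example.com", "email_verified": "true"}},
        "bob": {"password": "battery staple", "mfa": True,
                "attrs": {"sub": "old-sub-2", "email": "bob@example.com", "email_verified": "true",
                          "phone_number": "+15550100"}},
    }

    def initiate_auth(self, AuthFlow, AuthParameters, ClientId):
        user = self._users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise NotAuthorizedException("Incorrect username or password.")
        if user["mfa"]:
            return {"ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": "fake-session"}
        return {"AuthenticationResult": {"AccessToken": "token:" + AuthParameters["USERNAME"]}}

    def get_user(self, AccessToken):
        return self.admin_get_user("ignored", AccessToken.split(":", 1)[1])

    def admin_get_user(self, UserPoolId, Username):
        if Username not in self._users:
            raise NotAuthorizedException("User does not exist.")
        attrs = self._users[Username]["attrs"]
        return {"Username": Username,
                "UserAttributes": [{"Name": k, "Value": v} for k, v in attrs.items()]}


def make_event(trigger_source, username, password=None):
    """Build a minimal trigger event of the shape Cognito sends."""
    return {"triggerSource": trigger_source, "userName": username,
            "request": {"password": password}, "response": {}}
```

Deploy `migrate_user` as the new pool's "User migration" trigger; calling `migrate_user(make_event("UserMigration_Authentication", "alice", "correct horse"), idp=FakeOldPool())` exercises it against the fake. This only ever helps users who come back and sign in, which is exactly the "months/years" limitation the question complains about, and it still cannot carry TOTP secrets over: the `bob` record shows the MFA case, where the old pool's password check passes but the user has to re-enrol MFA in the new pool.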
