Add new user to user pool groups as Admin


Hi team,

I have a Cognito user pool with 3 Groups, I want to create users inside Groups as System Administrator:

  • the system Admin will fill out a form about the client: given name, surname, email address + some custom attributes
  • when sending the form (invitation), my lambda function should create the user inside my Cognito user pool Group with all the above attributes.
  • the client will receive a link via email to validate the invitation
  • when the client clicks the link (custom Domain link), he validates the invitation

In the SDK documentation, I found that a system Admin can add users to the Cognito group using the adminAddUserToGroup API call

var AWS = require('aws-sdk');
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

var params = {
  GroupName: 'STRING_VALUE', /* required */
  UserPoolId: 'STRING_VALUE', /* required */
  Username: 'STRING_VALUE' /* required */
};
cognitoidentityserviceprovider.adminAddUserToGroup(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

but the adminAddUserToGroup API call only takes as params the GroupName, UserPoolId and Username:

   "GroupName": "string",
   "Username": "string",
   "UserPoolId": "string"
  • how can I get my user created (with the given name, surname, email, and custom attributes...) with this call: adminAddUserToGroup?
  • the username on the params above is it the sys admin username or the user name of the client to create?
  • how can I validate the invitation once the client clicks the verification link?
  • should I create a new lambda that sends the verification link or the API call adminAddUserToGroup send the email to the user on our behalf?

the critical part is how can the system admin create a new user (with all attributes: given name, email....), via the adminAddUserToGroup API call

and how can I validate the invitation when the user clicks the verification link?

Thank you team for your help!

2 Answers

Hi, like you said, the adminAddUserToGroup API call only accepts GroupName, Username, UserPoolId as parameters, which assumes that the group, the user, and the user pool are already created, and of course this call is used to add a user to a specific group. This API call can be made by an AWS Lambda function that can be triggered when the user is created (post-confirmation trigger), and then the user can be added to the specific group belonging to the specified user pool. In order to create a user, you can use this call: AdminCreateUser, which is as follows:

cognitoidentityserviceprovider.adminCreateUser(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

This call takes the following required parameters and other parameters:

var params = {
  UserPoolId: 'STRING_VALUE', /* required */
  Username: 'STRING_VALUE', /* required */
  // optional parameters such as UserAttributes and DesiredDeliveryMediums go here
};

You can find more information here. In terms of validation, cognito will manage that. The user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password. Bear in mind that AdminCreateUser requires developer credentials.

AWS
answered a year ago

You cannot do this in a single call as your post suggests. Assuming your User Pool is set up, adding a user to a group is a two-step process:

  1. Create the user (either via signUp API call or adminCreateUser call)
  2. Assign the user to a group via adminAddUserToGroup (this assumes the group is already created and you know the GroupName)

The Username is the same value that gets returned in the Username field of a call like listUsers. It is also a required input parameter to both signUp and adminCreateUser.

As far as validating the invitation with the verification link -- Cognito will take care of this for you when users sign up. It will immediately sign up/create the user but the user will not be able to log in until they confirm their account via the link emailed to them. You can view the documentation for Signing up and confirming user accounts for more information.

AWS
answered a year ago
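The two-step flow both answers describe (adminCreateUser with the form's attributes, then adminAddUserToGroup with the returned Username), as an added example that is not from the original post or from AWS. It assumes SDK v2 style calls (`.promise()`), that the custom attributes already exist in the pool's schema, and it injects the client so it runs offline against the constructed fake at the bottom instead of a real Cognito endpoint.

```javascript
// Added example (not from the original post): the two-step admin invitation
// flow, createUser then addToGroup, with the form's attributes. The Cognito
// client is injected so it runs offline against the constructed fake below.

// Map the admin's form onto AdminCreateUser parameters. Custom attributes use
// the "custom:" prefix and must already exist in the pool's schema (assumed).
function buildCreateUserParams(userPoolId, form) {
  const attrs = [
    { Name: 'given_name', Value: form.givenName },
    { Name: 'family_name', Value: form.surname },
    { Name: 'email', Value: form.email },
    { Name: 'email_verified', Value: 'true' }, // invite can go to this address
  ];
  for (const [key, value] of Object.entries(form.custom || {})) {
    attrs.push({ Name: `custom:${key}`, Value: String(value) });
  }
  return {
    UserPoolId: userPoolId,
    Username: form.email,              // the client's username, not the admin's
    UserAttributes: attrs,
    DesiredDeliveryMediums: ['EMAIL'], // Cognito e-mails the temporary password
  };
}

// Step 1: AdminCreateUser creates the user with attributes and sends the invite.
// Step 2: AdminAddUserToGroup only needs the Username returned by step 1.
async function inviteUserToGroup(client, userPoolId, groupName, form) {
  const created = await client.adminCreateUser(buildCreateUserParams(userPoolId, form)).promise();
  const username = created.User.Username;
  await client.adminAddUserToGroup({ UserPoolId: userPoolId, GroupName: groupName, Username: username }).promise();
  return { username, status: created.User.UserStatus };
}

// Constructed stand-in for AWS.CognitoIdentityServiceProvider (SDK v2 style);
// it records each call and answers like the real service would.
function fakeCognitoClient() {
  const calls = [];
  const op = (name, reply) => (params) => {
    calls.push({ name, params });
    return { promise: async () => reply(params) };
  };
  return {
    calls,
    adminCreateUser: op('adminCreateUser', (p) => ({
      User: { Username: p.Username, UserStatus: 'FORCE_CHANGE_PASSWORD' },
    })),
    adminAddUserToGroup: op('adminAddUserToGroup', () => ({})),
  };
}
```

In a real Lambda, replace the fake with `new AWS.CognitoIdentityServiceProvider()` and give the function's role only the cognito-idp AdminCreateUser and AdminAddUserToGroup permissions on that one pool.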
