Cognito User Pool not creating user in new pool after Migration Trigger runs successfully


My migration trigger is written in python. The method checks and authenticates against an old user pool, then fills in the userAttributes with all required attributes and finalUserStatus + messageAction with their proper values, and finally returns the entire event object. Here's an example response from the trigger:

    {
        "version": "1",
        "triggerSource": "UserMigration_Authentication",
        "region": "us-east-2",
        "userPoolId": "***",
        "userName": "",
        "callerContext": {
            "awsSdkVersion": "aws-sdk-unknown-unknown",
            "clientId": "***"
        },
        "request": {
            "password": "TestUserTemp1",
            "validationData": null,
            "userAttributes": null
        },
        "response": {
            "userAttributes": {
                "email": "",
                "email_verified": "true"
            },
            "forceAliasCreation": null,
            "enableSMSMFA": null,
            "finalUserStatus": "CONFIRMED",
            "messageAction": "SUPPRESS",
            "desiredDeliveryMediums": null
        }
    }

The user is never created in the new user pool after the trigger successfully runs. I have other lambda triggers for post auth, pre-sign in, and post-confirmation and all work as expected. Due to the lack of transparency w.r.t. Cognito logs, I have no idea where the failure is coming from. The error the client receives is the following: AdminInitiateAuth operation: Incorrect username or password.

Please let me know what I'm missing. It'd be great to get access to Cognito logs.

asked 2 years ago · 666 views
1 Answer


This error may occur due to the following reasons:

(a) Check if username and password are correct:

Keep track of whether the AuthParameters in the code are configured correctly with the correct username and password. [1]

    'USERNAME': event['userName'],
    'PASSWORD': event['request']['password']

Also, in the password only use the following special characters [2]:

^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` = + -

The space character is also treated as a special character.

(b) Is the customer authenticating against the old user pool and old client ID?

Confirm if the code present inside the lambda trigger is authenticating the user against the old userpoolID and ClientID (where the user belongs).

    UserPoolId='<user pool id of the user pool where the user already exists>',
    ClientId='<app client id of the user pool where the user already exists>',

Please review the logic of your code, so as to achieve the expected results with the code mentioned under section "Create a Lambda function" of documentation [1], and check if there are any errors.

You can check the Lambda execution log to troubleshoot the Lambda code by using the following steps [3]:

(i) Open the Functions page of the Lambda console.

(ii) Choose a function.

(iii) Choose Monitor.

(iv) Choose View logs in CloudWatch.



[2] Password Policy

[3] Accessing Amazon CloudWatch logs for AWS Lambda

answered 2 years ago
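The following is an added example, not the asker's trigger and not code from the answer or from AWS: a `UserMigration_Authentication` handler laid out the way the answer describes (authenticate against the old pool with `AdminInitiateAuth` using the old pool and app client IDs, then fill in `response.userAttributes`, `finalUserStatus` and `messageAction`, and return the whole event). The old-pool lookup sits behind an injectable callable so the handler can be exercised offline against a constructed directory; the environment variable names, the optional attribute list and the fake directory are assumptions. The real lookup uses the `ADMIN_USER_PASSWORD_AUTH` flow, which must be enabled on the old app client. The handler raises, which makes Cognito fail the sign-in, whenever `userName`, the password or the required `email` attribute is empty or the old pool rejects the credentials, so it never returns a half-filled response.

```python
"""Added example (not the asker's or the answer's code): a Cognito
UserMigration_Authentication trigger that verifies the user against the
OLD pool, then populates the response for the NEW pool."""
import os
from typing import Any, Callable, Dict, Optional

# Assumed environment variable names; the defaults are placeholders,
# not real pool or client identifiers.
OLD_USER_POOL_ID = os.environ.get("OLD_USER_POOL_ID", "<old-user-pool-id>")
OLD_CLIENT_ID = os.environ.get("OLD_CLIENT_ID", "<old-app-client-id>")

# email is required (as in the question's response); the rest are
# assumed optional extras carried over when the old profile has them.
REQUIRED_ATTRIBUTES = ("email",)
OPTIONAL_ATTRIBUTES = ("name", "given_name", "family_name")

Authenticator = Callable[[str, str], Optional[Dict[str, str]]]


def authenticate_with_old_pool(username: str, password: str) -> Optional[Dict[str, str]]:
    """Real lookup (needs AWS credentials and network): check the password
    with AdminInitiateAuth against the OLD pool, then read the old profile
    with AdminGetUser. Returns None on auth failure so the caller refuses
    migration instead of guessing."""
    import boto3  # imported lazily so the handler itself runs offline

    idp = boto3.client("cognito-idp")
    try:
        idp.admin_initiate_auth(
            UserPoolId=OLD_USER_POOL_ID,
            ClientId=OLD_CLIENT_ID,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password},
        )
        profile = idp.admin_get_user(UserPoolId=OLD_USER_POOL_ID, Username=username)
    except (idp.exceptions.NotAuthorizedException, idp.exceptions.UserNotFoundException):
        return None
    return {a["Name"]: a["Value"] for a in profile["UserAttributes"]}


def handler(event: Dict[str, Any], context: Any = None,
            authenticate: Authenticator = authenticate_with_old_pool) -> Dict[str, Any]:
    """Lambda entry point. Raising makes Cognito fail the sign-in, the safe
    outcome whenever the old pool did not clearly vouch for the user.
    The event carries the plaintext password: never log the event."""
    if event.get("triggerSource") != "UserMigration_Authentication":
        raise ValueError("unsupported trigger source: %r" % event.get("triggerSource"))

    username = event.get("userName") or ""
    password = (event.get("request") or {}).get("password") or ""
    if not username or not password:
        raise ValueError("userName and request.password must be non-empty")

    old_attrs = authenticate(username, password)
    if old_attrs is None:
        raise ValueError("old user pool rejected the credentials")

    missing = [a for a in REQUIRED_ATTRIBUTES if not old_attrs.get(a)]
    if missing:
        raise ValueError("old profile lacks required attribute(s): %s" % ", ".join(missing))

    new_attrs = {a: old_attrs[a] for a in REQUIRED_ATTRIBUTES}
    new_attrs.update({a: old_attrs[a] for a in OPTIONAL_ATTRIBUTES if old_attrs.get(a)})
    new_attrs["email_verified"] = "true"  # the old pool already verified it

    response = event.setdefault("response", {})
    response["userAttributes"] = new_attrs
    response["finalUserStatus"] = "CONFIRMED"  # no forced password reset
    response["messageAction"] = "SUPPRESS"     # no welcome message
    return event


# Constructed stand-in for the old pool, used only to run the handler offline.
FAKE_OLD_DIRECTORY = {
    "alice": {"password": "TestUserTemp1", "email": "alice@example.com", "name": "Alice"},
}


def fake_authenticate(username: str, password: str) -> Optional[Dict[str, str]]:
    rec = FAKE_OLD_DIRECTORY.get(username)
    if rec is None or rec["password"] != password:
        return None
    return {k: v for k, v in rec.items() if k != "password"}


def make_event(username: str, password: str) -> Dict[str, Any]:
    """Constructed event in the shape shown in the question (placeholder IDs)."""
    return {
        "version": "1",
        "triggerSource": "UserMigration_Authentication",
        "region": "us-east-2",
        "userPoolId": "<new-user-pool-id>",
        "userName": username,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "<app-client-id>"},
        "request": {"password": password, "validationData": None, "userAttributes": None},
        "response": {"userAttributes": None, "forceAliasCreation": None, "enableSMSMFA": None,
                     "finalUserStatus": None, "messageAction": None, "desiredDeliveryMediums": None},
    }


if __name__ == "__main__":
    out = handler(make_event("alice", "TestUserTemp1"), authenticate=fake_authenticate)
    print(out["response"])
```

Deploy `handler` as the Lambda entry point (the default `authenticate` argument does the real old-pool lookup); run the file directly to see the populated response produced against the constructed directory. An empty `userName`, a wrong password, or a missing `email` on the old profile all raise, and Cognito reports the failed sign-in to the client instead of creating a user in the new pool.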
