Cognito User Pool not creating user in new pool after Migration Trigger runs successfully


My migration trigger is written in python. The method checks and authenticates against an old user pool, then fills in the userAttributes with all required attributes and finalUserStatus + messageAction with their proper values, and finally returns the entire event object. Here's an example response from the trigger:

{
    "version": "1",
    "triggerSource": "UserMigration_Authentication",
    "region": "us-east-2",
    "userPoolId": "***",
    "userName": "migrated2-integ@x.com",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-unknown-unknown",
        "clientId": "***"
    },
    "request": {
        "password": "TestUserTemp1",
        "validationData": null,
        "userAttributes": null
    },
    "response": {
        "userAttributes": {
            "email": "migrated2-integ@x.com",
            "email_verified": "true"
        },
        "forceAliasCreation": null,
        "enableSMSMFA": null,
        "finalUserStatus": "CONFIRMED",
        "messageAction": "SUPPRESS",
        "desiredDeliveryMediums": null
    }
}

The user is never created in the new user pool after the trigger successfully runs. I have other lambda triggers for post auth, pre-sign in, and post-confirmation and all work as expected. Due to the lack of transparency w.r.t. Cognito logs, I have no idea where the failure is coming from. The error the client receives is the following: AdminInitiateAuth operation: Incorrect username or password.

Please let me know what I'm missing. It'd be great to get access to Cognito logs.

asked a year ago, 457 views
1 Answer

Hello!

This error may occur due to the following reasons:

(a) Check if username and password are correct:

Keep track of whether the AuthParameters in the code are configured correctly with the correct username and password. [1]

AuthParameters={
    'USERNAME': event['userName'],
    'PASSWORD': event['request']['password']
}

Also, in the password only use the following special characters [2]:

^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` = + -

The space character is also treated as a special character.

(b) Is the customer authenticating against the old user pool and old client ID?

Confirm that the code inside the Lambda trigger is authenticating the user against the old user pool ID and client ID (where the user belongs).

UserPoolId='<user pool id of the user pool where the user already exists>',
ClientId='<app client id of the user pool where the user already exists>',

Please review the logic of your code so as to achieve the expected results with the code mentioned under the section "Create a Lambda function" of documentation [1], and check if there are any errors.

You can check the Lambda execution log to troubleshoot the Lambda code by using the following steps [3]:

(i) Open the Functions page of the Lambda console.

(ii) Choose a function.

(iii) Choose Monitor.

(iv) Choose View logs in CloudWatch.

References:

[1] https://aws.amazon.com/premiumsupport/knowledge-center/cognito-change-user-pool-attributes/

[2] Password policy: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html

[3] Accessing Amazon CloudWatch logs for AWS Lambda: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html

AWS
answered a year ago
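The trigger shape the answer describes (authenticate against the old pool and app client with AdminInitiateAuth, then fill in response.userAttributes, finalUserStatus and messageAction) as an added Python example; this is neither the asker's trigger nor AWS's sample code. The OLD_USER_POOL_ID / OLD_CLIENT_ID environment variables, the MigrationDenied exception and the injectable client argument (so the handler can be exercised locally with a stand-in client) are assumptions.

```python
import os

# Assumed environment variables naming the OLD pool and its app client (not from the post).
OLD_USER_POOL_ID = os.environ.get("OLD_USER_POOL_ID", "<old user pool id>")
OLD_CLIENT_ID = os.environ.get("OLD_CLIENT_ID", "<old app client id>")

# Attributes the new pool marks as required; if one is missing Cognito rejects the
# migration and the client only sees "Incorrect username or password".
REQUIRED_ATTRIBUTES = ("email",)


class MigrationDenied(Exception):
    """Fails the sign-in with a reason that lands in the Lambda's CloudWatch log."""


def _default_client():
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return boto3.client("cognito-idp")


def lookup_old_user(client, username, password):
    """Authenticate against the OLD pool/app client and return that user's attributes."""
    try:
        client.admin_initiate_auth(
            UserPoolId=OLD_USER_POOL_ID,
            ClientId=OLD_CLIENT_ID,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password},
        )
        user = client.admin_get_user(UserPoolId=OLD_USER_POOL_ID, Username=username)
    except Exception as exc:  # NotAuthorized, UserNotFound, wrong pool/client id, ...
        raise MigrationDenied(f"old pool rejected {username!r}: {exc}") from exc
    return {attr["Name"]: attr["Value"] for attr in user["UserAttributes"]}


def lambda_handler(event, context=None, client=None):
    """UserMigration trigger: fill event['response'] so Cognito creates the user."""
    if event["triggerSource"] != "UserMigration_Authentication":
        raise MigrationDenied("only the authentication flow is handled here")
    attrs = lookup_old_user(client or _default_client(),
                            event["userName"], event["request"]["password"])
    missing = [name for name in REQUIRED_ATTRIBUTES if name not in attrs]
    if missing:
        raise MigrationDenied(f"old user lacks required attribute(s): {missing}")
    event["response"]["userAttributes"] = {
        "email": attrs["email"],
        "email_verified": "true",  # mark verified so the migrated user can sign in at once
    }
    event["response"]["finalUserStatus"] = "CONFIRMED"  # no forced password reset
    event["response"]["messageAction"] = "SUPPRESS"     # no welcome message
    return event
```

Raising MigrationDenied (rather than swallowing the old-pool error) is what makes the real cause visible in the Lambda log that step [3] of the answer points to.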
