Cognito - Exception migrating user in app client


We're trying to migrate users from the old user pool into a new one, as part of switching AWS accounts after a Well-Architected review, using the "Migrate user" trigger on the new pool.

The problem is that despite trying multiple ways to migrate the users, the login screen keeps giving the "Exception migrating user in app client" error.

According to CloudWatch, the lambda finishes normally and is not out of memory; it does receive all necessary information (using the ALLOW_USER_PASSWORD_AUTH flow as described), and is based on the AWS example on the docs page.

The flow of the migration lambda is as follows:

  • attempt to authenticate the user on the old Cognito pool
  • on success, fetch all user info from the old pool using the access token
  • on success, fill in the response section of the event and return

The data is filled in like this:

    event['response']['userAttributes'] = {
        'username': sub,
        'email': email,
        'email_verified': True,
        'custom:prev_sub': sub
    }
    event['response']['finalUserStatus'] = 'CONFIRMED'
    event['response']['messageAction'] = 'SUPPRESS'

    return event

The custom:prev_sub is a custom field on the new pool to preserve the old sub of the user. I've left it in the snippet above, as we need this value, but most of the tests were done without sending this value at all.

The new pool has no required attributes, and through the console it is possible to create a user with just an email.

Things we tried that did not help:

  • sending "true" as the value of email_verified, as used in the AWS Migrate User docs
  • sending a different value for username, such as email
  • not sending the username at all

Any help is very welcome!
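
The three-step flow listed in the question, written out as an added example (not the poster's code and not the AWS sample). Assumptions: the `migrate` helper, the `OLD_CLIENT_ID` environment variable and passing the Cognito client in as a parameter are hypothetical; `email_verified` is carried over from the old pool rather than set unconditionally, and `username` is not set.

```python
import os


def migrate(event, idp, old_client_id):
    """Handle a Migrate user trigger event.

    idp is a boto3 'cognito-idp' client, or any object offering the same
    initiate_auth/get_user methods (hypothetical injection point for testing).
    """
    if event["triggerSource"] != "UserMigration_Authentication":
        raise Exception("Unsupported trigger source: " + event["triggerSource"])

    # 1. Authenticate against the old pool. The client raises on bad
    #    credentials, which fails the trigger, so no user is created.
    auth = idp.initiate_auth(
        ClientId=old_client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={
            "USERNAME": event["userName"],
            "PASSWORD": event["request"]["password"],  # never log this value
        },
    )
    result = auth.get("AuthenticationResult")
    if not result:
        # A challenge (for example MFA) came back instead of tokens: fail closed.
        raise Exception("Old pool returned a challenge; user not migrated")

    # 2. Fetch the old profile with the access token. get_user returns a list
    #    of {'Name': ..., 'Value': ...} pairs whose values are strings.
    old = {a["Name"]: a["Value"]
           for a in idp.get_user(AccessToken=result["AccessToken"])["UserAttributes"]}

    # 3. Fill in the response section. Every attribute value stays a string.
    event["response"]["userAttributes"] = {
        "email": old["email"],
        # Keep the old verification state instead of asserting it.
        "email_verified": old.get("email_verified", "false"),
        "custom:prev_sub": old["sub"],
    }
    event["response"]["finalUserStatus"] = "CONFIRMED"
    event["response"]["messageAction"] = "SUPPRESS"
    return event


def lambda_handler(event, context):
    import boto3  # imported here so migrate() can be exercised without AWS access
    return migrate(event, boto3.client("cognito-idp"), os.environ["OLD_CLIENT_ID"])
```
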

No Answers
