
Can't create new Cognito User Pool User when username belongs to deleted former user

0

I've run into an issue that I need some resolution on, or at least insight into why it's not working. We have a process that deletes Cognito users when we fail to fully create the corresponding user record in our system, as a transactional rollback. This has never triggered before, until one time recently, and attempting to resolve the issue for this one user has become a bit of a headache.

Upon retrying to re-create the user, we found that Cognito refuses to create, claiming the Username (we use UsernameAttributes=["email"]) is already taken. I have confirmed that when searching by the email, Cognito ID, and other attributes, the deleted user is not visible via CLI queries.

I attempted to work around this by creating a new User with a new temporary unique email address + Username (the values must be identical, according to errors we got when attempting otherwise to create with unique Username + canonical email address), and then updating just the email attribute, but that too complained of a conflict/collision with an existing user (which is, I remind, deleted).

I have tried using the force-alias-change parameter on create, but that does not work and is not truly applicable to this method, it would seem.

In my dev stack, I was able to get the create-with-unique-email-then-update-email case to work, but that might have been because the initial deletion of the "old" user that I triggered there was from the AWS Console which included a required step of Disabling Login Access for the user, which may have had some additional effect like unlinking the email as in-use or clearing any active sessions in the user pool or identity pool.

Is there some undocumented cool off period for a deleted user's Username? Is there any other way around this?

Asked 2 months ago, 106 views
1 Answer
-1

This is a known issue with Amazon Cognito user pools. When you delete a user, there appears to be a hidden association that persists for some time, preventing you from creating a new user with the same email address (when using email as the username attribute).

There are a few potential explanations and workarounds:

  1. Propagation delay: When you delete a user, it can take time (sometimes 24-48 hours) for the deletion to fully propagate through AWS systems. During this time, the email address may still be considered "in use" even though the user appears to be deleted.

  2. Case sensitivity differences: If your user pool is case-insensitive (the default for user pools created in the AWS Management Console), there might be conflicts with usernames or email addresses that differ only by case. Check your user pool's case sensitivity settings.

  3. Verification status: In user pools with alias attributes, Amazon Cognito prevents using the public API to check whether a user exists with a given email address. This behavior might be affecting your ability to recreate the user.

Possible workarounds:

  1. Wait longer: Allow more time for the deletion to fully propagate through AWS systems.

  2. Use admin APIs: Try using the admin-create-user command instead of the public signup API, as it might bypass some of the restrictions.

  3. Disable and re-enable custom domain: If you're using a custom domain with your user pool, try disabling and then re-enabling it.

  4. Contact AWS Support: If the issue persists after trying these workarounds, you may need to contact AWS Support to help clear any hidden associations with the email address.

The difference you observed between your production and development environments might be related to the different deletion methods used (programmatic deletion versus console deletion with the additional step of disabling login access).
Sources
  • Managing user existence error responses - Amazon Cognito
  • User pool case sensitivity - Amazon Cognito
  • One or more of the CNAMEs you provided are already associated with a different resource | AWS re:Post
  • Working with user attributes - Amazon Cognito
  • admin-create-user — AWS CLI 2.27.41 Command Reference

Answered 2 months ago
  • Unfortunately:

    1. It's been 20+ days
    2. Case sensitivity is not part of this problem
    3. This is using the admin create user API, not anything public
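An added example, not code from the question, the answer or AWS: it runs the check the thread describes (is any visible user still holding the email?), then retries admin_create_user with bounded backoff and reports a "phantom_conflict" when nothing is visible yet Cognito still rejects the username, so a rollback job can alert instead of retrying indefinitely. The client is injected, so a real boto3 `cognito-idp` client can be passed in; FakeCognito is a constructed stand-in that reproduces the symptom offline, and the pool id is a placeholder.

```python
import time
from types import SimpleNamespace


def find_user_by_email(cognito, pool_id, email):
    """Usernames currently visible for this email (empty when the deleted record is gone)."""
    resp = cognito.list_users(UserPoolId=pool_id, Filter=f'email = "{email}"', Limit=10)
    return [u["Username"] for u in resp.get("Users", [])]


def recreate_user(cognito, pool_id, email, attempts=3, base_delay=2.0, sleep=time.sleep):
    """Retry admin_create_user with bounded backoff on UsernameExistsException; the
    returned status is 'exists' (a visible user owns the email), 'created', or
    'phantom_conflict' (nothing visible, yet Cognito still refuses the username)."""
    visible = find_user_by_email(cognito, pool_id, email)
    if visible:
        return {"status": "exists", "usernames": visible, "attempts": 0}
    for n in range(1, attempts + 1):
        try:
            resp = cognito.admin_create_user(
                UserPoolId=pool_id, Username=email,
                UserAttributes=[{"Name": "email", "Value": email}],
            )
            return {"status": "created", "username": resp["User"]["Username"], "attempts": n}
        except cognito.exceptions.UsernameExistsException:
            if n < attempts:
                sleep(base_delay * 2 ** (n - 1))  # exponential backoff, never a hot loop
    return {"status": "phantom_conflict", "usernames": [], "attempts": attempts}


class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client reproducing the thread's
    symptom: list_users finds nothing, but admin_create_user still rejects the email."""

    class UsernameExistsException(Exception):
        pass

    def __init__(self, reserved):
        self.reserved, self.calls = set(reserved), 0
        self.exceptions = SimpleNamespace(UsernameExistsException=self.UsernameExistsException)

    def list_users(self, **kw):
        return {"Users": []}  # the deleted user is not visible, as the question reports

    def admin_create_user(self, **kw):
        self.calls += 1
        if kw["Username"] in self.reserved:
            raise self.UsernameExistsException("User account already exists")
        return {"User": {"Username": kw["Username"]}}
```

With a real client, `recreate_user(boto3.client("cognito-idp"), pool_id, email)` sleeps between attempts; pass `sleep=lambda s: None` only for offline runs like the fake.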
