I did NOT find a way to capture the email address (username entered by the users in login form) and password in Lambda Function. I have created a Lambda function (nodejs) and triggered it from Cognito Pre Authentication. It get triggered but if the email address does not exist in cognito user pool, event.request.userAttributes is empty.
Is there anyone facing the same problem and solved the problem ?
If the user doesn't exist, the lambda cannot get its attributes.
If the subsequent problem is that the user attributes object is empty even if it exists, check the IAM Role/Policy attached to the lambda.
It needs the cognito-idp:GetUser to retrieve the UserAttributes.
Related
After a user confirms their email, we want to run a Post Confirmation Lambda in AWS.
This lambda will store the user's email and password to a database that is separate from Cognito, so we need to fetch these credentials from AWS.
We believe it should be possible from the event object, but we can't find anything about this in the official documentation.
Is it possible to fetch a user's email and password from AWS from within a Post Confirmation Lambda?
After inspecting vars(context) and event, it seems that it is impossible to get a user's password from within the post confirmation lambda itself, as these objects do not contain it.
Thanks to everyone who helped.
I'm trying to make a custom authorizer in API Gateway that uses a lambda function to check if the user's email (passed in their request) to us, is a valid email (being valid, I mean a user that we have in our Cognito user pool/group) and is in a specific Cognito user pool, and then the specific Cognito user group that they are in.
I see that there are two different types of Lambda Authorizers that I can make, either Token or Request, I sort of think either are valid uses for this?
Because in the end I need to be able to specify the header the client is going to send and check that key's value to see if the username passed is in Cogntio.
Example,
User tries to query endpoint petstore.com/getDogs
user passes header: username: test#gmail.com
API Gateway custom lambda auth checks the header username, gets the value test#gmail.com and then verifies that it does or doesn't exist in a specific Cognito user pool/group.
I have a lambda function in an admin account that is triggered by an SQS queue, which receives messages from an SNS topic in a managed account, triggered by a compliance change for a Config Rule ("access-keys-rotated") in this same managed account.
I have noticed that the messages received from SNS only include the IAM User ID, not a User Name. In order to apply a policy/role to a user programmatically I have to have the UserName parameter.
Is there a way to resolve UserName from User ID that I just haven't stumbled upon yet? I've poured over the boto IAM API docs but every call I can think of to make requires a UserName.
Alternatively, is there a better way of architecting this workflow so that it is reliable AND provides me with the UserName for an IAM user?
AWS Cognito User Pools have some pre-defined events to handle user signup, confirmation etc. The full list is here.
However, there is no apparent trigger for deleting a user.
So, is there any way one can trigger a Lambda function when a user is deleted from Cognito User Pool (of course, with arguments like username and/or email address)?
If you are using "Amazon Cognito Sync":
Amazon Cognito raises the Sync Trigger event when a dataset is synchronized. You can use the Sync Trigger event to take an action when a user is updated or deleted.
Please have a look on below official document for more information and steps.
Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-events.html
Records updated by the app user will have the 'op' field set as “replace” and the records deleted will have 'op' field as "remove".
According to above point in referenced documentation op field can help you to identify operation, So if value is "removed" in op then you can perform your actions for your business logic requirement.
If you are not using "Amazon Cognito Sync":
Create user records in DynamoDB table "user" using Post Confirmation Lambda Trigger.
Build your own user listing based on DynamoDB table "user".
Build your own user delete api using lambda function and aws api gateway.
You lambda function should handle delete user from cognito & also your business logic that you want to perform.
I'm trying to associate my user's Cognito identity with the SNS endpoints they create when registering for push notifications. I've created a Lambda functions connected to the SNS application's EndpointAdded topic. It is fired whenever an endpoint is created, but it does not include any information I can see that I can use to associate the endpoint to a user.
I see many examples where people are adding the user ID as custom user data, but this allows any user to sign up for any other user's notifications. Is there a more secure way to make this association?
If you front registering the endpoint with Lambda or APIGateway and you use SigV4 credentials vended by Cognito to make the call, the context passed in will contain the Cognito Identity Id extracted from the credentials that made the call. This will ensure that the identity id you associate with the endpoint hasn't been tampered with.