I am trying to sign up a user. I am using AWS Cognito for user authentication and authorization. I have added a new custom attribute "abc" under the attribute section in General Settings. I have enabled read & write for the abc attribute in App Clients.
Now I am trying to hit the API to create a user using Postman. I am able to create a new user, but the problem I am facing is that I am unable to add the custom attribute while creating the user. To add custom attributes, every time I have to run the CLI command below. How do I add custom attributes while creating the user itself?
aws cognito-idp admin-update-user-attributes --user-pool-id us-west-2_aaaaaaaaa --username diego@example.com --user-attributes Name="custom:CustomAttr1",Value="Purple"
You can do the same by using the Post Confirmation Lambda Trigger, and writing relevant code in the Lambda trigger for this use-case.
Quoting the official AWS documentation for the Post Confirmation Lambda trigger:
Amazon Cognito invokes this trigger after a new user is confirmed,
allowing you to send custom messages or to add custom logic.
Hence, this looks perfect for your use case, as you can call AdminUpdateUserAttributes from the Lambda code. In my experience, AWS Lambda performs best and has the lowest cold-start time when you write the code in Node.js or Python, so I would implore you to take a look at the recommended API calls.
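Added example (not code from the answer above) of what that Post Confirmation function can look like in Python. It assumes the pool has a writable custom attribute custom:abc, and that the client sends the desired value as ClientMetadata on SignUp; Cognito forwards that map to the trigger as event["request"]["clientMetadata"]. Because ClientMetadata is entirely client-controlled, only allow-listed keys are copied, and the function only acts on PostConfirmation_ConfirmSignUp (the same trigger also fires for ConfirmForgotPassword).

```python
# Post Confirmation trigger that copies allow-listed SignUp ClientMetadata into
# custom attributes. Added example, not code from the answer above. Assumes a
# custom attribute "custom:abc" that the app client may write, and a client
# that sends {"abc": "..."} as ClientMetadata on SignUp.

# ClientMetadata is client-controlled: only these keys are copied, nothing else.
ALLOWED_METADATA = {"abc": "custom:abc"}


def attributes_from_event(event, allowed=ALLOWED_METADATA):
    """Map allow-listed ClientMetadata entries to Cognito attribute records."""
    meta = event.get("request", {}).get("clientMetadata") or {}
    return [{"Name": attr, "Value": str(meta[key])}
            for key, attr in allowed.items() if key in meta]


def handler(event, context, client=None):
    """Lambda entry point; `client` is injectable so the logic can be tested offline."""
    # The trigger also fires for ConfirmForgotPassword; only act on a new sign-up.
    if event.get("triggerSource") != "PostConfirmation_ConfirmSignUp":
        return event
    attrs = attributes_from_event(event)
    if attrs:
        if client is None:
            import boto3  # imported lazily so the module loads without boto3
            client = boto3.client("cognito-idp")
        # Same call as the CLI command in the question, now run server-side.
        client.admin_update_user_attributes(
            UserPoolId=event["userPoolId"],
            Username=event["userName"],
            UserAttributes=attrs,
        )
    # Cognito expects the event object back unchanged.
    return event
```

The function role needs cognito-idp:AdminUpdateUserAttributes on the pool; returning anything other than the event makes Cognito treat the confirmation as failed.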
I need to create a Custom Message lambda trigger but it appears that the only way to do so is to go through all the steps in updating the auth category. I don't want to mess up my user pool and auth settings. How do I skip all steps except the lambda options?
Thanks!
You can always add a new function using amplify add function and then attach this function as a trigger on the Cognito user pool config screen.
The downside is you will have to do this for all your user pools, but it doesn't mess up your Amplify configuration.
I am creating a web app using AWS Amplify, and one of its features will be integration with AWS IoT for live MQTT data. I successfully set up Cognito to work with IoT, but there is one step that I currently have to do manually: attach the IoT policy to a Cognito identity. In all the AWS tutorials on this, they have you manually attach the policy for the user via the command line, but obviously in a production app this needs to be automated with something like a Lambda as part of the user signup flow. I know that Lambda triggers are available on the user pool side of Cognito, but I don't see any documentation on them being available for identity pools. If I'm correct, the user signup happens first in the user pool and then in the identity pool, and since I need the identity ID to link to IoT, using user pool Lambda triggers won't work for this. Of course I could always add this to my own API which is called after sign-up; the only issue with that is that it relies on the client to call the API, which adds complexity, i.e. the client could disconnect after signup but before the API call is made, in which case the user would never get the policy attached. Is there any better server-side way to trigger this?
I have tried to invoke the custom message function to send emails through SendGrid; well, it worked, but I don't have a way to stop AWS from sending their emails as well. I have tried to set messageAction to "SUPPRESS", but another problem arises: there is no such support for self-registration, since messageAction is only for the adminCreateUser function. Did I miss something, or am I not doing this properly?
Custom Sender Lambda Triggers are the way to use 3rd-party notification service providers.
Cognito docs are lacking at the moment (steps are missing, Lambda code has to be fixed after copying from the example, no instructions of how to deploy with CloudFormation, ...).
High level overview of the steps:
Create a symmetric KMS key.
Create a Lambda function. Grant Lambda permission to kms:Decrypt the key. Pass the key ARN as the environment variable.
Create a User Pool and a User Pool Client. For the pool, configure LambdaConfig providing Lambda and KMS Key ARNs.
In the code, decrypt the notification code using the key passed in the env variables.
Send the notification code using the 3rd party (e.g. Twilio Sendgrid) API.
Tooling (as of March 2021):
Cognito Console does not support new triggers
AWS CLI supports new triggers
CloudFormation docs say triggers are not supported, but in reality it works
Terraform does not support setting new triggers yet (there's a workaround)
I've blogged about the process of setting up the Custom Email Lambda Trigger with CloudFormation and Terraform: Send AWS Cognito emails with 3rd party ESPs.
It seems that now Cognito is starting to support this.
Cognito provides two Lambda triggers, CustomEmailSender and CustomSMSSender, to enable third-party email and SMS notifications. [1]
[1] Source: AWS Cognito docs
Cognito recently started supporting sending emails via a third party. You will have to do this via a Lambda, so here are the steps:
Create a Lambda which will call your email provider to send the email / pass the data
Give Kinesis permissions to the Lambda function role that you created
Create a symmetric KMS key
Add the Lambda function role to the key's list of users
Add KEY_ID and KEY_ALIAS to the Lambda, preferably as environment variables
Give permission to the Lambda function to invoke Cognito using the CLI
aws lambda add-permission --function-name YOURLAMBDAARN --statement-id "CognitoLambdaInvokeAccess" --action lambda:InvokeFunction --principal cognito-idp.amazonaws.com
Set up your Cognito
This will reset Cognito settings, so have a look at what was enabled first
aws cognito-idp update-user-pool --user-pool-id yourpoolid --lambda-config PreSignUp="oranyofyourtriggers",CustomEmailSender="{LambdaVersion="V1_0",LambdaArn="yourlambdaarn"}",KMSKeyID="yourkeyarn"
The above command will have reset Cognito, so all the triggers (if any) that were being used previously will have to be set again
Now, in MFA and verifications, under which attributes to verify, select email (and the SMS settings, and give a role if one was used previously) and save those changes
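Added example (not from the answer above) of a safer way to do the "Set up your Cognito" step. UpdateUserPool replaces the whole pool configuration: every field left out of the request reverts to its default, which is exactly why the one-line CLI call drops the other triggers and the email verification setting. The script below reads the pool with DescribeUserPool, copies the updatable fields back unchanged, and only adds the sender trigger and KMS key to LambdaConfig. The pool id, function ARN and key ARN are placeholders passed on the command line.

```python
# Enable CustomEmailSender (or CustomSMSSender) without resetting the rest of
# the user pool. Added example, not the answer's own code. Run as:
#   python enable_sender.py <pool-id> <sender-lambda-arn> <kms-key-arn>
import sys

# Fields DescribeUserPool returns that UpdateUserPool also accepts. Read-only
# fields (Id, Arn, Name, SchemaAttributes, CreationDate, ...) must be dropped.
UPDATABLE = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
)


def build_update_request(pool, sender_arn, kms_key_arn, trigger="CustomEmailSender"):
    """Return UpdateUserPool kwargs that keep every existing setting and trigger."""
    request = {k: pool[k] for k in UPDATABLE if k in pool}
    request["UserPoolId"] = pool["Id"]
    if "AdminCreateUserConfig" in request:
        admin_cfg = dict(request["AdminCreateUserConfig"])
        # Deprecated field DescribeUserPool still returns; UpdateUserPool rejects
        # it when Policies.PasswordPolicy.TemporaryPasswordValidityDays is set.
        admin_cfg.pop("UnusedAccountValidityDays", None)
        request["AdminCreateUserConfig"] = admin_cfg
    # Copy so the described pool dict is not mutated, then add the new trigger.
    lambda_config = dict(pool.get("LambdaConfig") or {})
    lambda_config[trigger] = {"LambdaVersion": "V1_0", "LambdaArn": sender_arn}
    lambda_config["KMSKeyID"] = kms_key_arn  # key Cognito encrypts the codes with
    request["LambdaConfig"] = lambda_config
    return request


def main(pool_id, sender_arn, kms_key_arn):
    import boto3  # imported here so build_update_request stays testable offline
    cognito = boto3.client("cognito-idp")
    pool = cognito.describe_user_pool(UserPoolId=pool_id)["UserPool"]
    cognito.update_user_pool(**build_update_request(pool, sender_arn, kms_key_arn))


if __name__ == "__main__":
    main(*sys.argv[1:4])
```

Diff the output of describe-user-pool before and after the change; if a field you rely on is missing from UPDATABLE for your API version, add it rather than letting it revert.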
I want to send the verification code to the user's mobile as an SMS using a local provider in my country, without using AWS SNS.
I have a trigger in CustomMessage and the Lambda function is working fine. But my problem is that I am unable to find the verification code in the Lambda function. I only find codeParameter, which is {####}.
So how can I get the verification code to send it using the local provider?
You need to implement Custom Authentication in this scenario, because Cognito won't share the secret with you. We have implemented a Custom Authentication scenario using Cognito's custom authentication mechanism.
You could use the DefineAuth, CreateAuth and VerifyAuth triggers for the implementation. Please refer to the following flow.
https://aws.amazon.com/blogs/mobile/customizing-your-user-pool-authentication-flow/
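Added example of the custom authentication flow that answer describes, written for this page rather than taken from the answer or the linked AWS blog post. The three functions map to the DefineAuthChallenge, CreateAuthChallenge and VerifyAuthChallengeResponse triggers. Because your own code generates the code, it can be sent through any provider; send_sms stands in for the local provider's API call and is an assumption. The code is stored only in privateChallengeParameters (never sent to the client in publicChallengeParameters), compared in constant time, and the session is failed after MAX_ATTEMPTS wrong answers.

```python
# Custom authentication flow delivering a one-time code through your own SMS
# provider. Added example, not the answer's or AWS's code. send_sms(phone, body)
# is the provider callback you supply.
import hmac
import secrets

MAX_ATTEMPTS = 3  # wrong answers allowed before the session is failed


def define_auth_challenge(event):
    """Decide whether to issue tokens, fail, or present the SMS challenge."""
    req, resp = event["request"], event["response"]
    session = req.get("session") or []
    if req.get("userNotFound"):
        # Set by Cognito when user-existence errors are suppressed; end the flow.
        resp.update(issueTokens=False, failAuthentication=True)
    elif (session and session[-1]["challengeName"] == "CUSTOM_CHALLENGE"
            and session[-1]["challengeResult"] is True):
        resp.update(issueTokens=True, failAuthentication=False)
    elif len(session) >= MAX_ATTEMPTS:
        resp.update(issueTokens=False, failAuthentication=True)
    else:
        resp.update(challengeName="CUSTOM_CHALLENGE",
                    issueTokens=False, failAuthentication=False)
    return event


def new_code():
    """Six digits from a CSPRNG; never use random.randint for auth codes."""
    return f"{secrets.randbelow(10**6):06d}"


def mask_phone(phone):
    return "*" * (len(phone) - 4) + phone[-4:]


def create_auth_challenge(event, send_sms, generate_code=new_code):
    """Generate the code, send it out of band, and keep it server-side."""
    req, resp = event["request"], event["response"]
    code = generate_code()
    phone = req["userAttributes"]["phone_number"]
    send_sms(phone, f"Your verification code is {code}")
    # Only the masked number goes to the client; the code stays private.
    resp["publicChallengeParameters"] = {"phone": mask_phone(phone)}
    resp["privateChallengeParameters"] = {"code": code}
    resp["challengeMetadata"] = "SMS_OTP"
    return event


def verify_auth_challenge_response(event):
    """Constant-time comparison of the answer with the stored code."""
    req = event["request"]
    expected = str(req["privateChallengeParameters"]["code"])
    answer = str(req.get("challengeAnswer") or "")
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, answer)
    return event
```

Each function is one Lambda; the CreateAuthChallenge entry point is just lambda event, context: create_auth_challenge(event, send_sms) with your provider client bound as send_sms. The client starts the flow with InitiateAuth using AuthFlow CUSTOM_AUTH and answers with RespondToAuthChallenge.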
For those looking for an alternative solution, I would recommend using Cognito's Custom SMS Sender trigger. When you use custom SMS trigger, you do not have to implement a custom authentication mechanism.
The Custom SMS Sender trigger will enable you to get the encrypted code parameter; then you can decrypt it using the KMS key you configured for your user pool.
The steps you can follow:
Create a KMS key.
Create a Custom SMS Sender Lambda function. This function should be able to perform the kms:Decrypt operation.
Implement your custom SMS logic in the Lambda function. Since you have the code parameter now, this will be very easy.
Give your user pool access to invoke the custom SMS sender function.
Set the custom SMS sender trigger for your user pool. When you do that you also need to set the KMS key that Cognito will use. You can use the AWS CLI to do this.
References:
Official documentation
Terraform currently does not support the custom SMS sender trigger. There is an open issue regarding this.
AWS CLI update-user-pool
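Added example of the sender function itself, serving both the Custom Email Sender steps earlier on this page and the Custom SMS Sender steps above; it is not AWS's sample code. Cognito encrypts the code with the AWS Encryption SDK under the KMSKeyID set in LambdaConfig, base64-encodes the result and delivers it in event["request"]["code"], so the function decrypts with the Encryption SDK (a plain kms:Decrypt call will not parse the envelope) and needs kms:Decrypt on that key. The KEY_ARN, PROVIDER_URL and PROVIDER_TOKEN environment variables and the generic JSON provider API in deliver() are assumptions standing in for SendGrid, Twilio or a local SMS gateway.

```python
# CustomEmailSender / CustomSMSSender trigger: decrypt the one-time code and
# hand it to a third-party provider. Added example, not AWS's sample.
# KEY_ARN, PROVIDER_URL and PROVIDER_TOKEN are assumed environment variables.
import base64
import json
import os
import urllib.request

# Message per trigger action (the part after "CustomEmailSender_" / "CustomSMSSender_").
TEMPLATES = {
    "SignUp": "Your verification code is {code}.",
    "ResendCode": "Your verification code is {code}.",
    "ForgotPassword": "Your password reset code is {code}.",
    "UpdateUserAttribute": "Your verification code is {code}.",
    "VerifyUserAttribute": "Your verification code is {code}.",
    "AdminCreateUser": "Your temporary password is {code}.",
    "Authentication": "Your sign-in code is {code}.",  # SMS MFA only
    "AccountTakeOverNotification": "Unusual sign-in activity was detected on your account.",
}


def kms_decrypter(key_arn):
    """Build a decrypt(ciphertext) -> str callable with the AWS Encryption SDK."""
    import aws_encryption_sdk  # pip install aws-encryption-sdk
    from aws_encryption_sdk import CommitmentPolicy
    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT)
    # Strict provider: only ciphertext wrapped by this exact key is accepted.
    provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[key_arn])

    def decrypt(ciphertext):
        plaintext, _header = client.decrypt(source=ciphertext, key_provider=provider)
        return plaintext.decode()
    return decrypt


def deliver(message):
    """POST the message to the provider (assumed generic JSON API)."""
    req = urllib.request.Request(
        os.environ["PROVIDER_URL"], data=json.dumps(message).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + os.environ["PROVIDER_TOKEN"]},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()


def process_event(event, decrypt, deliver):
    """Pick channel and destination, decrypt the code, send. Returns a log-safe summary."""
    channel, _, action = event["triggerSource"].partition("_")
    attrs = event["request"].get("userAttributes") or {}
    to = attrs.get("email") if channel == "CustomEmailSender" else attrs.get("phone_number")
    template = TEMPLATES.get(action)
    if to is None or template is None:
        return None  # unknown trigger or no destination: nothing to send
    encrypted = event["request"].get("code")  # absent for the takeover notification
    code = decrypt(base64.b64decode(encrypted)) if encrypted else None
    deliver({"channel": channel, "to": to, "body": template.format(code=code)})
    # The code itself is a credential: never return or log it.
    return {"channel": channel, "to": to, "action": action}


def handler(event, context):
    return process_event(event, kms_decrypter(os.environ["KEY_ARN"]), deliver)
```

Besides kms:Decrypt for the function role, the key policy has to let the cognito-idp.amazonaws.com service principal use the key (AWS's sample key policy grants it kms:CreateGrant, scoped to your account and pool ARN); without that statement Cognito cannot encrypt the code and the trigger never receives it.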
I am relatively new to AWS but have read through tons of documentation and couldn't find what I need.
I am trying to implement authentication where users pay for a subscription and, based on whether they have paid, they get access to S3 buckets and items.
I tried using API Gateway with a Cognito authorizer, but I have no idea how to add the check for whether a user has paid (for example by looking it up in DynamoDB). Is there any way to add custom authorization logic to the Cognito authorizer? If not, is it possible to still use a Cognito User Pool with a custom authorizer? And most importantly, how would you implement the whole thing?
I am open to suggestions.
I found what I was looking for.
I added a custom user attribute, subscribed. Then I created a Lambda function which I used as a custom authorizer, using the blueprint for a custom authorizer for Amazon Cognito User Pools. I modified the code so that it also extracts the custom attribute subscribed (which is prefixed with custom:, so it becomes custom:subscribed) and checks whether it is set to true. I uploaded the blueprint to the Lambda function and set it as the authorizer on the endpoints and methods I needed.
For updating the flag I used CognitoIdentityServiceProvider.adminUpdateUserAttributes, which I call in a custom location in a Lambda after the user successfully pays (or remove the subscription with cron jobs that check whether it is still valid).
Articles:
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
https://aws.amazon.com/blogs/compute/author/
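Added example of the authorizer logic that answer describes, written for this page rather than taken from the AWS blueprint. Signature verification is delegated to a verify_jwt(token) callable you supply (for instance PyJWT against the pool's JWKS); what the example adds is the claim checks around the custom:subscribed attribute. Two details the blueprint leaves to you matter here: custom attributes are only present in the ID token, so an access token (token_use == "access") must be refused rather than silently treated as unsubscribed; and the attribute is baked into the token when it is issued, so after adminUpdateUserAttributes flips the flag the client must refresh its tokens before the authorizer sees the change. The ISSUER and CLIENT_ID environment variable names are assumptions.

```python
# Lambda TOKEN authorizer for API Gateway that allows a call only when the
# caller's Cognito ID token carries custom:subscribed == "true". Added example,
# not the AWS blueprint. verify_jwt(token) -> claims is supplied by you and must
# check the RS256 signature against the pool's JWKS and raise on failure.
import os
import time


def build_policy(principal_id, effect, method_arn, context=None):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def authorize(claims, method_arn, issuer, client_id, now=None):
    """Turn verified claims into Allow/Deny. Custom attributes live only in the
    ID token, so an access token (token_use == "access") is refused outright."""
    now = time.time() if now is None else now
    if (claims.get("iss") != issuer
            or claims.get("aud") != client_id
            or claims.get("token_use") != "id"
            or claims.get("exp", 0) <= now):
        return build_policy("anonymous", "Deny", method_arn)
    # Cognito stores custom attributes as strings, so compare the text "true".
    subscribed = str(claims.get("custom:subscribed", "")).lower() == "true"
    effect = "Allow" if subscribed else "Deny"
    return build_policy(claims["sub"], effect, method_arn,
                        {"subscribed": str(subscribed).lower(),
                         "username": claims.get("cognito:username", "")})


def handler(event, context, verify_jwt):
    """Lambda entry point; bind verify_jwt with functools.partial when deploying."""
    token = event.get("authorizationToken") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    try:
        claims = verify_jwt(token.strip())
    except Exception:
        raise Exception("Unauthorized")  # API Gateway turns this into HTTP 401
    return authorize(claims, event["methodArn"],
                     os.environ["ISSUER"], os.environ["CLIENT_ID"])
```

API Gateway caches the returned policy per token for the authorizer's TTL, so a Deny issued before payment persists until the cache expires or the client presents a fresh ID token; keep the TTL short if you update the flag mid-session.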