migrate-cognito-user-pool-lambda

See this blog post for a description.

Usage

Follow these steps to use the migration Lambda function:

  1. Create a new user pool client in the old user pool. This client must have the auth flow ALLOW_ADMIN_USER_PASSWORD_AUTH enabled.

  2. Configure all clients in the new user pool that are allowed to trigger user migration. These clients must use the auth flow USER_PASSWORD_AUTH.

  3. Build the Lambda source code:

    npm install && npm run build

  4. Create a Lambda function in the AWS console, in the same account as the new user pool:

    • Configure the OLD_USER_POOL_REGION, OLD_USER_POOL_ID, and OLD_CLIENT_ID environment variables.

    • Grant the permissions required for accessing the old user pool:

      If the old user pool is in the same AWS account: allow the actions cognito-idp:AdminGetUser and cognito-idp:AdminInitiateAuth in the execution role of the Lambda function.

      If the old user pool is in a different AWS account:

      1. Create a role in the account that owns the old user pool that allows the cognito-idp:AdminGetUser and cognito-idp:AdminInitiateAuth actions and that trusts the execution role of the Lambda function.
      2. Allow the action sts:AssumeRole for the ARN of the created role in the execution role of the Lambda function.
      3. Configure the OLD_ROLE_ARN and OLD_EXTERNAL_ID environment variables for the Lambda function.

  5. Configure the User Migration trigger of the new user pool to call the migration Lambda function.
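The core of what the Lambda from step 4 has to do, as an added example rather than the project's own code: `handleMigration`, `toAttributeMap`, the injected `cognito` client object and the placeholder IDs are assumptions, and the function covers both trigger sources a User Migration trigger receives (sign-in and forgot-password).

```javascript
// Added example, not the project's code: core of the User Migration trigger
// from step 4. `cognito` is any object whose adminInitiateAuth(params) and
// adminGetUser(params) return promises resolving to the Cognito API response
// shapes (in Lambda: an SDK client for OLD_USER_POOL_REGION, built from the
// assumed OLD_ROLE_ARN credentials in the cross-account case).
const OLD_USER_POOL_ID = process.env.OLD_USER_POOL_ID || 'OLD_USER_POOL_ID_PLACEHOLDER';
const OLD_CLIENT_ID = process.env.OLD_CLIENT_ID || 'OLD_CLIENT_ID_PLACEHOLDER';
// The new pool assigns its own `sub`; `identities` (federated links) is managed by Cognito.
const DO_NOT_COPY = new Set(['sub', 'identities']);
// AdminGetUser returns [{Name, Value}]; the trigger response wants a plain map.
function toAttributeMap(userAttributes) {
  const out = {};
  for (const { Name, Value } of userAttributes || []) {
    if (!DO_NOT_COPY.has(Name)) out[Name] = Value;
  }
  return out;
}
async function handleMigration(event, cognito) {
  const username = event.userName;
  const lookup = () =>
    cognito.adminGetUser({ UserPoolId: OLD_USER_POOL_ID, Username: username });
  if (event.triggerSource === 'UserMigration_Authentication') {
    // Verify the password against the old pool via the step-1 client
    // (requires ALLOW_ADMIN_USER_PASSWORD_AUTH on that client).
    const auth = await cognito.adminInitiateAuth({
      AuthFlow: 'ADMIN_USER_PASSWORD_AUTH',
      UserPoolId: OLD_USER_POOL_ID,
      ClientId: OLD_CLIENT_ID,
      AuthParameters: { USERNAME: username, PASSWORD: event.request.password },
    });
    // No tokens means a pending challenge (MFA, NEW_PASSWORD_REQUIRED) that
    // cannot be completed inside the trigger, so the migration is refused.
    if (!auth.AuthenticationResult) throw new Error('Bad password');
    const user = await lookup();
    event.response.userAttributes = toAttributeMap(user.UserAttributes);
    event.response.finalUserStatus = 'CONFIRMED'; // no forced password reset
    event.response.messageAction = 'SUPPRESS'; // no welcome message
    return event;
  }
  if (event.triggerSource === 'UserMigration_ForgotPassword') {
    // No password here: copy the profile and let the new pool run the reset
    // flow. An unknown user surfaces as the client's UserNotFoundException.
    const user = await lookup();
    event.response.userAttributes = toAttributeMap(user.UserAttributes);
    event.response.messageAction = 'SUPPRESS';
    return event;
  }
  throw new Error(`Unsupported triggerSource: ${event.triggerSource}`);
}
```

In the deployed function the handler is `exports.handler = (event) => handleMigration(event, client)` with a real SDK client; throwing is how a trigger tells Cognito that the migration failed, which is why refused logins appear as errored invocations in CloudWatch.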

Using AWS CLI

If you wish to use the AWS CLI instead: this reduces the need to navigate the AWS Console, which is always in flux and not the easiest to figure out.

Maintain a text list of the following variables as you work your way through this:

  • OLD_USER_POOL_ID - the pool ID you are migrating from (us-east-2_xyzABC)
  • OLD_USER_POOL_ARN - the pool ARN you are migrating from (arn:aws:cognito-idp:us-east-2:12345:userpool/us-east-2_xyzABC)
  • OLD_USER_POOL_REGION - the region that pool is located in (us-east-1, us-east-2, etc.)
  • NEW_USER_POOL_ID - the pool you are migrating to (us-east-2_xyzDEF)
  • ROLE_ARN (created in step 1)
  • POLICY_ARN (created in step 2)
  • OLD_CLIENT_ID (created in step 4)
  • LAMBDA_ARN (created in step 5)
  1. Create role
    • Update the role name to match your DevOps procedures.
    • Note the ARN returned from this, as it will be your ROLE_ARN.

    aws iam create-role --role-name cognito-migration-lambda-xxxx \
                        --assume-role-policy-document file://trust-policy.json

  2. Create permissions for your Lambda function to run
    • Update lambda-role-policy.json with the ARN of the OLD Cognito user pool (the one you are migrating from):
      "Resource": "arn:aws:cognito-idp:XXXXXXXXXXX" -> OLD_USER_POOL_ARN
    • Name your policy to match your DevOps procedures, e.g. "cognito-migration-lambda-policy-xxxx".

    aws iam create-policy --policy-name cognito-migration-lambda-policy-xxxx \
                          --policy-document file://lambda-role-policy.json

    This allows your Lambda function to authenticate and look up users against the old Cognito instance, and only that one. Note the ARN returned from the command; it is your POLICY_ARN.

  3. Attach permissions to the role
    • Update role names to match your DevOps procedures.

    # Standard Lambda execution policy, including CloudWatch logging
    aws iam attach-role-policy --role-name cognito-migration-lambda-xxxx \
                               --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

    # Attach the policy you just created in step 2
    aws iam attach-role-policy --role-name cognito-migration-lambda-xxxx \
                               --policy-arn POLICY_ARN

  4. Create user pool client in the old user pool
    • Update --user-pool-id with the ID of the OLD user pool.
    • This is the client that the Lambda function uses to validate usernames and passwords.
    • Note the ClientId returned from this, as it will be your OLD_CLIENT_ID.

    aws cognito-idp create-user-pool-client \
       --user-pool-id XXXXXXXX \
       --client-name lambda-migration-client \
       --no-generate-secret \
       --explicit-auth-flows "ALLOW_USER_PASSWORD_AUTH" "ALLOW_ADMIN_USER_PASSWORD_AUTH"

  5. Create Lambda function
    • Edit lambda-skeleton.json and update:
      • "FunctionName": "test-migration-cognitio"
      • "Role": "ROLE_ARN"
      • "OLD_CLIENT_ID": "XXX",
      • "OLD_USER_POOL_ID": "XXX",
      • "OLD_USER_POOL_REGION": "XXX"
    • Build the function code:

    npm install && npm run build

    • Deploy it. Note the ARN returned from this; it is your LAMBDA_ARN.

    aws lambda create-function --cli-input-json file://lambda-skeleton.json

  6. Attach Lambda to the new user pool
    • This is where you hook up your Lambda function to your new Cognito instance.
    • Update NEW_USER_POOL_ID and LAMBDA_ARN.
    • Caution: update-user-pool replaces the pool's mutable settings as a whole, so any other triggers or settings you do not pass on this call are reset to their defaults. If the new pool is already customized, start from the output of describe-user-pool and add UserMigration to the existing lambda config.

    aws cognito-idp update-user-pool \
      --user-pool-id NEW_USER_POOL_ID \
      --lambda-config UserMigration=LAMBDA_ARN


Issues

MFA config migration

I wonder if the proposed solution also migrates the MFA config along with the user and password migration.

Throw creates log in CloudWatch with stack trace

Hey guys,

Thanks for this. I already had similar code and came here as I was searching for solutions to not flood my log and show invocations as "errored" in Lambda when throwing errors. I mean, throwing errors is considered expected here and not really an error.

My question is: are you seeing the same, and are you okay with that? If not, maybe I have something wrong, or maybe you found a way to swallow the errors in the logs?

Trigger not firing when signing in

I have followed all the processes mentioned. For the test, I am using this app: "https://github.com/dbroadhurst/aws-cognito-react"

My trigger is working fine when I hit the forgot password button, but it is not firing upon the sign-in process.
I tried passing JSON requests manually and it is working fine. Lambda was able to search and respond back, but somehow on the sign-in button the trigger is not firing up.

Any help?

Same issue mentioned here as well "https://stackoverflow.com/questions/62355507/aws-cognito-user-migration-pool-trigger-not-working-on-login-flow"

Incorrect username or password.

I have implemented this code as per the example and applied the required permissions; however, all old users always get the error "Incorrect username or password." when using the Hosted UI.

PS: My real issue is that when using the Drop-in UI Cognito authentication, it used to ask for email and mobile so users could be authenticated; however, now that I need to enable federated authentication I had to go to the Hosted UI, which doesn't show these fields (yes, it was my mistake that I did not click on them in the standard pool attributes).
Now that the pool is already created I cannot add these attributes, hence I am trying to migrate the users to a new pool.

Thanks in advance

Readme update

This did the trick - thank you for releasing it!

There's one update I'd suggest to the readme.
When creating a user pool client in the old user pool, untick "generate secret" (it's enabled by default); otherwise you'll get an error:

    authenticateUser: error {
         "message":"Client XXXXXX is configured for secret but secret was not received",
          "code":"NotAuthorizedException"
    .........
    }

Migrating users from a different AWS Account

First of all, thanks a lot for this repo. I think it's an invaluable resource. I've used it in order to migrate users from different pools in the same account without any issue.

Unfortunately, I'm getting an error while trying to do the same for different AWS accounts.

I've followed the instructions detailed in the readme, but I must clearly be doing something wrong, as I'm getting the following error message:

"message": "User: arn:aws:sts::000357920396:assumed-role/cognito-migration-role-sgvzr4d2/cognito-migration is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::080729486186:role/cognito-migration-admin"

Not sure how to provide this authorization to what seems to be a temporary role. How did you manage this? I have already provided sts:* to the lambda's role (cognito-migration) and created an externalId in the original pool's role (cognito-migration-role).

Should I create a non-temporary role for this to work?

How to migrate social signin entries?

Cognito saves social sign-in rows, like Google, separately in the user pool.
So for one Gmail address, we can have 2 or more user rows in the Cognito user pool.
In this case, how can we migrate these social sign-in rows?

Thank you!!!

Just want to say I struggled for a while, but this one made it easy. Especially after realizing to get rid of the oldARN!! Thanks again.

Error getting credentials when using migration lambda

Firstly, thanks for the code! Very helpful as the AWS docs are not very clear about how this workflow should be set up.

I'm getting this error when the lambda is run in the migration sequence.
UserMigration failed with error Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1."

Am I missing something? I assumed that since it would be running in the AWS Lambda environment, it would already have account configuration info.

I've set up the IAM permissions as told in the readme, but still no jazz. Any ideas what I might be doing wrong?

Is it possible to migrate the user group information?

First, thank you so much for the script; it was very useful. At the moment I need to migrate all the user information. I know that I could get the groups with adminListGroupsForUser, but I don't know how to add them to the new Cognito pool. Maybe you have an idea?