See this blog post for a description
Follow these steps to use the migration Lambda function:

- Create a new user pool client in the old user pool. This client must have the auth flow `ALLOW_ADMIN_USER_PASSWORD_AUTH` enabled.
- Configure all clients in the new user pool that are allowed to trigger user migration. These clients must use the auth flow `USER_PASSWORD_AUTH`.
- Build the Lambda source code: `npm install && npm run build`
- Create a Lambda function in the AWS console in the same account as the new user pool.
- Configure the `OLD_USER_POOL_REGION`, `OLD_USER_POOL_ID`, and `OLD_CLIENT_ID` environment variables.
- Grant the required permissions for accessing the old user pool:
  - If the old user pool is in the same AWS account: allow the actions `cognito-idp:AdminGetUser` and `cognito-idp:AdminInitiateAuth` in the execution role of the Lambda function.
  - If the old user pool is in a different AWS account:
    - Create a role in the account that owns the old user pool that allows the `cognito-idp:AdminGetUser` and `cognito-idp:AdminInitiateAuth` actions and that trusts the execution role of the Lambda function.
    - Allow the action `sts:AssumeRole` for the ARN of the created role in the execution role of the Lambda function.
    - Configure the `OLD_ROLE_ARN` and `OLD_EXTERNAL_ID` environment variables for the Lambda function.
- Configure the User Migration trigger of the new user pool to call the migration Lambda function.
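As an added example (not this project's code), the following shows the decision logic a Cognito User Migration trigger has to implement once the steps above are in place: it reads the environment variables named in this README, verifies the password against the old pool for `UserMigration_Authentication`, does an existence check only for `UserMigration_ForgotPassword`, copies a whitelist of attributes, and suppresses the welcome message. The AWS SDK calls (`AdminInitiateAuth`, `AdminGetUser`, `sts:AssumeRole`) sit behind an injected `oldPool` object so the code runs offline; the interface of that object, the function names `oldPoolConfig`, `migrateUser` and `makeEvent`, the attribute whitelist, and the sample user in `FAKE_OLD_POOL` are all assumptions of this example, as is the rule that `OLD_EXTERNAL_ID` must accompany `OLD_ROLE_ARN`.

```javascript
// Added example, not the project's handler. The real `oldPool` would wrap
// AdminInitiateAuthCommand / AdminGetUserCommand from
// @aws-sdk/client-cognito-identity-provider, created with credentials from
// sts:AssumeRole (OLD_ROLE_ARN + OLD_EXTERNAL_ID) when the pool is in another account.

// Reads the environment variables named in the README (assumed names from the page).
// Cross-account access is enabled only when OLD_ROLE_ARN is set; this example then
// insists on an external id so the role cannot be assumed by anyone who merely
// knows its ARN (confused-deputy protection).
function oldPoolConfig(env) {
  for (const k of ["OLD_USER_POOL_REGION", "OLD_USER_POOL_ID", "OLD_CLIENT_ID"]) {
    if (!env[k]) throw new Error(`Missing environment variable ${k}`);
  }
  const cfg = {
    region: env.OLD_USER_POOL_REGION,
    userPoolId: env.OLD_USER_POOL_ID,
    clientId: env.OLD_CLIENT_ID,
    assumeRole: null,
  };
  if (env.OLD_ROLE_ARN) {
    if (!env.OLD_EXTERNAL_ID) throw new Error("OLD_EXTERNAL_ID is required when OLD_ROLE_ARN is set");
    cfg.assumeRole = { roleArn: env.OLD_ROLE_ARN, externalId: env.OLD_EXTERNAL_ID };
  }
  return cfg;
}

// Attributes copied from the old pool into the new one (assumed whitelist);
// anything else, e.g. custom attributes that the new pool does not define, is dropped.
const MIGRATED_ATTRIBUTES = ["email", "email_verified", "phone_number", "phone_number_verified", "name"];

function pickAttributes(userAttributes) {
  const out = {};
  for (const { Name, Value } of userAttributes) {
    if (MIGRATED_ATTRIBUTES.includes(Name)) out[Name] = Value;
  }
  return out;
}

// The trigger handler. `oldPool` is assumed to expose
//   adminInitiateAuth(username, password) -> Promise<boolean>
//   adminGetUser(username) -> Promise<{ UserAttributes: [...] } | null>
// Errors are thrown with one generic message: distinguishing "unknown user" from
// "wrong password" would let a caller enumerate which accounts exist in the old pool.
async function migrateUser(event, oldPool) {
  const username = event.userName;
  if (event.triggerSource === "UserMigration_Authentication") {
    // Sign-in: the password is present, so verify it against the old pool first.
    const ok = await oldPool.adminInitiateAuth(username, event.request.password);
    if (!ok) throw new Error("Bad credentials");
  } else if (event.triggerSource !== "UserMigration_ForgotPassword") {
    throw new Error(`Unsupported trigger source ${event.triggerSource}`);
  }
  // Forgot-password: no password to check; only confirm the user exists and copy attributes.
  const oldUser = await oldPool.adminGetUser(username);
  if (!oldUser) throw new Error("Bad credentials");

  event.response.userAttributes = pickAttributes(oldUser.UserAttributes);
  if (event.triggerSource === "UserMigration_Authentication") {
    // The password was just verified, so the user is confirmed with it; in the
    // forgot-password flow finalUserStatus stays unset and the user must reset.
    event.response.finalUserStatus = "CONFIRMED";
  }
  event.response.messageAction = "SUPPRESS"; // no welcome message for a migrated user
  return event;
}

// Constructed fake of the old pool so the example runs offline (not real users).
const FAKE_OLD_POOL = {
  users: {
    "alice@example.com": {
      password: "correct horse battery staple",
      attrs: [
        { Name: "email", Value: "alice@example.com" },
        { Name: "email_verified", Value: "true" },
        { Name: "custom:legacy_id", Value: "42" },
      ],
    },
  },
  async adminInitiateAuth(username, password) {
    const u = this.users[username];
    return Boolean(u && u.password === password);
  },
  async adminGetUser(username) {
    const u = this.users[username];
    return u ? { UserAttributes: u.attrs } : null;
  },
};

// Builds a minimal Cognito User Migration event of the given trigger source.
function makeEvent(triggerSource, userName, password) {
  return { triggerSource, userName, request: { password }, response: {} };
}

migrateUser(makeEvent("UserMigration_Authentication", "alice@example.com", "correct horse battery staple"), FAKE_OLD_POOL)
  .then((ev) => console.log(JSON.stringify(ev.response)));
```

When wiring this up for real, scope the `Resource` of the `cognito-idp:*` statements to the old user pool's ARN rather than `*`, and put an `sts:ExternalId` condition on the trust policy of the cross-account role so that it matches the value configured in `OLD_EXTERNAL_ID`.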