Cognito Migration from one AWS account to another without changing sub
Published Oct 29, 2024
We are currently using Cognito in one AWS account and want to migrate to another account. However, when we use a Lambda trigger in the new account's user pool, a new user is created upon login, including all attributes, and the user’s sub will change since it differs between accounts. Our Cognito setup is integrated with API Gateway, and we rely on the sub to track users, which is a primary concern during migration.
While we can create a custom attribute and make it mandatory for users instead of using the sub, this raises another issue. If we implement a custom attribute, it won't change during migration, but we still need a reliable way to track users in our MongoDB database. How can we effectively track users if we move away from using the sub?
Please suggest the best and simplest way to migrate the Cognito user pools.
import logging

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# The old (dev) pool lives in the other AWS account. Only its app client ID is
# needed: InitiateAuth is an unauthenticated, client-side API, so the Lambda in
# the new account can call it without cross-account IAM credentials. Note that
# initiate_auth takes no UserPoolId parameter (the client ID identifies the
# pool) and that the app client must have USER_PASSWORD_AUTH enabled.
OLD_POOL_REGION = 'us-east-1'
OLD_CLIENT_ID = 'egshhhrhhdh'  # Replace with your actual dev client ID

# Standard attributes copied from the old pool into the new one.
MIGRATED_ATTRIBUTES = ('email', 'email_verified', 'phone_number', 'name')

old_cognito_client = boto3.client('cognito-idp', region_name=OLD_POOL_REGION)


def lambda_handler(event, context):
    """Cognito "Migrate user" trigger attached to the new (prod) user pool.

    Cognito calls this when a sign-in names a user that does not yet exist in
    the new pool. The handler verifies the user's password against the old
    pool, copies their attributes into event['response'] and returns the
    event; Cognito then creates the user itself. Calling admin_create_user
    here is wrong: Cognito creates the user from the returned attributes, and
    a prior admin_create_user makes that step fail with
    UsernameExistsException.
    """
    username = event['userName']

    if event['triggerSource'] != 'UserMigration_Authentication':
        # UserMigration_ForgotPassword carries no password, so the user cannot
        # be verified against the old pool; refuse rather than migrate blindly.
        raise Exception('User migration is only supported at sign-in')

    password = event['request']['password']

    try:
        # Authenticate against the old user pool.
        auth = old_cognito_client.initiate_auth(
            ClientId=OLD_CLIENT_ID,
            AuthFlow='USER_PASSWORD_AUTH',
            AuthParameters={'USERNAME': username, 'PASSWORD': password},
        )
        if 'AuthenticationResult' not in auth:
            # A challenge (MFA, NEW_PASSWORD_REQUIRED, ...) means the password
            # alone did not authenticate the user.
            raise Exception('Old pool returned a challenge; cannot migrate')

        # initiate_auth returns tokens, not attributes; fetch the profile with
        # the access token just issued.
        user = old_cognito_client.get_user(
            AccessToken=auth['AuthenticationResult']['AccessToken']
        )
    except ClientError as e:
        # Log the error code only (never the password) and fail the sign-in
        # with a generic message: Cognito passes this text back to the client.
        logger.warning('Migration of %s failed: %s',
                       username, e.response['Error']['Code'])
        raise Exception('Bad username or password') from e

    user_attributes = {a['Name']: a['Value'] for a in user['UserAttributes']}
    original_sub = user_attributes['sub']  # always present in the old pool

    # The new pool assigns a fresh sub; keep the old one in a custom attribute
    # (custom:old_sub must already be defined in the new pool's schema).
    new_attributes = {
        name: user_attributes[name]
        for name in MIGRATED_ATTRIBUTES
        if name in user_attributes
    }
    new_attributes['custom:old_sub'] = original_sub

    event['response']['userAttributes'] = new_attributes
    event['response']['finalUserStatus'] = 'CONFIRMED'  # no forced reset
    event['response']['messageAction'] = 'SUPPRESS'     # no welcome message
    return event
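The part of the question the trigger alone does not answer is how the API Gateway backend keeps tracking the same person in MongoDB once migrated users carry a new sub. The example below is added here and is not code from the post: it resolves a stable user key from the Cognito authorizer claims, preferring custom:old_sub and falling back to sub, and it checks the one configuration that makes this safe. A custom attribute is only trustworthy as an identity if the app client in the new pool cannot write it; otherwise any user could set custom:old_sub to another migrated user's old sub via UpdateUserAttributes and read that user's records. The claim values, API Gateway event and describe_user_pool_client output are constructed samples; the function names are assumptions.

```python
import uuid

# Constructed sample claims, shaped like the map API Gateway's Cognito
# authorizer exposes in event['requestContext']['authorizer']['claims'].
MIGRATED_CLAIMS = {
    'sub': '2f1e8d6a-0b7c-4c1d-9e3f-5a6b7c8d9e0f',        # new pool's sub
    'custom:old_sub': 'a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d',  # old pool's sub
    'email': 'alice@example.com',
    'token_use': 'id',
}
NEW_USER_CLAIMS = {
    'sub': '6c5b4a39-2817-4f6e-8d5c-4b3a29181706',  # created directly in prod
    'email': 'bob@example.com',
    'token_use': 'id',
}
SAMPLE_EVENT = {  # constructed REST API proxy event (hypothetical)
    'requestContext': {'authorizer': {'claims': MIGRATED_CLAIMS}},
}

# Constructed describe_user_pool_client() responses (hypothetical values).
# WriteAttributes lists the attributes the app client may update on behalf of
# a signed-in user; if custom:old_sub is in it, a user can rewrite it.
INSECURE_CLIENT = {'UserPoolClient': {
    'ClientId': 'abc123', 'WriteAttributes': ['email', 'name', 'custom:old_sub']}}
SAFE_CLIENT = {'UserPoolClient': {
    'ClientId': 'abc123', 'WriteAttributes': ['email', 'name']}}


def stable_user_id(claims):
    """Return the key under which this user's records are stored in MongoDB.

    Users migrated from the old pool carry their original sub in the
    custom:old_sub claim; users created directly in the new pool have no such
    claim and are keyed by the new pool's sub. Both are Cognito-issued UUIDs,
    so anything else is rejected instead of silently falling back to sub,
    which would split one person into two identities.
    """
    if claims.get('token_use') != 'id':
        # Access tokens do not carry custom attributes, so a migrated user
        # presenting one would be mistaken for a brand-new user.
        raise ValueError('an ID token is required to resolve the user id')

    user_id = claims.get('custom:old_sub') or claims['sub']
    # uuid.UUID raises ValueError on non-UUID input; the round-trip check also
    # rejects non-canonical spellings (uppercase, braces, no hyphens).
    if str(uuid.UUID(user_id)) != user_id:
        raise ValueError('user id is not a canonical Cognito sub')
    return user_id


def user_id_from_event(event):
    """Resolve the MongoDB user key from an API Gateway proxy event."""
    claims = event['requestContext']['authorizer']['claims']
    return stable_user_id(claims)


def old_sub_is_user_writable(client_description):
    """True if the app client lets end users overwrite custom:old_sub.

    Takes the dict returned by cognito-idp describe_user_pool_client. A True
    result means the identity mapping above can be hijacked and the client's
    WriteAttributes must be narrowed before custom:old_sub is trusted.
    """
    writable = client_description['UserPoolClient'].get('WriteAttributes', [])
    return 'custom:old_sub' in writable


if __name__ == '__main__':
    print(user_id_from_event(SAMPLE_EVENT))        # the old sub
    print(stable_user_id(NEW_USER_CLAIMS))         # the new sub
    print(old_sub_is_user_writable(INSECURE_CLIENT))  # True: fix the client
```

Run the check against the real app client with boto3's describe_user_pool_client before cutting over, and keep custom:old_sub settable only by the migration trigger (attributes returned from the trigger are written by Cognito, not by the client). With this in place the MongoDB documents never need to change: migrated users keep their old sub as the key and new users are keyed by the new pool's sub.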