Seamless migrations of users in AWS Cognito user pools

Prashant Majhwar
Deskera Engineering
3 min read, May 4, 2020


Cognito user pools come with quick, out-of-the-box integrations when you start. With this in place, users had the flexibility of signing up and signing in from web or mobile. But as soon as we started supporting social authentication, this became a problem.

Problem:

We hit a limitation: once a user pool has been created with its predefined (standard) attributes configured, that configuration cannot be changed. For example, if a pool is created with phone number as a mandatory attribute, it stays mandatory forever.

Solution

The only way out of this problem is to move to a new pool with the desired configuration, which is no easy task when you have a hundred thousand live users. The only option was to build a migration strategy in which existing users are moved seamlessly to the new pool.

We devised a two-step migration approach.

Step 1 — Migration of users registered using phone — lower complexity

These users were authenticated through a custom authentication flow and logged into the app with an OTP, so we did not have to worry about passwords.

An export script fetched the users from the old Cognito pool and imported them into the new Cognito pool.

Step 2 — Migration of users registered using email; this involved not only login but forgot-password too.

An export and import in this case would have resulted in temporary-password emails being sent to all of our users.

Step 2 (a) — Users log in to the web app

We came up with migration Lambdas that took care of moving users from one pool to the other. Flow diagram in the screenshot below.

Step 2 (b) — Users reset their password using the web app

Flow diagram.

Lambda
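As an added example (not Deskera's own Lambda from the screenshot above), here is a Python handler for Cognito's User Migration trigger that covers both flows from steps 2 (a) and 2 (b): on UserMigration_Authentication it checks the password against the old pool with AdminInitiateAuth, on UserMigration_ForgotPassword it only confirms that the user exists, and in both cases it hands the old attributes to the new pool with messageAction SUPPRESS so no temporary-password email goes out. OLD_POOL_ID and OLD_CLIENT_ID are placeholders, FakeOldPool is a constructed stand-in for the boto3 client, and the old app client is assumed to allow ADMIN_NO_SRP_AUTH.

```python
"""Cognito User Migration trigger (added example): on a user's first sign-in or
password reset in the new pool, verify them against the old pool and return their attributes."""

OLD_POOL_ID = "OLD_POOL_ID_PLACEHOLDER"      # placeholder: id of the pool being left
OLD_CLIENT_ID = "OLD_CLIENT_ID_PLACEHOLDER"  # placeholder: old app client with admin auth enabled
# Copied into the new pool; email_verified lets the new pool send the reset code.
COPIED_ATTRIBUTES = ("email", "email_verified", "name", "phone_number")

def lookup_old_user(old_pool, username, password=None):
    """Attributes from the old pool, or None if the user is unknown or the password
    is wrong. The forgot-password flow passes no password: only existence is checked."""
    try:
        if password is not None:
            old_pool.admin_initiate_auth(
                UserPoolId=OLD_POOL_ID, ClientId=OLD_CLIENT_ID, AuthFlow="ADMIN_NO_SRP_AUTH",
                AuthParameters={"USERNAME": username, "PASSWORD": password})
        resp = old_pool.admin_get_user(UserPoolId=OLD_POOL_ID, Username=username)
    except Exception:  # NotAuthorizedException, UserNotFoundException, ...
        return None
    return {a["Name"]: a["Value"] for a in resp.get("UserAttributes", [])}

def handler(event, context=None, old_pool=None):
    if old_pool is None:  # real Lambda: use boto3; tests inject a client instead
        import boto3
        old_pool = boto3.client("cognito-idp")
    source, username = event["triggerSource"], event["userName"]
    if source == "UserMigration_Authentication":
        attrs = lookup_old_user(old_pool, username, event["request"]["password"])
    elif source == "UserMigration_ForgotPassword":
        attrs = lookup_old_user(old_pool, username)
    else:
        raise Exception("unexpected triggerSource " + source)
    if attrs is None:
        raise Exception("bad credentials")  # Cognito shows the user a generic failure
    event["response"]["userAttributes"] = {k: attrs[k] for k in COPIED_ATTRIBUTES if k in attrs}
    event["response"]["finalUserStatus"] = "CONFIRMED"  # the old password keeps working
    event["response"]["messageAction"] = "SUPPRESS"     # no welcome / temporary-password mail
    return event

class FakeOldPool:  # constructed stand-in for the boto3 cognito-idp client (offline demo only)
    USERS = {"alice@example.com": ("correct-horse", [
        {"Name": "email", "Value": "alice@example.com"}, {"Name": "email_verified", "Value": "true"}])}
    def admin_initiate_auth(self, **kw):
        p = kw["AuthParameters"]
        if self.USERS.get(p["USERNAME"], (None,))[0] != p["PASSWORD"]:
            raise Exception("NotAuthorizedException")
    def admin_get_user(self, **kw):
        if kw["Username"] not in self.USERS:
            raise Exception("UserNotFoundException")
        return {"UserAttributes": self.USERS[kw["Username"]][1]}
```

The handler is attached to the new pool as its "User migration" trigger; once every active user has signed in or reset a password through it, the old pool can be retired.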

References: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
