AWS Cognito – triggers

AWS Cognito triggers are Lambda functions that Cognito invokes automatically at specific points of a user's interaction with a user pool, e.g. when a user authenticates in your application, when a user confirms registration, and more.

Here we will show how to automatically assign a newly registered user to a Cognito user group. This mechanism requires a little bit of programming.

Create Lambda function

First of all, we will create a simple Lambda function to do this job. In the AWS console, type Lambda into the Services search box.

In the Lambda console click Create function.

In the next step choose Use a blueprint, type hello-world-python into the filter field and wait for the list to filter. Then select the hello-world-python card and finally click the Configure button.

In the next step choose a name for your function, select Create a new role with basic Lambda permissions and click Create function.

In the function's code editor, put the following code, which performs the assignment of the user to the group. Note that GroupName is hard-coded, while UserPoolId and Username are taken from the input event provided by Cognito.

import json
import boto3
from botocore.exceptions import ClientError

# This function adds a Cognito user to the user group of Litework projects
# when the user confirms their registration (Post confirmation trigger).

def lambda_handler(event, context):

    # Cognito Identity Provider client; the execution role must allow
    # cognito-idp:AdminAddUserToGroup on the user pool
    client = boto3.client('cognito-idp')

    try:
        client.admin_add_user_to_group(
            UserPoolId=event['userPoolId'],  # supplied by Cognito in the event
            Username=event['userName'],      # supplied by Cognito in the event
            GroupName='LiteWorkProjects'     # hard-coded target group
        )

    except ClientError as e:
        # The error is only logged; the event is still returned below,
        # so a failed assignment does not block the confirmation itself.
        print(e)

    # print("Received event: " + json.dumps(event, indent=2))
    print("done :)")
    # Cognito expects the event to be returned from a Post confirmation trigger
    return event

Now specify a test for this function: simply select Configure test events.

Then specify the name of the test and the JSON content, which is the input parameter of our Lambda function. Then click Create.

Now run the test via the Test button and check that your function runs correctly.

A detailed description of the parameters that Cognito hands to your Lambda function can be found in the AWS documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

IAM role

Now scroll down to the Execution role section and click the link to the IAM console for the policy automatically assigned to this function.

On the Summary page click the policy, then Edit policy, then the JSON tab.

You will see the editable JSON structure of the policy. Add a statement allowing access to cognito-idp:*. As you can see in the picture, this allows the function to work with any Cognito resource. You can naturally restrict it to the proper one via the Resource string.

Then click Review policy and then the Save button. Now you can close the IAM Management Console tab.
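As an added example (not code from the page), the following builds the statement the page adds (cognito-idp:* on any resource) next to a least-privilege version limited to the single API the handler calls, cognito-idp:AdminAddUserToGroup, on the single user pool, and includes a small check that flags wildcard actions or resources before the policy is saved. The account ID and pool ID are constructed placeholders.

```python
"""Added example: broad vs. least-privilege IAM statement for the trigger's
execution role, with a wildcard check. IDs are constructed placeholders."""
import json

ACTION = "cognito-idp:AdminAddUserToGroup"  # the only Cognito API the handler calls


def user_pool_arn(pool_id, account_id, partition="aws"):
    """User pool IDs have the form '<region>_<suffix>', so the region is
    derived from the ID itself when building the pool ARN."""
    region, _, suffix = pool_id.partition("_")
    if not region or not suffix:
        raise ValueError(f"unexpected user pool id format: {pool_id!r}")
    return f"arn:{partition}:cognito-idp:{region}:{account_id}:userpool/{pool_id}"


def broad_statement():
    """The statement as described on the page: every cognito-idp action, any resource."""
    return {"Effect": "Allow", "Action": "cognito-idp:*", "Resource": "*"}


def scoped_statement(pool_id, account_id):
    """Least-privilege alternative: one action on one user pool."""
    return {
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": user_pool_arn(pool_id, account_id),
    }


def policy_document(*statements):
    """Wrap statements in a policy document ready to paste into the JSON tab."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def wildcard_findings(policy):
    """Return (statement index, field, value) for every Allow statement whose
    Action or Resource contains a '*'. Log ARNs from the basic Lambda policy
    end in ':*' and will be reported too; that is expected for this check."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            for value in values:
                if "*" in value:
                    findings.append((i, field, value))
    return findings


if __name__ == "__main__":
    pool, account = "us-east-1_EXAMPLEPOOL", "123456789012"  # constructed
    for doc in (policy_document(broad_statement()),
                policy_document(scoped_statement(pool, account))):
        print(json.dumps(doc, indent=2))
        print("wildcards:", wildcard_findings(doc))
```

Pasting the scoped statement instead of the broad one keeps the function working (the handler only ever calls AdminAddUserToGroup) while a compromised function key or a bug in the handler cannot be used to touch other user pools or other Cognito APIs.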

Set Cognito trigger

Now go to the Cognito service.

Select Manage User Pools and select the user pool belonging to your project. On your user pool's screen select Triggers.

Now go to the Post confirmation section, open the Lambda function drop-down and select the Lambda function we just created. Then click the Save changes button at the bottom of the page.

And that's all! Now let's try to register a new user and notice that this user has been automatically added to the group defined in the Lambda function.

Happy coding!