# Scenarios for Amazon Cognito Identity Provider using AWS SDKs Scenarios The following code examples show you how to implement common scenarios in Amazon Cognito Identity Provider with AWS SDKs. These scenarios show you how to accomplish specific tasks by calling multiple functions within Amazon Cognito Identity Provider or combined with other AWS services. Each scenario includes a link to the complete source code, where you can find instructions on how to set up and run the code. Scenarios target an intermediate level of experience to help you understand service actions in context. **Topics** + [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md) + [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) + [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) + [Use Amazon Cognito identity pools](cognito-identity-provider_example_cross_CognitoFlows_section.md) + [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md) # Automatically confirm known Amazon Cognito users with a Lambda function using an AWS SDK Automatically confirm known users with a Lambda function The following code examples show how to automatically confirm known Amazon Cognito users with a Lambda function. + Configure a user pool to call a Lambda function for the `PreSignUp` trigger. + Sign up a user with Amazon Cognito. + The Lambda function scans a DynamoDB table and automatically confirms known users. + Sign in as the new user, then clean up resources. ------ #### [ Go ] **SDK for Go V2** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/workflows/user_pools_and_lambda_triggers#code-examples). Run an interactive scenario at a command prompt. ``` import ( "context" "errors" "log" "strings" "user_pools_and_lambda_triggers/actions" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // AutoConfirm separates the steps of this scenario into individual functions so that // they are simpler to read and understand. type AutoConfirm struct { helper IScenarioHelper questioner demotools.IQuestioner resources Resources cognitoActor *actions.CognitoActions } // NewAutoConfirm constructs a new auto confirm runner. func NewAutoConfirm(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) AutoConfirm { scenario := AutoConfirm{ helper: helper, questioner: questioner, resources: Resources{}, cognitoActor: &actions.CognitoActions{CognitoClient: cognitoidentityprovider.NewFromConfig(sdkConfig)}, } scenario.resources.init(scenario.cognitoActor, questioner) return scenario } // AddPreSignUpTrigger adds a Lambda handler as an invocation target for the PreSignUp trigger. func (runner *AutoConfirm) AddPreSignUpTrigger(ctx context.Context, userPoolId string, functionArn string) { log.Printf("Let's add a Lambda function to handle the PreSignUp trigger from Cognito.\n" + "This trigger happens when a user signs up, and lets your function take action before the main Cognito\n" + "sign up processing occurs.\n") err := runner.cognitoActor.UpdateTriggers( ctx, userPoolId, actions.TriggerInfo{Trigger: actions.PreSignUp, HandlerArn: aws.String(functionArn)}) if err != nil { panic(err) } log.Printf("Lambda function %v added to user pool %v to handle the PreSignUp trigger.\n", functionArn, userPoolId) } // SignUpUser signs up a user from the known user table with a password you specify. func (runner *AutoConfirm) SignUpUser(ctx context.Context, clientId string, usersTable string) (string, string) { log.Println("Let's sign up a user to your Cognito user pool. When the user's email matches an email in the\n" + "DynamoDB known users table, it is automatically verified and the user is confirmed.") knownUsers, err := runner.helper.GetKnownUsers(ctx, usersTable) if err != nil { panic(err) } userChoice := runner.questioner.AskChoice("Which user do you want to use?\n", knownUsers.UserNameList()) user := knownUsers.Users[userChoice] var signedUp bool var userConfirmed bool password := runner.questioner.AskPassword("Enter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.\n"+ "(the password will not display as you type):", 8) for !signedUp { log.Printf("Signing up user '%v' with email '%v' to Cognito.\n", user.UserName, user.UserEmail) userConfirmed, err = runner.cognitoActor.SignUp(ctx, clientId, user.UserName, password, user.UserEmail) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { password = runner.questioner.AskPassword("Enter another password:", 8) } else { panic(err) } } else { signedUp = true } } log.Printf("User %v signed up, confirmed = %v.\n", user.UserName, userConfirmed) log.Println(strings.Repeat("-", 88)) return user.UserName, password } // SignInUser signs in a user. func (runner *AutoConfirm) SignInUser(ctx context.Context, clientId string, userName string, password string) string { runner.questioner.Ask("Press Enter when you're ready to continue.") log.Printf("Let's sign in as %v...\n", userName) authResult, err := runner.cognitoActor.SignIn(ctx, clientId, userName, password) if err != nil { panic(err) } log.Printf("Successfully signed in. Your access token starts with: %v...\n", (*authResult.AccessToken)[:10]) log.Println(strings.Repeat("-", 88)) return *authResult.AccessToken } // Run runs the scenario. func (runner *AutoConfirm) Run(ctx context.Context, stackName string) { defer func() { if r := recover(); r != nil { log.Println("Something went wrong with the demo.") runner.resources.Cleanup(ctx) } }() log.Println(strings.Repeat("-", 88)) log.Printf("Welcome\n") log.Println(strings.Repeat("-", 88)) stackOutputs, err := runner.helper.GetStackOutputs(ctx, stackName) if err != nil { panic(err) } runner.resources.userPoolId = stackOutputs["UserPoolId"] runner.helper.PopulateUserTable(ctx, stackOutputs["TableName"]) runner.AddPreSignUpTrigger(ctx, stackOutputs["UserPoolId"], stackOutputs["AutoConfirmFunctionArn"]) runner.resources.triggers = append(runner.resources.triggers, actions.PreSignUp) userName, password := runner.SignUpUser(ctx, stackOutputs["UserPoolClientId"], stackOutputs["TableName"]) runner.helper.ListRecentLogEvents(ctx, stackOutputs["AutoConfirmFunction"]) runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, runner.SignInUser(ctx, stackOutputs["UserPoolClientId"], userName, password)) runner.resources.Cleanup(ctx) log.Println(strings.Repeat("-", 88)) log.Println("Thanks for watching!") log.Println(strings.Repeat("-", 88)) } ``` Handle the `PreSignUp` trigger with a Lambda function. ``` import ( "context" "log" "os" "github.com/aws/aws-lambda-go/events" "github.com/aws/aws-lambda-go/lambda" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue" "github.com/aws/aws-sdk-go-v2/service/dynamodb" dynamodbtypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" ) const TABLE_NAME = "TABLE_NAME" // UserInfo defines structured user data that can be marshalled to a DynamoDB format. type UserInfo struct { UserName string `dynamodbav:"UserName"` UserEmail string `dynamodbav:"UserEmail"` } // GetKey marshals the user email value to a DynamoDB key format. func (user UserInfo) GetKey() map[string]dynamodbtypes.AttributeValue { userEmail, err := attributevalue.Marshal(user.UserEmail) if err != nil { panic(err) } return map[string]dynamodbtypes.AttributeValue{"UserEmail": userEmail} } type handler struct { dynamoClient *dynamodb.Client } // HandleRequest handles the PreSignUp event by looking up a user in an Amazon DynamoDB table and // specifying whether they should be confirmed and verified. func (h *handler) HandleRequest(ctx context.Context, event events.CognitoEventUserPoolsPreSignup) (events.CognitoEventUserPoolsPreSignup, error) { log.Printf("Received presignup from %v for user '%v'", event.TriggerSource, event.UserName) if event.TriggerSource != "PreSignUp_SignUp" { // Other trigger sources, such as PreSignUp_AdminInitiateAuth, ignore the response from this handler. return event, nil } tableName := os.Getenv(TABLE_NAME) user := UserInfo{ UserEmail: event.Request.UserAttributes["email"], } log.Printf("Looking up email %v in table %v.\n", user.UserEmail, tableName) output, err := h.dynamoClient.GetItem(ctx, &dynamodb.GetItemInput{ Key: user.GetKey(), TableName: aws.String(tableName), }) if err != nil { log.Printf("Error looking up email %v.\n", user.UserEmail) return event, err } if output.Item == nil { log.Printf("Email %v not found. Email verification is required.\n", user.UserEmail) return event, err } err = attributevalue.UnmarshalMap(output.Item, &user) if err != nil { log.Printf("Couldn't unmarshal DynamoDB item. Here's why: %v\n", err) return event, err } if user.UserName != event.UserName { log.Printf("UserEmail %v found, but stored UserName '%v' does not match supplied UserName '%v'. Verification is required.\n", user.UserEmail, user.UserName, event.UserName) } else { log.Printf("UserEmail %v found with matching UserName %v. User is confirmed.\n", user.UserEmail, user.UserName) event.Response.AutoConfirmUser = true event.Response.AutoVerifyEmail = true } return event, err } func main() { ctx := context.Background() sdkConfig, err := config.LoadDefaultConfig(ctx) if err != nil { log.Panicln(err) } h := handler{ dynamoClient: dynamodb.NewFromConfig(sdkConfig), } lambda.Start(h.HandleRequest) } ``` Create a struct that performs common tasks. ``` import ( "context" "log" "strings" "time" "user_pools_and_lambda_triggers/actions" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudformation" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs" "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // IScenarioHelper defines common functions used by the workflows in this example. type IScenarioHelper interface { Pause(secs int) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) PopulateUserTable(ctx context.Context, tableName string) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) AddKnownUser(ctx context.Context, tableName string, user actions.User) ListRecentLogEvents(ctx context.Context, functionName string) } // ScenarioHelper contains AWS wrapper structs used by the workflows in this example. type ScenarioHelper struct { questioner demotools.IQuestioner dynamoActor *actions.DynamoActions cfnActor *actions.CloudFormationActions cwlActor *actions.CloudWatchLogsActions isTestRun bool } // NewScenarioHelper constructs a new scenario helper. func NewScenarioHelper(sdkConfig aws.Config, questioner demotools.IQuestioner) ScenarioHelper { scenario := ScenarioHelper{ questioner: questioner, dynamoActor: &actions.DynamoActions{DynamoClient: dynamodb.NewFromConfig(sdkConfig)}, cfnActor: &actions.CloudFormationActions{CfnClient: cloudformation.NewFromConfig(sdkConfig)}, cwlActor: &actions.CloudWatchLogsActions{CwlClient: cloudwatchlogs.NewFromConfig(sdkConfig)}, } return scenario } // Pause waits for the specified number of seconds. func (helper ScenarioHelper) Pause(secs int) { if !helper.isTestRun { time.Sleep(time.Duration(secs) * time.Second) } } // GetStackOutputs gets the outputs from the specified CloudFormation stack in a structured format. func (helper ScenarioHelper) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) { return helper.cfnActor.GetOutputs(ctx, stackName), nil } // PopulateUserTable fills the known user table with example data. func (helper ScenarioHelper) PopulateUserTable(ctx context.Context, tableName string) { log.Printf("First, let's add some users to the DynamoDB %v table we'll use for this example.\n", tableName) err := helper.dynamoActor.PopulateTable(ctx, tableName) if err != nil { panic(err) } } // GetKnownUsers gets the users from the known users table in a structured format. func (helper ScenarioHelper) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) { knownUsers, err := helper.dynamoActor.Scan(ctx, tableName) if err != nil { log.Printf("Couldn't get known users from table %v. Here's why: %v\n", tableName, err) } return knownUsers, err } // AddKnownUser adds a user to the known users table. func (helper ScenarioHelper) AddKnownUser(ctx context.Context, tableName string, user actions.User) { log.Printf("Adding user '%v' with email '%v' to the DynamoDB known users table...\n", user.UserName, user.UserEmail) err := helper.dynamoActor.AddUser(ctx, tableName, user) if err != nil { panic(err) } } // ListRecentLogEvents gets the most recent log stream and events for the specified Lambda function and displays them. func (helper ScenarioHelper) ListRecentLogEvents(ctx context.Context, functionName string) { log.Println("Waiting a few seconds to let Lambda write to CloudWatch Logs...") helper.Pause(10) log.Println("Okay, let's check the logs to find what's happened recently with your Lambda function.") logStream, err := helper.cwlActor.GetLatestLogStream(ctx, functionName) if err != nil { panic(err) } log.Printf("Getting some recent events from log stream %v\n", *logStream.LogStreamName) events, err := helper.cwlActor.GetLogEvents(ctx, functionName, *logStream.LogStreamName, 10) if err != nil { panic(err) } for _, event := range events { log.Printf("\t%v", *event.Message) } log.Println(strings.Repeat("-", 88)) } ``` Create a struct that wraps Amazon Cognito actions. ``` import ( "context" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types" ) type CognitoActions struct { CognitoClient *cognitoidentityprovider.Client } // Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger. type Trigger int const ( PreSignUp Trigger = iota UserMigration PostAuthentication ) type TriggerInfo struct { Trigger Trigger HandlerArn *string } // UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value, // it is removed from the user pool. func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error { output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{ UserPoolId: aws.String(userPoolId), }) if err != nil { log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err) return err } lambdaConfig := output.UserPool.LambdaConfig for _, trigger := range triggers { switch trigger.Trigger { case PreSignUp: lambdaConfig.PreSignUp = trigger.HandlerArn case UserMigration: lambdaConfig.UserMigration = trigger.HandlerArn case PostAuthentication: lambdaConfig.PostAuthentication = trigger.HandlerArn } } _, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{ UserPoolId: aws.String(userPoolId), LambdaConfig: lambdaConfig, }) if err != nil { log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err) } return err } // SignUp signs up a user with Amazon Cognito. func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) { confirmed := false output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{ ClientId: aws.String(clientId), Password: aws.String(password), Username: aws.String(userName), UserAttributes: []types.AttributeType{ {Name: aws.String("email"), Value: aws.String(userEmail)}, }, }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err) } } else { confirmed = output.UserConfirmed } return confirmed, err } // SignIn signs in a user to Amazon Cognito using a username and password authentication flow. func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) { var authResult *types.AuthenticationResultType output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{ AuthFlow: "USER_PASSWORD_AUTH", ClientId: aws.String(clientId), AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password}, }) if err != nil { var resetRequired *types.PasswordResetRequiredException if errors.As(err, &resetRequired) { log.Println(*resetRequired.Message) } else { log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err) } } else { authResult = output.AuthenticationResult } return authResult, err } // ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code // to the user's configured notification destination, such as email. func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) { output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{ ClientId: aws.String(clientId), Username: aws.String(userName), }) if err != nil { log.Printf("Couldn't start password reset for user '%v'. Here;s why: %v\n", userName, err) } return output.CodeDeliveryDetails, err } // ConfirmForgotPassword confirms a user with a confirmation code and a new password. func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error { _, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{ ClientId: aws.String(clientId), ConfirmationCode: aws.String(code), Password: aws.String(password), Username: aws.String(userName), }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err) } } return err } // DeleteUser removes a user from the user pool. func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error { _, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{ AccessToken: aws.String(userAccessToken), }) if err != nil { log.Printf("Couldn't delete user. Here's why: %v\n", err) } return err } // AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user // in a state that requires they enter a new password next time they sign in. func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error { _, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{ UserPoolId: aws.String(userPoolId), Username: aws.String(userName), MessageAction: types.MessageActionTypeSuppress, UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}}, }) if err != nil { var userExists *types.UsernameExistsException if errors.As(err, &userExists) { log.Printf("User %v already exists in the user pool.", userName) err = nil } else { log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err) } } return err } // AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a // temporary password. func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error { _, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{ Password: aws.String(password), UserPoolId: aws.String(userPoolId), Username: aws.String(userName), Permanent: true, }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err) } } return err } ``` Create a struct that wraps DynamoDB actions. ``` import ( "context" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue" "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" ) // DynamoActions encapsulates the Amazon Simple Notification Service (Amazon SNS) actions // used in the examples. type DynamoActions struct { DynamoClient *dynamodb.Client } // User defines structured user data. type User struct { UserName string UserEmail string LastLogin *LoginInfo `dynamodbav:",omitempty"` } // LoginInfo defines structured custom login data. type LoginInfo struct { UserPoolId string ClientId string Time string } // UserList defines a list of users. type UserList struct { Users []User } // UserNameList returns the usernames contained in a UserList as a list of strings. func (users *UserList) UserNameList() []string { names := make([]string, len(users.Users)) for i := 0; i < len(users.Users); i++ { names[i] = users.Users[i].UserName } return names } // PopulateTable adds a set of test users to the table. func (actor DynamoActions) PopulateTable(ctx context.Context, tableName string) error { var err error var item map[string]types.AttributeValue var writeReqs []types.WriteRequest for i := 1; i < 4; i++ { item, err = attributevalue.MarshalMap(User{UserName: fmt.Sprintf("test_user_%v", i), UserEmail: fmt.Sprintf("test_email_%v@example.com", i)}) if err != nil { log.Printf("Couldn't marshall user into DynamoDB format. Here's why: %v\n", err) return err } writeReqs = append(writeReqs, types.WriteRequest{PutRequest: &types.PutRequest{Item: item}}) } _, err = actor.DynamoClient.BatchWriteItem(ctx, &dynamodb.BatchWriteItemInput{ RequestItems: map[string][]types.WriteRequest{tableName: writeReqs}, }) if err != nil { log.Printf("Couldn't populate table %v with users. Here's why: %v\n", tableName, err) } return err } // Scan scans the table for all items. func (actor DynamoActions) Scan(ctx context.Context, tableName string) (UserList, error) { var userList UserList output, err := actor.DynamoClient.Scan(ctx, &dynamodb.ScanInput{ TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't scan table %v for items. Here's why: %v\n", tableName, err) } else { err = attributevalue.UnmarshalListOfMaps(output.Items, &userList.Users) if err != nil { log.Printf("Couldn't unmarshal items into users. Here's why: %v\n", err) } } return userList, err } // AddUser adds a user item to a table. func (actor DynamoActions) AddUser(ctx context.Context, tableName string, user User) error { userItem, err := attributevalue.MarshalMap(user) if err != nil { log.Printf("Couldn't marshall user to item. Here's why: %v\n", err) } _, err = actor.DynamoClient.PutItem(ctx, &dynamodb.PutItemInput{ Item: userItem, TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't put item in table %v. Here's why: %v", tableName, err) } return err } ``` Create a struct that wraps CloudWatch Logs actions. ``` import ( "context" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types" ) type CloudWatchLogsActions struct { CwlClient *cloudwatchlogs.Client } // GetLatestLogStream gets the most recent log stream for a Lambda function. func (actor CloudWatchLogsActions) GetLatestLogStream(ctx context.Context, functionName string) (types.LogStream, error) { var logStream types.LogStream logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName) output, err := actor.CwlClient.DescribeLogStreams(ctx, &cloudwatchlogs.DescribeLogStreamsInput{ Descending: aws.Bool(true), Limit: aws.Int32(1), LogGroupName: aws.String(logGroupName), OrderBy: types.OrderByLastEventTime, }) if err != nil { log.Printf("Couldn't get log streams for log group %v. Here's why: %v\n", logGroupName, err) } else { logStream = output.LogStreams[0] } return logStream, err } // GetLogEvents gets the most recent eventCount events from the specified log stream. func (actor CloudWatchLogsActions) GetLogEvents(ctx context.Context, functionName string, logStreamName string, eventCount int32) ( []types.OutputLogEvent, error) { var events []types.OutputLogEvent logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName) output, err := actor.CwlClient.GetLogEvents(ctx, &cloudwatchlogs.GetLogEventsInput{ LogStreamName: aws.String(logStreamName), Limit: aws.Int32(eventCount), LogGroupName: aws.String(logGroupName), }) if err != nil { log.Printf("Couldn't get log event for log stream %v. Here's why: %v\n", logStreamName, err) } else { events = output.Events } return events, err } ``` Create a struct that wraps CloudFormation actions. ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudformation" ) // StackOutputs defines a map of outputs from a specific stack. type StackOutputs map[string]string type CloudFormationActions struct { CfnClient *cloudformation.Client } // GetOutputs gets the outputs from a CloudFormation stack and puts them into a structured format. func (actor CloudFormationActions) GetOutputs(ctx context.Context, stackName string) StackOutputs { output, err := actor.CfnClient.DescribeStacks(ctx, &cloudformation.DescribeStacksInput{ StackName: aws.String(stackName), }) if err != nil || len(output.Stacks) == 0 { log.Panicf("Couldn't find a CloudFormation stack named %v. Here's why: %v\n", stackName, err) } stackOutputs := StackOutputs{} for _, out := range output.Stacks[0].Outputs { stackOutputs[*out.OutputKey] = *out.OutputValue } return stackOutputs } ``` Clean up resources. ``` import ( "context" "log" "user_pools_and_lambda_triggers/actions" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // Resources keeps track of AWS resources created during an example and handles // cleanup when the example finishes. type Resources struct { userPoolId string userAccessTokens []string triggers []actions.Trigger cognitoActor *actions.CognitoActions questioner demotools.IQuestioner } func (resources *Resources) init(cognitoActor *actions.CognitoActions, questioner demotools.IQuestioner) { resources.userAccessTokens = []string{} resources.triggers = []actions.Trigger{} resources.cognitoActor = cognitoActor resources.questioner = questioner } // Cleanup deletes all AWS resources created during an example. func (resources *Resources) Cleanup(ctx context.Context) { defer func() { if r := recover(); r != nil { log.Printf("Something went wrong during cleanup.\n%v\n", r) log.Println("Use the AWS Management Console to remove any remaining resources \n" + "that were created for this scenario.") } }() wantDelete := resources.questioner.AskBool("Do you want to remove all of the AWS resources that were created "+ "during this demo (y/n)?", "y") if wantDelete { for _, accessToken := range resources.userAccessTokens { err := resources.cognitoActor.DeleteUser(ctx, accessToken) if err != nil { log.Println("Couldn't delete user during cleanup.") panic(err) } log.Println("Deleted user.") } triggerList := make([]actions.TriggerInfo, len(resources.triggers)) for i := 0; i < len(resources.triggers); i++ { triggerList[i] = actions.TriggerInfo{Trigger: resources.triggers[i], HandlerArn: nil} } err := resources.cognitoActor.UpdateTriggers(ctx, resources.userPoolId, triggerList...) if err != nil { log.Println("Couldn't update Cognito triggers during cleanup.") panic(err) } log.Println("Removed Cognito triggers from user pool.") } else { log.Println("Be sure to remove resources when you're done with them to avoid unexpected charges!") } } ``` + For API details, see the following topics in *AWS SDK for Go API Reference*. + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser) + [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth) + [SignUp](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.SignUp) + [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool) ------ #### [ JavaScript ] **SDK for JavaScript (v3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-pools-triggers#code-examples). Configure an interactive "Scenario" run. The JavaScript (v3) examples share a Scenario runner to streamline complex examples. The complete source code is on GitHub. ``` import { AutoConfirm } from "./scenario-auto-confirm.js"; /** * The context is passed to every scenario. Scenario steps * will modify the context. */ const context = { errors: [], users: [ { UserName: "test_user_1", UserEmail: "test_email_1@example.com", }, { UserName: "test_user_2", UserEmail: "test_email_2@example.com", }, { UserName: "test_user_3", UserEmail: "test_email_3@example.com", }, ], }; /** * Three Scenarios are created for the workflow. A Scenario is an orchestration class * that simplifies running a series of steps. */ export const scenarios = { // Demonstrate automatically confirming known users in a database. "auto-confirm": AutoConfirm(context), }; // Call function if run directly import { fileURLToPath } from "node:url"; import { parseScenarioArgs } from "@aws-doc-sdk-examples/lib/scenario/index.js"; if (process.argv[1] === fileURLToPath(import.meta.url)) { parseScenarioArgs(scenarios, { name: "Cognito user pools and triggers", description: "Demonstrate how to use the AWS SDKs to customize Amazon Cognito authentication behavior.", }); } ``` This Scenario demonstrates auto-confirming a known user. It orchestrates the example steps. ``` import { wait } from "@aws-doc-sdk-examples/lib/utils/util-timers.js"; import { Scenario, ScenarioAction, ScenarioInput, ScenarioOutput, } from "@aws-doc-sdk-examples/lib/scenario/scenario.js"; import { getStackOutputs, logCleanUpReminder, promptForStackName, promptForStackRegion, skipWhenErrors, } from "./steps-common.js"; import { populateTable } from "./actions/dynamodb-actions.js"; import { addPreSignUpHandler, deleteUser, getUser, signIn, signUpUser, } from "./actions/cognito-actions.js"; import { getLatestLogStreamForLambda, getLogEvents, } from "./actions/cloudwatch-logs-actions.js"; /** * @typedef {{ * errors: Error[], * password: string, * users: { UserName: string, UserEmail: string }[], * selectedUser?: string, * stackName?: string, * stackRegion?: string, * token?: string, * confirmDeleteSignedInUser?: boolean, * TableName?: string, * UserPoolClientId?: string, * UserPoolId?: string, * UserPoolArn?: string, * AutoConfirmHandlerArn?: string, * AutoConfirmHandlerName?: string * }} State */ const greeting = new ScenarioOutput( "greeting", (/** @type {State} */ state) => `This demo will populate some users into the \ database created as part of the "${state.stackName}" stack. \ Then the AutoConfirmHandler will be linked to the PreSignUp \ trigger from Cognito. Finally, you will choose a user to sign up.`, { skipWhen: skipWhenErrors }, ); const logPopulatingUsers = new ScenarioOutput( "logPopulatingUsers", "Populating the DynamoDB table with some users.", { skipWhenErrors: skipWhenErrors }, ); const logPopulatingUsersComplete = new ScenarioOutput( "logPopulatingUsersComplete", "Done populating users.", { skipWhen: skipWhenErrors }, ); const populateUsers = new ScenarioAction( "populateUsers", async (/** @type {State} */ state) => { const [_, err] = await populateTable({ region: state.stackRegion, tableName: state.TableName, items: state.users, }); if (err) { state.errors.push(err); } }, { skipWhen: skipWhenErrors, }, ); const logSetupSignUpTrigger = new ScenarioOutput( "logSetupSignUpTrigger", "Setting up the PreSignUp trigger for the Cognito User Pool.", { skipWhen: skipWhenErrors }, ); const setupSignUpTrigger = new ScenarioAction( "setupSignUpTrigger", async (/** @type {State} */ state) => { const [_, err] = await addPreSignUpHandler({ region: state.stackRegion, userPoolId: state.UserPoolId, handlerArn: state.AutoConfirmHandlerArn, }); if (err) { state.errors.push(err); } }, { skipWhen: skipWhenErrors, }, ); const logSetupSignUpTriggerComplete = new ScenarioOutput( "logSetupSignUpTriggerComplete", ( /** @type {State} */ state, ) => `The lambda function "${state.AutoConfirmHandlerName}" \ has been configured as the PreSignUp trigger handler for the user pool "${state.UserPoolId}".`, { skipWhen: skipWhenErrors }, ); const selectUser = new ScenarioInput( "selectedUser", "Select a user to sign up.", { type: "select", choices: (/** @type {State} */ state) => state.users.map((u) => u.UserName), skipWhen: skipWhenErrors, default: (/** @type {State} */ state) => state.users[0].UserName, }, ); const checkIfUserAlreadyExists = new ScenarioAction( "checkIfUserAlreadyExists", async (/** @type {State} */ state) => { const [user, err] = await getUser({ region: state.stackRegion, userPoolId: state.UserPoolId, username: state.selectedUser, }); if (err?.name === "UserNotFoundException") { // Do nothing. We're not expecting the user to exist before // sign up is complete. return; } if (err) { state.errors.push(err); return; } if (user) { state.errors.push( new Error( `The user "${state.selectedUser}" already exists in the user pool "${state.UserPoolId}".`, ), ); } }, { skipWhen: skipWhenErrors, }, ); const createPassword = new ScenarioInput( "password", "Enter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.", { type: "password", skipWhen: skipWhenErrors, default: "Abcd1234!" }, ); const logSignUpExistingUser = new ScenarioOutput( "logSignUpExistingUser", (/** @type {State} */ state) => `Signing up user "${state.selectedUser}".`, { skipWhen: skipWhenErrors }, ); const signUpExistingUser = new ScenarioAction( "signUpExistingUser", async (/** @type {State} */ state) => { const signUp = (password) => signUpUser({ region: state.stackRegion, userPoolClientId: state.UserPoolClientId, username: state.selectedUser, email: state.users.find((u) => u.UserName === state.selectedUser) .UserEmail, password, }); let [_, err] = await signUp(state.password); while (err?.name === "InvalidPasswordException") { console.warn("The password you entered was invalid."); await createPassword.handle(state); [_, err] = await signUp(state.password); } if (err) { state.errors.push(err); } }, { skipWhen: skipWhenErrors }, ); const logSignUpExistingUserComplete = new ScenarioOutput( "logSignUpExistingUserComplete", (/** @type {State} */ state) => `"${state.selectedUser} was signed up successfully.`, { skipWhen: skipWhenErrors }, ); const logLambdaLogs = new ScenarioAction( "logLambdaLogs", async (/** @type {State} */ state) => { console.log( "Waiting a few seconds to let Lambda write to CloudWatch Logs...\n", ); await wait(10); const [logStream, logStreamErr] = await getLatestLogStreamForLambda({ functionName: state.AutoConfirmHandlerName, region: state.stackRegion, }); if (logStreamErr) { state.errors.push(logStreamErr); return; } console.log( `Getting some recent events from log stream "${logStream.logStreamName}"`, ); const [logEvents, logEventsErr] = await getLogEvents({ functionName: state.AutoConfirmHandlerName, region: state.stackRegion, eventCount: 10, logStreamName: logStream.logStreamName, }); if (logEventsErr) { state.errors.push(logEventsErr); return; } console.log(logEvents.map((ev) => `\t${ev.message}`).join("")); }, { skipWhen: skipWhenErrors }, ); const logSignInUser = new ScenarioOutput( "logSignInUser", (/** @type {State} */ state) => `Let's sign in as ${state.selectedUser}`, { skipWhen: skipWhenErrors }, ); const signInUser = new ScenarioAction( "signInUser", async (/** @type {State} */ state) => { const [response, err] = await signIn({ region: state.stackRegion, clientId: state.UserPoolClientId, username: state.selectedUser, password: state.password, }); if (err?.name === "PasswordResetRequiredException") { state.errors.push(new Error("Please reset your password.")); return; } if (err) { state.errors.push(err); return; } state.token = response?.AuthenticationResult?.AccessToken; }, { skipWhen: skipWhenErrors }, ); const logSignInUserComplete = new ScenarioOutput( "logSignInUserComplete", (/** @type {State} */ state) => `Successfully signed in. Your access token starts with: ${state.token.slice(0, 11)}`, { skipWhen: skipWhenErrors }, ); const confirmDeleteSignedInUser = new ScenarioInput( "confirmDeleteSignedInUser", "Do you want to delete the currently signed in user?", { type: "confirm", skipWhen: skipWhenErrors }, ); const deleteSignedInUser = new ScenarioAction( "deleteSignedInUser", async (/** @type {State} */ state) => { const [_, err] = await deleteUser({ region: state.stackRegion, accessToken: state.token, }); if (err) { state.errors.push(err); } }, { skipWhen: (/** @type {State} */ state) => skipWhenErrors(state) || !state.confirmDeleteSignedInUser, }, ); const logErrors = new ScenarioOutput( "logErrors", (/** @type {State}*/ state) => { const errorList = state.errors .map((err) => ` - ${err.name}: ${err.message}`) .join("\n"); return `Scenario errors found:\n${errorList}`; }, { // Don't log errors when there aren't any! skipWhen: (/** @type {State} */ state) => state.errors.length === 0, }, ); export const AutoConfirm = (context) => new Scenario( "AutoConfirm", [ promptForStackName, promptForStackRegion, getStackOutputs, greeting, logPopulatingUsers, populateUsers, logPopulatingUsersComplete, logSetupSignUpTrigger, setupSignUpTrigger, logSetupSignUpTriggerComplete, selectUser, checkIfUserAlreadyExists, createPassword, logSignUpExistingUser, signUpExistingUser, logSignUpExistingUserComplete, logLambdaLogs, logSignInUser, signInUser, logSignInUserComplete, confirmDeleteSignedInUser, deleteSignedInUser, logCleanUpReminder, logErrors, ], context, ); ``` These are steps that are shared with other Scenarios. ``` import { ScenarioAction, ScenarioInput, ScenarioOutput, } from "@aws-doc-sdk-examples/lib/scenario/scenario.js"; import { getCfnOutputs } from "@aws-doc-sdk-examples/lib/sdk/cfn-outputs.js"; export const skipWhenErrors = (state) => state.errors.length > 0; export const getStackOutputs = new ScenarioAction( "getStackOutputs", async (state) => { if (!state.stackName || !state.stackRegion) { state.errors.push( new Error( "No stack name or region provided. The stack name and \ region are required to fetch CFN outputs relevant to this example.", ), ); return; } const outputs = await getCfnOutputs(state.stackName, state.stackRegion); Object.assign(state, outputs); }, ); export const promptForStackName = new ScenarioInput( "stackName", "Enter the name of the stack you deployed earlier.", { type: "input", default: "PoolsAndTriggersStack" }, ); export const promptForStackRegion = new ScenarioInput( "stackRegion", "Enter the region of the stack you deployed earlier.", { type: "input", default: "us-east-1" }, ); export const logCleanUpReminder = new ScenarioOutput( "logCleanUpReminder", "All done. Remember to run 'cdk destroy' to teardown the stack.", { skipWhen: skipWhenErrors }, ); ``` A handler for the `PreSignUp` trigger with a Lambda function. ``` import type { PreSignUpTriggerEvent, Handler } from "aws-lambda"; import type { UserRepository } from "./user-repository"; import { DynamoDBUserRepository } from "./user-repository"; export class PreSignUpHandler { private userRepository: UserRepository; constructor(userRepository: UserRepository) { this.userRepository = userRepository; } private isPreSignUpTriggerSource(event: PreSignUpTriggerEvent): boolean { return event.triggerSource === "PreSignUp_SignUp"; } private getEventUserEmail(event: PreSignUpTriggerEvent): string { return event.request.userAttributes.email; } async handlePreSignUpTriggerEvent( event: PreSignUpTriggerEvent, ): Promise { console.log( `Received presignup from ${event.triggerSource} for user '${event.userName}'`, ); if (!this.isPreSignUpTriggerSource(event)) { return event; } const eventEmail = this.getEventUserEmail(event); console.log(`Looking up email ${eventEmail}.`); const storedUserInfo = await this.userRepository.getUserInfoByEmail(eventEmail); if (!storedUserInfo) { console.log( `Email ${eventEmail} not found. Email verification is required.`, ); return event; } if (storedUserInfo.UserName !== event.userName) { console.log( `UserEmail ${eventEmail} found, but stored UserName '${storedUserInfo.UserName}' does not match supplied UserName '${event.userName}'. Verification is required.`, ); } else { console.log( `UserEmail ${eventEmail} found with matching UserName ${storedUserInfo.UserName}. User is confirmed.`, ); event.response.autoConfirmUser = true; event.response.autoVerifyEmail = true; } return event; } } const createPreSignUpHandler = (): PreSignUpHandler => { const tableName = process.env.TABLE_NAME; if (!tableName) { throw new Error("TABLE_NAME environment variable is not set"); } const userRepository = new DynamoDBUserRepository(tableName); return new PreSignUpHandler(userRepository); }; export const handler: Handler = async (event: PreSignUpTriggerEvent) => { const preSignUpHandler = createPreSignUpHandler(); return preSignUpHandler.handlePreSignUpTriggerEvent(event); }; ``` Module of CloudWatch Logs actions. ``` import { CloudWatchLogsClient, GetLogEventsCommand, OrderBy, paginateDescribeLogStreams, } from "@aws-sdk/client-cloudwatch-logs"; /** * Get the latest log stream for a Lambda function. * @param {{ functionName: string, region: string }} config * @returns {Promise<[import("@aws-sdk/client-cloudwatch-logs").LogStream | null, unknown]>} */ export const getLatestLogStreamForLambda = async ({ functionName, region }) => { try { const logGroupName = `/aws/lambda/${functionName}`; const cwlClient = new CloudWatchLogsClient({ region }); const paginator = paginateDescribeLogStreams( { client: cwlClient }, { descending: true, limit: 1, orderBy: OrderBy.LastEventTime, logGroupName, }, ); for await (const page of paginator) { return [page.logStreams[0], null]; } } catch (err) { return [null, err]; } }; /** * Get the log events for a Lambda function's log stream. * @param {{ * functionName: string, * logStreamName: string, * eventCount: number, * region: string * }} config * @returns {Promise<[import("@aws-sdk/client-cloudwatch-logs").OutputLogEvent[] | null, unknown]>} */ export const getLogEvents = async ({ functionName, logStreamName, eventCount, region, }) => { try { const cwlClient = new CloudWatchLogsClient({ region }); const logGroupName = `/aws/lambda/${functionName}`; const response = await cwlClient.send( new GetLogEventsCommand({ logStreamName: logStreamName, limit: eventCount, logGroupName: logGroupName, }), ); return [response.events, null]; } catch (err) { return [null, err]; } }; ``` Module of Amazon Cognito actions. ``` import { AdminGetUserCommand, CognitoIdentityProviderClient, DeleteUserCommand, InitiateAuthCommand, SignUpCommand, UpdateUserPoolCommand, } from "@aws-sdk/client-cognito-identity-provider"; /** * Connect a Lambda function to the PreSignUp trigger for a Cognito user pool * @param {{ region: string, userPoolId: string, handlerArn: string }} config * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").UpdateUserPoolCommandOutput | null, unknown]>} */ export const addPreSignUpHandler = async ({ region, userPoolId, handlerArn, }) => { try { const cognitoClient = new CognitoIdentityProviderClient({ region, }); const command = new UpdateUserPoolCommand({ UserPoolId: userPoolId, LambdaConfig: { PreSignUp: handlerArn, }, }); const response = await cognitoClient.send(command); return [response, null]; } catch (err) { return [null, err]; } }; /** * Attempt to register a user to a user pool with a given username and password. * @param {{ * region: string, * userPoolClientId: string, * username: string, * email: string, * password: string * }} config * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").SignUpCommandOutput | null, unknown]>} */ export const signUpUser = async ({ region, userPoolClientId, username, email, password, }) => { try { const cognitoClient = new CognitoIdentityProviderClient({ region, }); const response = await cognitoClient.send( new SignUpCommand({ ClientId: userPoolClientId, Username: username, Password: password, UserAttributes: [{ Name: "email", Value: email }], }), ); return [response, null]; } catch (err) { return [null, err]; } }; /** * Sign in a user to Amazon Cognito using a username and password authentication flow. * @param {{ region: string, clientId: string, username: string, password: string }} config * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").InitiateAuthCommandOutput | null, unknown]>} */ export const signIn = async ({ region, clientId, username, password }) => { try { const cognitoClient = new CognitoIdentityProviderClient({ region }); const response = await cognitoClient.send( new InitiateAuthCommand({ AuthFlow: "USER_PASSWORD_AUTH", ClientId: clientId, AuthParameters: { USERNAME: username, PASSWORD: password }, }), ); return [response, null]; } catch (err) { return [null, err]; } }; /** * Retrieve an existing user from a user pool. * @param {{ region: string, userPoolId: string, username: string }} config * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").AdminGetUserCommandOutput | null, unknown]>} */ export const getUser = async ({ region, userPoolId, username }) => { try { const cognitoClient = new CognitoIdentityProviderClient({ region }); const response = await cognitoClient.send( new AdminGetUserCommand({ UserPoolId: userPoolId, Username: username, }), ); return [response, null]; } catch (err) { return [null, err]; } }; /** * Delete the signed-in user. Useful for allowing a user to delete their * own profile. * @param {{ region: string, accessToken: string }} config * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").DeleteUserCommandOutput | null, unknown]>} */ export const deleteUser = async ({ region, accessToken }) => { try { const client = new CognitoIdentityProviderClient({ region }); const response = await client.send( new DeleteUserCommand({ AccessToken: accessToken }), ); return [response, null]; } catch (err) { return [null, err]; } }; ``` Module of DynamoDB actions. ``` import { DynamoDBClient } from "@aws-sdk/client-dynamodb"; import { BatchWriteCommand, DynamoDBDocumentClient, } from "@aws-sdk/lib-dynamodb"; /** * Populate a DynamoDB table with provide items. * @param {{ region: string, tableName: string, items: Record[] }} config * @returns {Promise<[import("@aws-sdk/lib-dynamodb").BatchWriteCommandOutput | null, unknown]>} */ export const populateTable = async ({ region, tableName, items }) => { try { const ddbClient = new DynamoDBClient({ region }); const docClient = DynamoDBDocumentClient.from(ddbClient); const response = await docClient.send( new BatchWriteCommand({ RequestItems: { [tableName]: items.map((item) => ({ PutRequest: { Item: item, }, })), }, }), ); return [response, null]; } catch (err) { return [null, err]; } }; ``` + For API details, see the following topics in *AWS SDK for JavaScript API Reference*. + [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteUserCommand) + [InitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/InitiateAuthCommand) + [SignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/SignUpCommand) + [UpdateUserPool](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/UpdateUserPoolCommand) ------ For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions. # Automatically migrate known Amazon Cognito users with a Lambda function using an AWS SDK Automatically migrate known users with a Lambda function The following code example shows how to automatically migrate known Amazon Cognito users with a Lambda function. + Configure a user pool to call a Lambda function for the `MigrateUser` trigger. + Sign in to Amazon Cognito with a username and email that is not in the user pool. + The Lambda function scans a DynamoDB table and automatically migrates known users to the user pool. + Perform the forgot password flow to reset the password for the migrated user. + Sign in as the new user, then clean up resources. ------ #### [ Go ] **SDK for Go V2** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/workflows/user_pools_and_lambda_triggers#code-examples). Run an interactive scenario at a command prompt. ``` import ( "context" "errors" "fmt" "log" "strings" "user_pools_and_lambda_triggers/actions" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // MigrateUser separates the steps of this scenario into individual functions so that // they are simpler to read and understand. type MigrateUser struct { helper IScenarioHelper questioner demotools.IQuestioner resources Resources cognitoActor *actions.CognitoActions } // NewMigrateUser constructs a new migrate user runner. func NewMigrateUser(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) MigrateUser { scenario := MigrateUser{ helper: helper, questioner: questioner, resources: Resources{}, cognitoActor: &actions.CognitoActions{CognitoClient: cognitoidentityprovider.NewFromConfig(sdkConfig)}, } scenario.resources.init(scenario.cognitoActor, questioner) return scenario } // AddMigrateUserTrigger adds a Lambda handler as an invocation target for the MigrateUser trigger. func (runner *MigrateUser) AddMigrateUserTrigger(ctx context.Context, userPoolId string, functionArn string) { log.Printf("Let's add a Lambda function to handle the MigrateUser trigger from Cognito.\n" + "This trigger happens when an unknown user signs in, and lets your function take action before Cognito\n" + "rejects the user.\n\n") err := runner.cognitoActor.UpdateTriggers( ctx, userPoolId, actions.TriggerInfo{Trigger: actions.UserMigration, HandlerArn: aws.String(functionArn)}) if err != nil { panic(err) } log.Printf("Lambda function %v added to user pool %v to handle the MigrateUser trigger.\n", functionArn, userPoolId) log.Println(strings.Repeat("-", 88)) } // SignInUser adds a new user to the known users table and signs that user in to Amazon Cognito. func (runner *MigrateUser) SignInUser(ctx context.Context, usersTable string, clientId string) (bool, actions.User) { log.Println("Let's sign in a user to your Cognito user pool. When the username and email matches an entry in the\n" + "DynamoDB known users table, the email is automatically verified and the user is migrated to the Cognito user pool.") user := actions.User{} user.UserName = runner.questioner.Ask("\nEnter a username:") user.UserEmail = runner.questioner.Ask("\nEnter an email that you own. This email will be used to confirm user migration\n" + "during this example:") runner.helper.AddKnownUser(ctx, usersTable, user) var err error var resetRequired *types.PasswordResetRequiredException var authResult *types.AuthenticationResultType signedIn := false for !signedIn && resetRequired == nil { log.Printf("Signing in to Cognito as user '%v'. The expected result is a PasswordResetRequiredException.\n\n", user.UserName) authResult, err = runner.cognitoActor.SignIn(ctx, clientId, user.UserName, "_") if err != nil { if errors.As(err, &resetRequired) { log.Printf("\nUser '%v' is not in the Cognito user pool but was found in the DynamoDB known users table.\n"+ "User migration is started and a password reset is required.", user.UserName) } else { panic(err) } } else { log.Printf("User '%v' successfully signed in. This is unexpected and probably means you have not\n"+ "cleaned up a previous run of this scenario, so the user exist in the Cognito user pool.\n"+ "You can continue this example and select to clean up resources, or manually remove\n"+ "the user from your user pool and try again.", user.UserName) runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, *authResult.AccessToken) signedIn = true } } log.Println(strings.Repeat("-", 88)) return resetRequired != nil, user } // ResetPassword starts a password recovery flow. func (runner *MigrateUser) ResetPassword(ctx context.Context, clientId string, user actions.User) { wantCode := runner.questioner.AskBool(fmt.Sprintf("In order to migrate the user to Cognito, you must be able to receive a confirmation\n"+ "code by email at %v. Do you want to send a code (y/n)?", user.UserEmail), "y") if !wantCode { log.Println("To complete this example and successfully migrate a user to Cognito, you must enter an email\n" + "you own that can receive a confirmation code.") return } codeDelivery, err := runner.cognitoActor.ForgotPassword(ctx, clientId, user.UserName) if err != nil { panic(err) } log.Printf("\nA confirmation code has been sent to %v.", *codeDelivery.Destination) code := runner.questioner.Ask("Check your email and enter it here:") confirmed := false password := runner.questioner.AskPassword("\nEnter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.\n"+ "(the password will not display as you type):", 8) for !confirmed { log.Printf("\nConfirming password reset for user '%v'.\n", user.UserName) err = runner.cognitoActor.ConfirmForgotPassword(ctx, clientId, code, user.UserName, password) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { password = runner.questioner.AskPassword("\nEnter another password:", 8) } else { panic(err) } } else { confirmed = true } } log.Printf("User '%v' successfully confirmed and migrated.\n", user.UserName) log.Println("Signing in with your username and password...") authResult, err := runner.cognitoActor.SignIn(ctx, clientId, user.UserName, password) if err != nil { panic(err) } log.Printf("Successfully signed in. Your access token starts with: %v...\n", (*authResult.AccessToken)[:10]) runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, *authResult.AccessToken) log.Println(strings.Repeat("-", 88)) } // Run runs the scenario. func (runner *MigrateUser) Run(ctx context.Context, stackName string) { defer func() { if r := recover(); r != nil { log.Println("Something went wrong with the demo.") runner.resources.Cleanup(ctx) } }() log.Println(strings.Repeat("-", 88)) log.Printf("Welcome\n") log.Println(strings.Repeat("-", 88)) stackOutputs, err := runner.helper.GetStackOutputs(ctx, stackName) if err != nil { panic(err) } runner.resources.userPoolId = stackOutputs["UserPoolId"] runner.AddMigrateUserTrigger(ctx, stackOutputs["UserPoolId"], stackOutputs["MigrateUserFunctionArn"]) runner.resources.triggers = append(runner.resources.triggers, actions.UserMigration) resetNeeded, user := runner.SignInUser(ctx, stackOutputs["TableName"], stackOutputs["UserPoolClientId"]) if resetNeeded { runner.helper.ListRecentLogEvents(ctx, stackOutputs["MigrateUserFunction"]) runner.ResetPassword(ctx, stackOutputs["UserPoolClientId"], user) } runner.resources.Cleanup(ctx) log.Println(strings.Repeat("-", 88)) log.Println("Thanks for watching!") log.Println(strings.Repeat("-", 88)) } ``` Handle the `MigrateUser` trigger with a Lambda function. ``` import ( "context" "log" "os" "github.com/aws/aws-lambda-go/events" "github.com/aws/aws-lambda-go/lambda" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression" "github.com/aws/aws-sdk-go-v2/service/dynamodb" ) const TABLE_NAME = "TABLE_NAME" // UserInfo defines structured user data that can be marshalled to a DynamoDB format. type UserInfo struct { UserName string `dynamodbav:"UserName"` UserEmail string `dynamodbav:"UserEmail"` } type handler struct { dynamoClient *dynamodb.Client } // HandleRequest handles the MigrateUser event by looking up a user in an Amazon DynamoDB table and // specifying whether they should be migrated to the user pool. func (h *handler) HandleRequest(ctx context.Context, event events.CognitoEventUserPoolsMigrateUser) (events.CognitoEventUserPoolsMigrateUser, error) { log.Printf("Received migrate trigger from %v for user '%v'", event.TriggerSource, event.UserName) if event.TriggerSource != "UserMigration_Authentication" { return event, nil } tableName := os.Getenv(TABLE_NAME) user := UserInfo{ UserName: event.UserName, } log.Printf("Looking up user '%v' in table %v.\n", user.UserName, tableName) filterEx := expression.Name("UserName").Equal(expression.Value(user.UserName)) expr, err := expression.NewBuilder().WithFilter(filterEx).Build() if err != nil { log.Printf("Error building expression to query for user '%v'.\n", user.UserName) return event, err } output, err := h.dynamoClient.Scan(ctx, &dynamodb.ScanInput{ TableName: aws.String(tableName), FilterExpression: expr.Filter(), ExpressionAttributeNames: expr.Names(), ExpressionAttributeValues: expr.Values(), }) if err != nil { log.Printf("Error looking up user '%v'.\n", user.UserName) return event, err } if len(output.Items) == 0 { log.Printf("User '%v' not found, not migrating user.\n", user.UserName) return event, err } var users []UserInfo err = attributevalue.UnmarshalListOfMaps(output.Items, &users) if err != nil { log.Printf("Couldn't unmarshal DynamoDB items. Here's why: %v\n", err) return event, err } user = users[0] log.Printf("UserName '%v' found with email %v. User is migrated and must reset password.\n", user.UserName, user.UserEmail) event.CognitoEventUserPoolsMigrateUserResponse.UserAttributes = map[string]string{ "email": user.UserEmail, "email_verified": "true", // email_verified is required for the forgot password flow. } event.CognitoEventUserPoolsMigrateUserResponse.FinalUserStatus = "RESET_REQUIRED" event.CognitoEventUserPoolsMigrateUserResponse.MessageAction = "SUPPRESS" return event, err } func main() { ctx := context.Background() sdkConfig, err := config.LoadDefaultConfig(ctx) if err != nil { log.Panicln(err) } h := handler{ dynamoClient: dynamodb.NewFromConfig(sdkConfig), } lambda.Start(h.HandleRequest) } ``` Create a struct that performs common tasks. ``` import ( "context" "log" "strings" "time" "user_pools_and_lambda_triggers/actions" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudformation" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs" "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // IScenarioHelper defines common functions used by the workflows in this example. type IScenarioHelper interface { Pause(secs int) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) PopulateUserTable(ctx context.Context, tableName string) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) AddKnownUser(ctx context.Context, tableName string, user actions.User) ListRecentLogEvents(ctx context.Context, functionName string) } // ScenarioHelper contains AWS wrapper structs used by the workflows in this example. type ScenarioHelper struct { questioner demotools.IQuestioner dynamoActor *actions.DynamoActions cfnActor *actions.CloudFormationActions cwlActor *actions.CloudWatchLogsActions isTestRun bool } // NewScenarioHelper constructs a new scenario helper. func NewScenarioHelper(sdkConfig aws.Config, questioner demotools.IQuestioner) ScenarioHelper { scenario := ScenarioHelper{ questioner: questioner, dynamoActor: &actions.DynamoActions{DynamoClient: dynamodb.NewFromConfig(sdkConfig)}, cfnActor: &actions.CloudFormationActions{CfnClient: cloudformation.NewFromConfig(sdkConfig)}, cwlActor: &actions.CloudWatchLogsActions{CwlClient: cloudwatchlogs.NewFromConfig(sdkConfig)}, } return scenario } // Pause waits for the specified number of seconds. func (helper ScenarioHelper) Pause(secs int) { if !helper.isTestRun { time.Sleep(time.Duration(secs) * time.Second) } } // GetStackOutputs gets the outputs from the specified CloudFormation stack in a structured format. func (helper ScenarioHelper) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) { return helper.cfnActor.GetOutputs(ctx, stackName), nil } // PopulateUserTable fills the known user table with example data. func (helper ScenarioHelper) PopulateUserTable(ctx context.Context, tableName string) { log.Printf("First, let's add some users to the DynamoDB %v table we'll use for this example.\n", tableName) err := helper.dynamoActor.PopulateTable(ctx, tableName) if err != nil { panic(err) } } // GetKnownUsers gets the users from the known users table in a structured format. func (helper ScenarioHelper) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) { knownUsers, err := helper.dynamoActor.Scan(ctx, tableName) if err != nil { log.Printf("Couldn't get known users from table %v. Here's why: %v\n", tableName, err) } return knownUsers, err } // AddKnownUser adds a user to the known users table. func (helper ScenarioHelper) AddKnownUser(ctx context.Context, tableName string, user actions.User) { log.Printf("Adding user '%v' with email '%v' to the DynamoDB known users table...\n", user.UserName, user.UserEmail) err := helper.dynamoActor.AddUser(ctx, tableName, user) if err != nil { panic(err) } } // ListRecentLogEvents gets the most recent log stream and events for the specified Lambda function and displays them. func (helper ScenarioHelper) ListRecentLogEvents(ctx context.Context, functionName string) { log.Println("Waiting a few seconds to let Lambda write to CloudWatch Logs...") helper.Pause(10) log.Println("Okay, let's check the logs to find what's happened recently with your Lambda function.") logStream, err := helper.cwlActor.GetLatestLogStream(ctx, functionName) if err != nil { panic(err) } log.Printf("Getting some recent events from log stream %v\n", *logStream.LogStreamName) events, err := helper.cwlActor.GetLogEvents(ctx, functionName, *logStream.LogStreamName, 10) if err != nil { panic(err) } for _, event := range events { log.Printf("\t%v", *event.Message) } log.Println(strings.Repeat("-", 88)) } ``` Create a struct that wraps Amazon Cognito actions. ``` import ( "context" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types" ) type CognitoActions struct { CognitoClient *cognitoidentityprovider.Client } // Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger. type Trigger int const ( PreSignUp Trigger = iota UserMigration PostAuthentication ) type TriggerInfo struct { Trigger Trigger HandlerArn *string } // UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value, // it is removed from the user pool. func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error { output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{ UserPoolId: aws.String(userPoolId), }) if err != nil { log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err) return err } lambdaConfig := output.UserPool.LambdaConfig for _, trigger := range triggers { switch trigger.Trigger { case PreSignUp: lambdaConfig.PreSignUp = trigger.HandlerArn case UserMigration: lambdaConfig.UserMigration = trigger.HandlerArn case PostAuthentication: lambdaConfig.PostAuthentication = trigger.HandlerArn } } _, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{ UserPoolId: aws.String(userPoolId), LambdaConfig: lambdaConfig, }) if err != nil { log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err) } return err } // SignUp signs up a user with Amazon Cognito. func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) { confirmed := false output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{ ClientId: aws.String(clientId), Password: aws.String(password), Username: aws.String(userName), UserAttributes: []types.AttributeType{ {Name: aws.String("email"), Value: aws.String(userEmail)}, }, }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err) } } else { confirmed = output.UserConfirmed } return confirmed, err } // SignIn signs in a user to Amazon Cognito using a username and password authentication flow. func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) { var authResult *types.AuthenticationResultType output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{ AuthFlow: "USER_PASSWORD_AUTH", ClientId: aws.String(clientId), AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password}, }) if err != nil { var resetRequired *types.PasswordResetRequiredException if errors.As(err, &resetRequired) { log.Println(*resetRequired.Message) } else { log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err) } } else { authResult = output.AuthenticationResult } return authResult, err } // ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code // to the user's configured notification destination, such as email. func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) { output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{ ClientId: aws.String(clientId), Username: aws.String(userName), }) if err != nil { log.Printf("Couldn't start password reset for user '%v'. Here;s why: %v\n", userName, err) } return output.CodeDeliveryDetails, err } // ConfirmForgotPassword confirms a user with a confirmation code and a new password. func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error { _, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{ ClientId: aws.String(clientId), ConfirmationCode: aws.String(code), Password: aws.String(password), Username: aws.String(userName), }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err) } } return err } // DeleteUser removes a user from the user pool. func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error { _, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{ AccessToken: aws.String(userAccessToken), }) if err != nil { log.Printf("Couldn't delete user. Here's why: %v\n", err) } return err } // AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user // in a state that requires they enter a new password next time they sign in. func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error { _, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{ UserPoolId: aws.String(userPoolId), Username: aws.String(userName), MessageAction: types.MessageActionTypeSuppress, UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}}, }) if err != nil { var userExists *types.UsernameExistsException if errors.As(err, &userExists) { log.Printf("User %v already exists in the user pool.", userName) err = nil } else { log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err) } } return err } // AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a // temporary password. func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error { _, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{ Password: aws.String(password), UserPoolId: aws.String(userPoolId), Username: aws.String(userName), Permanent: true, }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err) } } return err } ``` Create a struct that wraps DynamoDB actions. ``` import ( "context" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue" "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" ) // DynamoActions encapsulates the Amazon Simple Notification Service (Amazon SNS) actions // used in the examples. type DynamoActions struct { DynamoClient *dynamodb.Client } // User defines structured user data. type User struct { UserName string UserEmail string LastLogin *LoginInfo `dynamodbav:",omitempty"` } // LoginInfo defines structured custom login data. type LoginInfo struct { UserPoolId string ClientId string Time string } // UserList defines a list of users. type UserList struct { Users []User } // UserNameList returns the usernames contained in a UserList as a list of strings. func (users *UserList) UserNameList() []string { names := make([]string, len(users.Users)) for i := 0; i < len(users.Users); i++ { names[i] = users.Users[i].UserName } return names } // PopulateTable adds a set of test users to the table. func (actor DynamoActions) PopulateTable(ctx context.Context, tableName string) error { var err error var item map[string]types.AttributeValue var writeReqs []types.WriteRequest for i := 1; i < 4; i++ { item, err = attributevalue.MarshalMap(User{UserName: fmt.Sprintf("test_user_%v", i), UserEmail: fmt.Sprintf("test_email_%v@example.com", i)}) if err != nil { log.Printf("Couldn't marshall user into DynamoDB format. Here's why: %v\n", err) return err } writeReqs = append(writeReqs, types.WriteRequest{PutRequest: &types.PutRequest{Item: item}}) } _, err = actor.DynamoClient.BatchWriteItem(ctx, &dynamodb.BatchWriteItemInput{ RequestItems: map[string][]types.WriteRequest{tableName: writeReqs}, }) if err != nil { log.Printf("Couldn't populate table %v with users. Here's why: %v\n", tableName, err) } return err } // Scan scans the table for all items. func (actor DynamoActions) Scan(ctx context.Context, tableName string) (UserList, error) { var userList UserList output, err := actor.DynamoClient.Scan(ctx, &dynamodb.ScanInput{ TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't scan table %v for items. Here's why: %v\n", tableName, err) } else { err = attributevalue.UnmarshalListOfMaps(output.Items, &userList.Users) if err != nil { log.Printf("Couldn't unmarshal items into users. Here's why: %v\n", err) } } return userList, err } // AddUser adds a user item to a table. func (actor DynamoActions) AddUser(ctx context.Context, tableName string, user User) error { userItem, err := attributevalue.MarshalMap(user) if err != nil { log.Printf("Couldn't marshall user to item. Here's why: %v\n", err) } _, err = actor.DynamoClient.PutItem(ctx, &dynamodb.PutItemInput{ Item: userItem, TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't put item in table %v. Here's why: %v", tableName, err) } return err } ``` Create a struct that wraps CloudWatch Logs actions. ``` import ( "context" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types" ) type CloudWatchLogsActions struct { CwlClient *cloudwatchlogs.Client } // GetLatestLogStream gets the most recent log stream for a Lambda function. func (actor CloudWatchLogsActions) GetLatestLogStream(ctx context.Context, functionName string) (types.LogStream, error) { var logStream types.LogStream logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName) output, err := actor.CwlClient.DescribeLogStreams(ctx, &cloudwatchlogs.DescribeLogStreamsInput{ Descending: aws.Bool(true), Limit: aws.Int32(1), LogGroupName: aws.String(logGroupName), OrderBy: types.OrderByLastEventTime, }) if err != nil { log.Printf("Couldn't get log streams for log group %v. Here's why: %v\n", logGroupName, err) } else { logStream = output.LogStreams[0] } return logStream, err } // GetLogEvents gets the most recent eventCount events from the specified log stream. func (actor CloudWatchLogsActions) GetLogEvents(ctx context.Context, functionName string, logStreamName string, eventCount int32) ( []types.OutputLogEvent, error) { var events []types.OutputLogEvent logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName) output, err := actor.CwlClient.GetLogEvents(ctx, &cloudwatchlogs.GetLogEventsInput{ LogStreamName: aws.String(logStreamName), Limit: aws.Int32(eventCount), LogGroupName: aws.String(logGroupName), }) if err != nil { log.Printf("Couldn't get log event for log stream %v. Here's why: %v\n", logStreamName, err) } else { events = output.Events } return events, err } ``` Create a struct that wraps CloudFormation actions. ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudformation" ) // StackOutputs defines a map of outputs from a specific stack. type StackOutputs map[string]string type CloudFormationActions struct { CfnClient *cloudformation.Client } // GetOutputs gets the outputs from a CloudFormation stack and puts them into a structured format. func (actor CloudFormationActions) GetOutputs(ctx context.Context, stackName string) StackOutputs { output, err := actor.CfnClient.DescribeStacks(ctx, &cloudformation.DescribeStacksInput{ StackName: aws.String(stackName), }) if err != nil || len(output.Stacks) == 0 { log.Panicf("Couldn't find a CloudFormation stack named %v. Here's why: %v\n", stackName, err) } stackOutputs := StackOutputs{} for _, out := range output.Stacks[0].Outputs { stackOutputs[*out.OutputKey] = *out.OutputValue } return stackOutputs } ``` Clean up resources. ``` import ( "context" "log" "user_pools_and_lambda_triggers/actions" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // Resources keeps track of AWS resources created during an example and handles // cleanup when the example finishes. type Resources struct { userPoolId string userAccessTokens []string triggers []actions.Trigger cognitoActor *actions.CognitoActions questioner demotools.IQuestioner } func (resources *Resources) init(cognitoActor *actions.CognitoActions, questioner demotools.IQuestioner) { resources.userAccessTokens = []string{} resources.triggers = []actions.Trigger{} resources.cognitoActor = cognitoActor resources.questioner = questioner } // Cleanup deletes all AWS resources created during an example. func (resources *Resources) Cleanup(ctx context.Context) { defer func() { if r := recover(); r != nil { log.Printf("Something went wrong during cleanup.\n%v\n", r) log.Println("Use the AWS Management Console to remove any remaining resources \n" + "that were created for this scenario.") } }() wantDelete := resources.questioner.AskBool("Do you want to remove all of the AWS resources that were created "+ "during this demo (y/n)?", "y") if wantDelete { for _, accessToken := range resources.userAccessTokens { err := resources.cognitoActor.DeleteUser(ctx, accessToken) if err != nil { log.Println("Couldn't delete user during cleanup.") panic(err) } log.Println("Deleted user.") } triggerList := make([]actions.TriggerInfo, len(resources.triggers)) for i := 0; i < len(resources.triggers); i++ { triggerList[i] = actions.TriggerInfo{Trigger: resources.triggers[i], HandlerArn: nil} } err := resources.cognitoActor.UpdateTriggers(ctx, resources.userPoolId, triggerList...) if err != nil { log.Println("Couldn't update Cognito triggers during cleanup.") panic(err) } log.Println("Removed Cognito triggers from user pool.") } else { log.Println("Be sure to remove resources when you're done with them to avoid unexpected charges!") } } ``` + For API details, see the following topics in *AWS SDK for Go API Reference*. + [ConfirmForgotPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ConfirmForgotPassword) + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser) + [ForgotPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ForgotPassword) + [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth) + [SignUp](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.SignUp) + [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool) ------ For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions. # Sign up a user with an Amazon Cognito user pool that requires MFA using an AWS SDK Sign up a user with a user pool that requires MFA The following code examples show how to: + Sign up and confirm a user with a username, password, and email address. + Set up multi-factor authentication by associating an MFA application with the user. + Sign in by using a password and an MFA code. ------ #### [ .NET ] **SDK for .NET** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples). ``` namespace CognitoBasics; public class CognitoBasics { private static ILogger logger = null!; static async Task Main(string[] args) { // Set up dependency injection for Amazon Cognito. using var host = Host.CreateDefaultBuilder(args) .ConfigureLogging(logging => logging.AddFilter("System", LogLevel.Debug) .AddFilter("Microsoft", LogLevel.Information) .AddFilter("Microsoft", LogLevel.Trace)) .ConfigureServices((_, services) => services.AddAWSService() .AddTransient() ) .Build(); logger = LoggerFactory.Create(builder => { builder.AddConsole(); }) .CreateLogger(); var configuration = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("settings.json") // Load settings from .json file. .AddJsonFile("settings.local.json", true) // Optionally load local settings. .Build(); var cognitoWrapper = host.Services.GetRequiredService(); Console.WriteLine(new string('-', 80)); UiMethods.DisplayOverview(); Console.WriteLine(new string('-', 80)); // clientId - The app client Id value that you get from the AWS CDK script. var clientId = configuration["ClientId"]; // "*** REPLACE WITH CLIENT ID VALUE FROM CDK SCRIPT"; // poolId - The pool Id that you get from the AWS CDK script. var poolId = configuration["PoolId"]!; // "*** REPLACE WITH POOL ID VALUE FROM CDK SCRIPT"; var userName = configuration["UserName"]; var password = configuration["Password"]; var email = configuration["Email"]; // If the username wasn't set in the configuration file, // get it from the user now. if (userName is null) { do { Console.Write("Username: "); userName = Console.ReadLine(); } while (string.IsNullOrEmpty(userName)); } Console.WriteLine($"\nUsername: {userName}"); // If the password wasn't set in the configuration file, // get it from the user now. if (password is null) { do { Console.Write("Password: "); password = Console.ReadLine(); } while (string.IsNullOrEmpty(password)); } // If the email address wasn't set in the configuration file, // get it from the user now. if (email is null) { do { Console.Write("Email: "); email = Console.ReadLine(); } while (string.IsNullOrEmpty(email)); } // Now sign up the user. Console.WriteLine($"\nSigning up {userName} with email address: {email}"); await cognitoWrapper.SignUpAsync(clientId, userName, password, email); // Add the user to the user pool. Console.WriteLine($"Adding {userName} to the user pool"); await cognitoWrapper.GetAdminUserAsync(userName, poolId); UiMethods.DisplayTitle("Get confirmation code"); Console.WriteLine($"Conformation code sent to {userName}."); Console.Write("Would you like to send a new code? (Y/N) "); var answer = Console.ReadLine(); if (answer!.ToLower() == "y") { await cognitoWrapper.ResendConfirmationCodeAsync(clientId, userName); Console.WriteLine("Sending a new confirmation code"); } Console.Write("Enter confirmation code (from Email): "); var code = Console.ReadLine(); await cognitoWrapper.ConfirmSignupAsync(clientId, code, userName); UiMethods.DisplayTitle("Checking status"); Console.WriteLine($"Rechecking the status of {userName} in the user pool"); await cognitoWrapper.GetAdminUserAsync(userName, poolId); Console.WriteLine($"Setting up authenticator for {userName} in the user pool"); var setupResponse = await cognitoWrapper.InitiateAuthAsync(clientId, userName, password); var setupSession = await cognitoWrapper.AssociateSoftwareTokenAsync(setupResponse.Session); Console.Write("Enter the 6-digit code displayed in Google Authenticator: "); var setupCode = Console.ReadLine(); var setupResult = await cognitoWrapper.VerifySoftwareTokenAsync(setupSession, setupCode); Console.WriteLine($"Setup status: {setupResult}"); Console.WriteLine($"Now logging in {userName} in the user pool"); var authSession = await cognitoWrapper.AdminInitiateAuthAsync(clientId, poolId, userName, password); Console.Write("Enter a new 6-digit code displayed in Google Authenticator: "); var authCode = Console.ReadLine(); var authResult = await cognitoWrapper.AdminRespondToAuthChallengeAsync(userName, clientId, authCode, authSession, poolId); Console.WriteLine($"Authenticated and received access token: {authResult.AccessToken}"); Console.WriteLine(new string('-', 80)); Console.WriteLine("Cognito scenario is complete."); Console.WriteLine(new string('-', 80)); } } using System.Net; namespace CognitoActions; /// /// Methods to perform Amazon Cognito Identity Provider actions. /// public class CognitoWrapper { private readonly IAmazonCognitoIdentityProvider _cognitoService; /// /// Constructor for the wrapper class containing Amazon Cognito actions. /// /// The Amazon Cognito client object. public CognitoWrapper(IAmazonCognitoIdentityProvider cognitoService) { _cognitoService = cognitoService; } /// /// List the Amazon Cognito user pools for an account. /// /// A list of UserPoolDescriptionType objects. public async Task> ListUserPoolsAsync() { var userPools = new List(); var userPoolsPaginator = _cognitoService.Paginators.ListUserPools(new ListUserPoolsRequest()); await foreach (var response in userPoolsPaginator.Responses) { userPools.AddRange(response.UserPools); } return userPools; } /// /// Get a list of users for the Amazon Cognito user pool. /// /// The user pool ID. /// A list of users. public async Task> ListUsersAsync(string userPoolId) { var request = new ListUsersRequest { UserPoolId = userPoolId }; var users = new List(); var usersPaginator = _cognitoService.Paginators.ListUsers(request); await foreach (var response in usersPaginator.Responses) { users.AddRange(response.Users); } return users; } /// /// Respond to an admin authentication challenge. /// /// The name of the user. /// The client ID. /// The multi-factor authentication code. /// The current application session. /// The user pool ID. /// The result of the authentication response. public async Task AdminRespondToAuthChallengeAsync( string userName, string clientId, string mfaCode, string session, string userPoolId) { Console.WriteLine("SOFTWARE_TOKEN_MFA challenge is generated"); var challengeResponses = new Dictionary(); challengeResponses.Add("USERNAME", userName); challengeResponses.Add("SOFTWARE_TOKEN_MFA_CODE", mfaCode); var respondToAuthChallengeRequest = new AdminRespondToAuthChallengeRequest { ChallengeName = ChallengeNameType.SOFTWARE_TOKEN_MFA, ClientId = clientId, ChallengeResponses = challengeResponses, Session = session, UserPoolId = userPoolId, }; var response = await _cognitoService.AdminRespondToAuthChallengeAsync(respondToAuthChallengeRequest); Console.WriteLine($"Response to Authentication {response.AuthenticationResult.TokenType}"); return response.AuthenticationResult; } /// /// Verify the TOTP and register for MFA. /// /// The name of the session. /// The MFA code. /// The status of the software token. public async Task VerifySoftwareTokenAsync(string session, string code) { var tokenRequest = new VerifySoftwareTokenRequest { UserCode = code, Session = session, }; var verifyResponse = await _cognitoService.VerifySoftwareTokenAsync(tokenRequest); return verifyResponse.Status; } /// /// Get an MFA token to authenticate the user with the authenticator. /// /// The session name. /// The session name. public async Task AssociateSoftwareTokenAsync(string session) { var softwareTokenRequest = new AssociateSoftwareTokenRequest { Session = session, }; var tokenResponse = await _cognitoService.AssociateSoftwareTokenAsync(softwareTokenRequest); var secretCode = tokenResponse.SecretCode; Console.WriteLine($"Use the following secret code to set up the authenticator: {secretCode}"); return tokenResponse.Session; } /// /// Initiate an admin auth request. /// /// The client ID to use. /// The ID of the user pool. /// The username to authenticate. /// The user's password. /// The session to use in challenge-response. public async Task AdminInitiateAuthAsync(string clientId, string userPoolId, string userName, string password) { var authParameters = new Dictionary(); authParameters.Add("USERNAME", userName); authParameters.Add("PASSWORD", password); var request = new AdminInitiateAuthRequest { ClientId = clientId, UserPoolId = userPoolId, AuthParameters = authParameters, AuthFlow = AuthFlowType.ADMIN_USER_PASSWORD_AUTH, }; var response = await _cognitoService.AdminInitiateAuthAsync(request); return response.Session; } /// /// Initiate authorization. /// /// The client Id of the application. /// The name of the user who is authenticating. /// The password for the user who is authenticating. /// The response from the initiate auth request. public async Task InitiateAuthAsync(string clientId, string userName, string password) { var authParameters = new Dictionary(); authParameters.Add("USERNAME", userName); authParameters.Add("PASSWORD", password); var authRequest = new InitiateAuthRequest { ClientId = clientId, AuthParameters = authParameters, AuthFlow = AuthFlowType.USER_PASSWORD_AUTH, }; var response = await _cognitoService.InitiateAuthAsync(authRequest); Console.WriteLine($"Result Challenge is : {response.ChallengeName}"); return response; } /// /// Confirm that the user has signed up. /// /// The Id of this application. /// The confirmation code sent to the user. /// The username. /// True if successful. public async Task ConfirmSignupAsync(string clientId, string code, string userName) { var signUpRequest = new ConfirmSignUpRequest { ClientId = clientId, ConfirmationCode = code, Username = userName, }; var response = await _cognitoService.ConfirmSignUpAsync(signUpRequest); if (response.HttpStatusCode == HttpStatusCode.OK) { Console.WriteLine($"{userName} was confirmed"); return true; } return false; } /// /// Initiates and confirms tracking of the device. /// /// The user's access token. /// The key of the device from Amazon Cognito. /// The device name. /// public async Task ConfirmDeviceAsync(string accessToken, string deviceKey, string deviceName) { var request = new ConfirmDeviceRequest { AccessToken = accessToken, DeviceKey = deviceKey, DeviceName = deviceName }; var response = await _cognitoService.ConfirmDeviceAsync(request); return response.UserConfirmationNecessary; } /// /// Send a new confirmation code to a user. /// /// The Id of the client application. /// The username of user who will receive the code. /// The delivery details. public async Task ResendConfirmationCodeAsync(string clientId, string userName) { var codeRequest = new ResendConfirmationCodeRequest { ClientId = clientId, Username = userName, }; var response = await _cognitoService.ResendConfirmationCodeAsync(codeRequest); Console.WriteLine($"Method of delivery is {response.CodeDeliveryDetails.DeliveryMedium}"); return response.CodeDeliveryDetails; } /// /// Get the specified user from an Amazon Cognito user pool with administrator access. /// /// The name of the user. /// The Id of the Amazon Cognito user pool. /// Async task. public async Task GetAdminUserAsync(string userName, string poolId) { AdminGetUserRequest userRequest = new AdminGetUserRequest { Username = userName, UserPoolId = poolId, }; var response = await _cognitoService.AdminGetUserAsync(userRequest); Console.WriteLine($"User status {response.UserStatus}"); return response.UserStatus; } /// /// Sign up a new user. /// /// The client Id of the application. /// The username to use. /// The user's password. /// The email address of the user. /// A Boolean value indicating whether the user was confirmed. public async Task SignUpAsync(string clientId, string userName, string password, string email) { var userAttrs = new AttributeType { Name = "email", Value = email, }; var userAttrsList = new List(); userAttrsList.Add(userAttrs); var signUpRequest = new SignUpRequest { UserAttributes = userAttrsList, Username = userName, ClientId = clientId, Password = password }; var response = await _cognitoService.SignUpAsync(signUpRequest); return response.HttpStatusCode == HttpStatusCode.OK; } } ``` + For API details, see the following topics in *AWS SDK for .NET API Reference*. + [AdminGetUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminGetUser) + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminInitiateAuth) + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AssociateSoftwareToken) + [ConfirmDevice](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ConfirmDevice) + [ConfirmSignUp](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ConfirmSignUp) + [InitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/InitiateAuth) + [ListUsers](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ListUsers) + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ResendConfirmationCode) + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/RespondToAuthChallenge) + [SignUp](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/SignUp) + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/VerifySoftwareToken) ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples). ``` Aws::Client::ClientConfiguration clientConfig; // Optional: Set to the AWS Region (overrides config file). // clientConfig.region = "us-east-1"; //! Scenario that adds a user to an Amazon Cognito user pool. /*! \sa gettingStartedWithUserPools() \param clientID: Client ID associated with an Amazon Cognito user pool. \param userPoolID: An Amazon Cognito user pool ID. \param clientConfig: Aws client configuration. \return bool: Successful completion. */ bool AwsDoc::Cognito::gettingStartedWithUserPools(const Aws::String &clientID, const Aws::String &userPoolID, const Aws::Client::ClientConfiguration &clientConfig) { printAsterisksLine(); std::cout << "Welcome to the Amazon Cognito example scenario." << std::endl; printAsterisksLine(); std::cout << "This scenario will add a user to an Amazon Cognito user pool." << std::endl; const Aws::String userName = askQuestion("Enter a new username: "); const Aws::String password = askQuestion("Enter a new password: "); const Aws::String email = askQuestion("Enter a valid email for the user: "); std::cout << "Signing up " << userName << std::endl; Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig); bool userExists = false; do { // 1. Add a user with a username, password, and email address. Aws::CognitoIdentityProvider::Model::SignUpRequest request; request.AddUserAttributes( Aws::CognitoIdentityProvider::Model::AttributeType().WithName( "email").WithValue(email)); request.SetUsername(userName); request.SetPassword(password); request.SetClientId(clientID); Aws::CognitoIdentityProvider::Model::SignUpOutcome outcome = client.SignUp(request); if (outcome.IsSuccess()) { std::cout << "The signup request for " << userName << " was successful." << std::endl; } else if (outcome.GetError().GetErrorType() == Aws::CognitoIdentityProvider::CognitoIdentityProviderErrors::USERNAME_EXISTS) { std::cout << "The username already exists. Please enter a different username." << std::endl; userExists = true; } else { std::cerr << "Error with CognitoIdentityProvider::SignUpRequest. " << outcome.GetError().GetMessage() << std::endl; return false; } } while (userExists); printAsterisksLine(); std::cout << "Retrieving status of " << userName << " in the user pool." << std::endl; // 2. Confirm that the user was added to the user pool. if (!checkAdminUserStatus(userName, userPoolID, client)) { return false; } std::cout << "A confirmation code was sent to " << email << "." << std::endl; bool resend = askYesNoQuestion("Would you like to send a new code? (y/n) "); if (resend) { // Request a resend of the confirmation code to the email address. (ResendConfirmationCode) Aws::CognitoIdentityProvider::Model::ResendConfirmationCodeRequest request; request.SetUsername(userName); request.SetClientId(clientID); Aws::CognitoIdentityProvider::Model::ResendConfirmationCodeOutcome outcome = client.ResendConfirmationCode(request); if (outcome.IsSuccess()) { std::cout << "CognitoIdentityProvider::ResendConfirmationCode was successful." << std::endl; } else { std::cerr << "Error with CognitoIdentityProvider::ResendConfirmationCode. " << outcome.GetError().GetMessage() << std::endl; return false; } } printAsterisksLine(); { // 4. Send the confirmation code that's received in the email. (ConfirmSignUp) const Aws::String confirmationCode = askQuestion( "Enter the confirmation code that was emailed: "); Aws::CognitoIdentityProvider::Model::ConfirmSignUpRequest request; request.SetClientId(clientID); request.SetConfirmationCode(confirmationCode); request.SetUsername(userName); Aws::CognitoIdentityProvider::Model::ConfirmSignUpOutcome outcome = client.ConfirmSignUp(request); if (outcome.IsSuccess()) { std::cout << "ConfirmSignup was Successful." << std::endl; } else { std::cerr << "Error with CognitoIdentityProvider::ConfirmSignUp. " << outcome.GetError().GetMessage() << std::endl; return false; } } std::cout << "Rechecking the status of " << userName << " in the user pool." << std::endl; if (!checkAdminUserStatus(userName, userPoolID, client)) { return false; } printAsterisksLine(); std::cout << "Initiating authorization using the username and password." << std::endl; Aws::String session; // 5. Initiate authorization with username and password. (AdminInitiateAuth) if (!adminInitiateAuthorization(clientID, userPoolID, userName, password, session, client)) { return false; } printAsterisksLine(); std::cout << "Starting setup of time-based one-time password (TOTP) multi-factor authentication (MFA)." << std::endl; { // 6. Request a setup key for one-time password (TOTP) // multi-factor authentication (MFA). (AssociateSoftwareToken) Aws::CognitoIdentityProvider::Model::AssociateSoftwareTokenRequest request; request.SetSession(session); Aws::CognitoIdentityProvider::Model::AssociateSoftwareTokenOutcome outcome = client.AssociateSoftwareToken(request); if (outcome.IsSuccess()) { std::cout << "Enter this setup key into an authenticator app, for example Google Authenticator." << std::endl; std::cout << "Setup key: " << outcome.GetResult().GetSecretCode() << std::endl; #ifdef USING_QR printAsterisksLine(); std::cout << "\nOr scan the QR code in the file '" << QR_CODE_PATH << "." << std::endl; saveQRCode(std::string("otpauth://totp/") + userName + "?secret=" + outcome.GetResult().GetSecretCode()); #endif // USING_QR session = outcome.GetResult().GetSession(); } else { std::cerr << "Error with CognitoIdentityProvider::AssociateSoftwareToken. " << outcome.GetError().GetMessage() << std::endl; return false; } } askQuestion("Type enter to continue...", alwaysTrueTest); printAsterisksLine(); { Aws::String userCode = askQuestion( "Enter the 6 digit code displayed in the authenticator app: "); // 7. Send the MFA code copied from an authenticator app. (VerifySoftwareToken) Aws::CognitoIdentityProvider::Model::VerifySoftwareTokenRequest request; request.SetUserCode(userCode); request.SetSession(session); Aws::CognitoIdentityProvider::Model::VerifySoftwareTokenOutcome outcome = client.VerifySoftwareToken(request); if (outcome.IsSuccess()) { std::cout << "Verification of the code was successful." << std::endl; session = outcome.GetResult().GetSession(); } else { std::cerr << "Error with CognitoIdentityProvider::VerifySoftwareToken. " << outcome.GetError().GetMessage() << std::endl; return false; } } printAsterisksLine(); std::cout << "You have completed the MFA authentication setup." << std::endl; std::cout << "Now, sign in." << std::endl; // 8. Initiate authorization again with username and password. (AdminInitiateAuth) if (!adminInitiateAuthorization(clientID, userPoolID, userName, password, session, client)) { return false; } Aws::String accessToken; { Aws::String mfaCode = askQuestion( "Re-enter the 6 digit code displayed in the authenticator app: "); // 9. Send a new MFA code copied from an authenticator app. (AdminRespondToAuthChallenge) Aws::CognitoIdentityProvider::Model::AdminRespondToAuthChallengeRequest request; request.AddChallengeResponses("USERNAME", userName); request.AddChallengeResponses("SOFTWARE_TOKEN_MFA_CODE", mfaCode); request.SetChallengeName( Aws::CognitoIdentityProvider::Model::ChallengeNameType::SOFTWARE_TOKEN_MFA); request.SetClientId(clientID); request.SetUserPoolId(userPoolID); request.SetSession(session); Aws::CognitoIdentityProvider::Model::AdminRespondToAuthChallengeOutcome outcome = client.AdminRespondToAuthChallenge(request); if (outcome.IsSuccess()) { std::cout << "Here is the response to the challenge.\n" << outcome.GetResult().GetAuthenticationResult().Jsonize().View().WriteReadable() << std::endl; accessToken = outcome.GetResult().GetAuthenticationResult().GetAccessToken(); } else { std::cerr << "Error with CognitoIdentityProvider::AdminRespondToAuthChallenge. " << outcome.GetError().GetMessage() << std::endl; return false; } std::cout << "You have successfully added a user to Amazon Cognito." << std::endl; } if (askYesNoQuestion("Would you like to delete the user that you just added? (y/n) ")) { // 10. Delete the user that you just added. (DeleteUser) Aws::CognitoIdentityProvider::Model::DeleteUserRequest request; request.SetAccessToken(accessToken); Aws::CognitoIdentityProvider::Model::DeleteUserOutcome outcome = client.DeleteUser(request); if (outcome.IsSuccess()) { std::cout << "The user " << userName << " was deleted." << std::endl; } else { std::cerr << "Error with CognitoIdentityProvider::DeleteUser. " << outcome.GetError().GetMessage() << std::endl; } } return true; } //! Routine which checks the user status in an Amazon Cognito user pool. /*! \sa checkAdminUserStatus() \param userName: A username. \param userPoolID: An Amazon Cognito user pool ID. \return bool: Successful completion. */ bool AwsDoc::Cognito::checkAdminUserStatus(const Aws::String &userName, const Aws::String &userPoolID, const Aws::CognitoIdentityProvider::CognitoIdentityProviderClient &client) { Aws::CognitoIdentityProvider::Model::AdminGetUserRequest request; request.SetUsername(userName); request.SetUserPoolId(userPoolID); Aws::CognitoIdentityProvider::Model::AdminGetUserOutcome outcome = client.AdminGetUser(request); if (outcome.IsSuccess()) { std::cout << "The status for " << userName << " is " << Aws::CognitoIdentityProvider::Model::UserStatusTypeMapper::GetNameForUserStatusType( outcome.GetResult().GetUserStatus()) << std::endl; std::cout << "Enabled is " << outcome.GetResult().GetEnabled() << std::endl; } else { std::cerr << "Error with CognitoIdentityProvider::AdminGetUser. " << outcome.GetError().GetMessage() << std::endl; } return outcome.IsSuccess(); } //! Routine which starts authorization of an Amazon Cognito user. //! This routine requires administrator credentials. /*! \sa adminInitiateAuthorization() \param clientID: Client ID of tracked device. \param userPoolID: An Amazon Cognito user pool ID. \param userName: A username. \param password: A password. \param sessionResult: String to receive a session token. \return bool: Successful completion. */ bool AwsDoc::Cognito::adminInitiateAuthorization(const Aws::String &clientID, const Aws::String &userPoolID, const Aws::String &userName, const Aws::String &password, Aws::String &sessionResult, const Aws::CognitoIdentityProvider::CognitoIdentityProviderClient &client) { Aws::CognitoIdentityProvider::Model::AdminInitiateAuthRequest request; request.SetClientId(clientID); request.SetUserPoolId(userPoolID); request.AddAuthParameters("USERNAME", userName); request.AddAuthParameters("PASSWORD", password); request.SetAuthFlow( Aws::CognitoIdentityProvider::Model::AuthFlowType::ADMIN_USER_PASSWORD_AUTH); Aws::CognitoIdentityProvider::Model::AdminInitiateAuthOutcome outcome = client.AdminInitiateAuth(request); if (outcome.IsSuccess()) { std::cout << "Call to AdminInitiateAuth was successful." << std::endl; sessionResult = outcome.GetResult().GetSession(); } else { std::cerr << "Error with CognitoIdentityProvider::AdminInitiateAuth. " << outcome.GetError().GetMessage() << std::endl; } return outcome.IsSuccess(); } ``` + For API details, see the following topics in *AWS SDK for C\$1\$1 API Reference*. + [AdminGetUser](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminGetUser) + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminInitiateAuth) + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AssociateSoftwareToken) + [ConfirmDevice](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmDevice) + [ConfirmSignUp](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmSignUp) + [InitiateAuth](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/InitiateAuth) + [ListUsers](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUsers) + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ResendConfirmationCode) + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/RespondToAuthChallenge) + [SignUp](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SignUp) + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/VerifySoftwareToken) ------ #### [ Java ] **SDK for Java 2.x** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples). ``` import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient; import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse; import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse; import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminRespondToAuthChallengeRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminRespondToAuthChallengeResponse; import software.amazon.awssdk.services.cognitoidentityprovider.model.AssociateSoftwareTokenRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.AssociateSoftwareTokenResponse; import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType; import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType; import software.amazon.awssdk.services.cognitoidentityprovider.model.ChallengeNameType; import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException; import software.amazon.awssdk.services.cognitoidentityprovider.model.ConfirmSignUpRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.ResendConfirmationCodeRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.ResendConfirmationCodeResponse; import software.amazon.awssdk.services.cognitoidentityprovider.model.SignUpRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.VerifySoftwareTokenRequest; import software.amazon.awssdk.services.cognitoidentityprovider.model.VerifySoftwareTokenResponse; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Scanner; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html * * TIP: To set up the required user pool, run the AWS Cloud Development Kit (AWS * CDK) script provided in this GitHub repo at * resources/cdk/cognito_scenario_user_pool_with_mfa. * * This code example performs the following operations: * * 1. Invokes the signUp method to sign up a user. * 2. Invokes the adminGetUser method to get the user's confirmation status. * 3. Invokes the ResendConfirmationCode method if the user requested another * code. * 4. Invokes the confirmSignUp method. * 5. Invokes the AdminInitiateAuth to sign in. This results in being prompted * to set up TOTP (time-based one-time password). (The response is * “ChallengeName”: “MFA_SETUP”). * 6. Invokes the AssociateSoftwareToken method to generate a TOTP MFA private * key. This can be used with Google Authenticator. * 7. Invokes the VerifySoftwareToken method to verify the TOTP and register for * MFA. * 8. Invokes the AdminInitiateAuth to sign in again. This results in being * prompted to submit a TOTP (Response: “ChallengeName”: “SOFTWARE_TOKEN_MFA”). * 9. Invokes the AdminRespondToAuthChallenge to get back a token. */ public class CognitoMVP { public static final String DASHES = new String(new char[80]).replace("\0", "-"); public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException { final String usage = """ Usage: Where: clientId - The app client Id value that you can get from the AWS CDK script. poolId - The pool Id that you can get from the AWS CDK script.\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String clientId = args[0]; String poolId = args[1]; CognitoIdentityProviderClient identityProviderClient = CognitoIdentityProviderClient.builder() .region(Region.US_EAST_1) .build(); System.out.println(DASHES); System.out.println("Welcome to the Amazon Cognito example scenario."); System.out.println(DASHES); System.out.println(DASHES); System.out.println("*** Enter your user name"); Scanner in = new Scanner(System.in); String userName = in.nextLine(); System.out.println("*** Enter your password"); String password = in.nextLine(); System.out.println("*** Enter your email"); String email = in.nextLine(); System.out.println("1. Signing up " + userName); signUp(identityProviderClient, clientId, userName, password, email); System.out.println(DASHES); System.out.println(DASHES); System.out.println("2. Getting " + userName + " in the user pool"); getAdminUser(identityProviderClient, userName, poolId); System.out .println("*** Conformation code sent to " + userName + ". Would you like to send a new code? (Yes/No)"); System.out.println(DASHES); System.out.println(DASHES); String ans = in.nextLine(); if (ans.compareTo("Yes") == 0) { resendConfirmationCode(identityProviderClient, clientId, userName); System.out.println("3. Sending a new confirmation code"); } System.out.println(DASHES); System.out.println(DASHES); System.out.println("4. Enter confirmation code that was emailed"); String code = in.nextLine(); confirmSignUp(identityProviderClient, clientId, code, userName); System.out.println("Rechecking the status of " + userName + " in the user pool"); getAdminUser(identityProviderClient, userName, poolId); System.out.println(DASHES); System.out.println(DASHES); System.out.println("5. Invokes the initiateAuth to sign in"); AdminInitiateAuthResponse authResponse = initiateAuth(identityProviderClient, clientId, userName, password, poolId); String mySession = authResponse.session(); System.out.println(DASHES); System.out.println(DASHES); System.out.println("6. Invokes the AssociateSoftwareToken method to generate a TOTP key"); String newSession = getSecretForAppMFA(identityProviderClient, mySession); System.out.println(DASHES); System.out.println(DASHES); System.out.println("*** Enter the 6-digit code displayed in Google Authenticator"); String myCode = in.nextLine(); System.out.println(DASHES); System.out.println(DASHES); System.out.println("7. Verify the TOTP and register for MFA"); verifyTOTP(identityProviderClient, newSession, myCode); System.out.println(DASHES); System.out.println(DASHES); System.out.println("8. Re-enter a 6-digit code displayed in Google Authenticator"); String mfaCode = in.nextLine(); AdminInitiateAuthResponse authResponse1 = initiateAuth(identityProviderClient, clientId, userName, password, poolId); System.out.println(DASHES); System.out.println(DASHES); System.out.println("9. Invokes the AdminRespondToAuthChallenge"); String session2 = authResponse1.session(); adminRespondToAuthChallenge(identityProviderClient, userName, clientId, mfaCode, session2); System.out.println(DASHES); System.out.println(DASHES); System.out.println("All Amazon Cognito operations were successfully performed"); System.out.println(DASHES); } // Respond to an authentication challenge. public static void adminRespondToAuthChallenge(CognitoIdentityProviderClient identityProviderClient, String userName, String clientId, String mfaCode, String session) { System.out.println("SOFTWARE_TOKEN_MFA challenge is generated"); Map challengeResponses = new HashMap<>(); challengeResponses.put("USERNAME", userName); challengeResponses.put("SOFTWARE_TOKEN_MFA_CODE", mfaCode); AdminRespondToAuthChallengeRequest respondToAuthChallengeRequest = AdminRespondToAuthChallengeRequest.builder() .challengeName(ChallengeNameType.SOFTWARE_TOKEN_MFA) .clientId(clientId) .challengeResponses(challengeResponses) .session(session) .build(); AdminRespondToAuthChallengeResponse respondToAuthChallengeResult = identityProviderClient .adminRespondToAuthChallenge(respondToAuthChallengeRequest); System.out.println("respondToAuthChallengeResult.getAuthenticationResult()" + respondToAuthChallengeResult.authenticationResult()); } // Verify the TOTP and register for MFA. public static void verifyTOTP(CognitoIdentityProviderClient identityProviderClient, String session, String code) { try { VerifySoftwareTokenRequest tokenRequest = VerifySoftwareTokenRequest.builder() .userCode(code) .session(session) .build(); VerifySoftwareTokenResponse verifyResponse = identityProviderClient.verifySoftwareToken(tokenRequest); System.out.println("The status of the token is " + verifyResponse.statusAsString()); } catch (CognitoIdentityProviderException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } public static AdminInitiateAuthResponse initiateAuth(CognitoIdentityProviderClient identityProviderClient, String clientId, String userName, String password, String userPoolId) { try { Map authParameters = new HashMap<>(); authParameters.put("USERNAME", userName); authParameters.put("PASSWORD", password); AdminInitiateAuthRequest authRequest = AdminInitiateAuthRequest.builder() .clientId(clientId) .userPoolId(userPoolId) .authParameters(authParameters) .authFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH) .build(); AdminInitiateAuthResponse response = identityProviderClient.adminInitiateAuth(authRequest); System.out.println("Result Challenge is : " + response.challengeName()); return response; } catch (CognitoIdentityProviderException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return null; } public static String getSecretForAppMFA(CognitoIdentityProviderClient identityProviderClient, String session) { AssociateSoftwareTokenRequest softwareTokenRequest = AssociateSoftwareTokenRequest.builder() .session(session) .build(); AssociateSoftwareTokenResponse tokenResponse = identityProviderClient .associateSoftwareToken(softwareTokenRequest); String secretCode = tokenResponse.secretCode(); System.out.println("Enter this token into Google Authenticator"); System.out.println(secretCode); return tokenResponse.session(); } public static void confirmSignUp(CognitoIdentityProviderClient identityProviderClient, String clientId, String code, String userName) { try { ConfirmSignUpRequest signUpRequest = ConfirmSignUpRequest.builder() .clientId(clientId) .confirmationCode(code) .username(userName) .build(); identityProviderClient.confirmSignUp(signUpRequest); System.out.println(userName + " was confirmed"); } catch (CognitoIdentityProviderException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } public static void resendConfirmationCode(CognitoIdentityProviderClient identityProviderClient, String clientId, String userName) { try { ResendConfirmationCodeRequest codeRequest = ResendConfirmationCodeRequest.builder() .clientId(clientId) .username(userName) .build(); ResendConfirmationCodeResponse response = identityProviderClient.resendConfirmationCode(codeRequest); System.out.println("Method of delivery is " + response.codeDeliveryDetails().deliveryMediumAsString()); } catch (CognitoIdentityProviderException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } public static void signUp(CognitoIdentityProviderClient identityProviderClient, String clientId, String userName, String password, String email) { AttributeType userAttrs = AttributeType.builder() .name("email") .value(email) .build(); List userAttrsList = new ArrayList<>(); userAttrsList.add(userAttrs); try { SignUpRequest signUpRequest = SignUpRequest.builder() .userAttributes(userAttrsList) .username(userName) .clientId(clientId) .password(password) .build(); identityProviderClient.signUp(signUpRequest); System.out.println("User has been signed up "); } catch (CognitoIdentityProviderException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } public static void getAdminUser(CognitoIdentityProviderClient identityProviderClient, String userName, String poolId) { try { AdminGetUserRequest userRequest = AdminGetUserRequest.builder() .username(userName) .userPoolId(poolId) .build(); AdminGetUserResponse response = identityProviderClient.adminGetUser(userRequest); System.out.println("User status " + response.userStatusAsString()); } catch (CognitoIdentityProviderException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } } } ``` + For API details, see the following topics in *AWS SDK for Java 2.x API Reference*. + [AdminGetUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminGetUser) + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminInitiateAuth) + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AssociateSoftwareToken) + [ConfirmDevice](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmDevice) + [ConfirmSignUp](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmSignUp) + [InitiateAuth](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/InitiateAuth) + [ListUsers](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUsers) + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ResendConfirmationCode) + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/RespondToAuthChallenge) + [SignUp](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SignUp) + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/VerifySoftwareToken) ------ #### [ JavaScript ] **SDK for JavaScript (v3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider/scenarios/basic#code-examples). For the best experience, clone the GitHub repository and run this example. The following code represents a sample of the full example application. ``` import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js"; import { signUp } from "../../../actions/sign-up.js"; import { FILE_USER_POOLS } from "./constants.js"; import { getSecondValuesFromEntries } from "@aws-doc-sdk-examples/lib/utils/util-csv.js"; const validateClient = (clientId) => { if (!clientId) { throw new Error( `App client id is missing. Did you run 'create-user-pool'?`, ); } }; const validateUser = (username, password, email) => { if (!(username && password && email)) { throw new Error( `Username, password, and email must be provided as arguments to the 'sign-up' command.`, ); } }; const signUpHandler = async (commands) => { const [_, username, password, email] = commands; try { validateUser(username, password, email); /** * @type {string[]} */ const values = getSecondValuesFromEntries(FILE_USER_POOLS); const clientId = values[0]; validateClient(clientId); logger.log("Signing up."); await signUp({ clientId, username, password, email }); logger.log(`Signed up. A confirmation email has been sent to: ${email}.`); logger.log( `Run 'confirm-sign-up ${username} ' to confirm your account.`, ); } catch (err) { logger.error(err); } }; export { signUpHandler }; const signUp = ({ clientId, username, password, email }) => { const client = new CognitoIdentityProviderClient({}); const command = new SignUpCommand({ ClientId: clientId, Username: username, Password: password, UserAttributes: [{ Name: "email", Value: email }], }); return client.send(command); }; import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js"; import { confirmSignUp } from "../../../actions/confirm-sign-up.js"; import { FILE_USER_POOLS } from "./constants.js"; import { getSecondValuesFromEntries } from "@aws-doc-sdk-examples/lib/utils/util-csv.js"; const validateClient = (clientId) => { if (!clientId) { throw new Error( `App client id is missing. Did you run 'create-user-pool'?`, ); } }; const validateUser = (username) => { if (!username) { throw new Error( `Username name is missing. It must be provided as an argument to the 'confirm-sign-up' command.`, ); } }; const validateCode = (code) => { if (!code) { throw new Error( `Verification code is missing. It must be provided as an argument to the 'confirm-sign-up' command.`, ); } }; const confirmSignUpHandler = async (commands) => { const [_, username, code] = commands; try { validateUser(username); validateCode(code); /** * @type {string[]} */ const values = getSecondValuesFromEntries(FILE_USER_POOLS); const clientId = values[0]; validateClient(clientId); logger.log("Confirming user."); await confirmSignUp({ clientId, username, code }); logger.log( `User confirmed. Run 'admin-initiate-auth ${username} ' to sign in.`, ); } catch (err) { logger.error(err); } }; export { confirmSignUpHandler }; const confirmSignUp = ({ clientId, username, code }) => { const client = new CognitoIdentityProviderClient({}); const command = new ConfirmSignUpCommand({ ClientId: clientId, Username: username, ConfirmationCode: code, }); return client.send(command); }; import qrcode from "qrcode-terminal"; import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js"; import { adminInitiateAuth } from "../../../actions/admin-initiate-auth.js"; import { associateSoftwareToken } from "../../../actions/associate-software-token.js"; import { FILE_USER_POOLS } from "./constants.js"; import { getFirstEntry } from "@aws-doc-sdk-examples/lib/utils/util-csv.js"; const handleMfaSetup = async (session, username) => { const { SecretCode, Session } = await associateSoftwareToken(session); // Store the Session for use with 'VerifySoftwareToken'. process.env.SESSION = Session; console.log( "Scan this code in your preferred authenticator app, then run 'verify-software-token' to finish the setup.", ); qrcode.generate( `otpauth://totp/${username}?secret=${SecretCode}`, { small: true }, console.log, ); }; const handleSoftwareTokenMfa = (session) => { // Store the Session for use with 'AdminRespondToAuthChallenge'. process.env.SESSION = session; }; const validateClient = (id) => { if (!id) { throw new Error( `User pool client id is missing. Did you run 'create-user-pool'?`, ); } }; const validateId = (id) => { if (!id) { throw new Error(`User pool id is missing. Did you run 'create-user-pool'?`); } }; const validateUser = (username, password) => { if (!(username && password)) { throw new Error( `Username and password must be provided as arguments to the 'admin-initiate-auth' command.`, ); } }; const adminInitiateAuthHandler = async (commands) => { const [_, username, password] = commands; try { validateUser(username, password); const [userPoolId, clientId] = getFirstEntry(FILE_USER_POOLS); validateId(userPoolId); validateClient(clientId); logger.log("Signing in."); const { ChallengeName, Session } = await adminInitiateAuth({ clientId, userPoolId, username, password, }); if (ChallengeName === "MFA_SETUP") { logger.log("MFA setup is required."); return handleMfaSetup(Session, username); } if (ChallengeName === "SOFTWARE_TOKEN_MFA") { handleSoftwareTokenMfa(Session); logger.log(`Run 'admin-respond-to-auth-challenge ${username} '`); } } catch (err) { logger.error(err); } }; export { adminInitiateAuthHandler }; const adminInitiateAuth = ({ clientId, userPoolId, username, password }) => { const client = new CognitoIdentityProviderClient({}); const command = new AdminInitiateAuthCommand({ ClientId: clientId, UserPoolId: userPoolId, AuthFlow: AuthFlowType.ADMIN_USER_PASSWORD_AUTH, AuthParameters: { USERNAME: username, PASSWORD: password }, }); return client.send(command); }; import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js"; import { adminRespondToAuthChallenge } from "../../../actions/admin-respond-to-auth-challenge.js"; import { getFirstEntry } from "@aws-doc-sdk-examples/lib/utils/util-csv.js"; import { FILE_USER_POOLS } from "./constants.js"; const verifyUsername = (username) => { if (!username) { throw new Error( `Username is missing. It must be provided as an argument to the 'admin-respond-to-auth-challenge' command.`, ); } }; const verifyTotp = (totp) => { if (!totp) { throw new Error( `Time-based one-time password (TOTP) is missing. It must be provided as an argument to the 'admin-respond-to-auth-challenge' command.`, ); } }; const storeAccessToken = (token) => { process.env.AccessToken = token; }; const adminRespondToAuthChallengeHandler = async (commands) => { const [_, username, totp] = commands; try { verifyUsername(username); verifyTotp(totp); const [userPoolId, clientId] = getFirstEntry(FILE_USER_POOLS); const session = process.env.SESSION; const { AuthenticationResult } = await adminRespondToAuthChallenge({ clientId, userPoolId, username, totp, session, }); storeAccessToken(AuthenticationResult.AccessToken); logger.log("Successfully authenticated."); } catch (err) { logger.error(err); } }; export { adminRespondToAuthChallengeHandler }; const respondToAuthChallenge = ({ clientId, username, session, userPoolId, code, }) => { const client = new CognitoIdentityProviderClient({}); const command = new RespondToAuthChallengeCommand({ ChallengeName: ChallengeNameType.SOFTWARE_TOKEN_MFA, ChallengeResponses: { SOFTWARE_TOKEN_MFA_CODE: code, USERNAME: username, }, ClientId: clientId, UserPoolId: userPoolId, Session: session, }); return client.send(command); }; import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js"; import { verifySoftwareToken } from "../../../actions/verify-software-token.js"; const validateTotp = (totp) => { if (!totp) { throw new Error( `Time-based one-time password (TOTP) must be provided to the 'validate-software-token' command.`, ); } }; const verifySoftwareTokenHandler = async (commands) => { const [_, totp] = commands; try { validateTotp(totp); logger.log("Verifying TOTP."); await verifySoftwareToken(totp); logger.log("TOTP Verified. Run 'admin-initiate-auth' again to sign-in."); } catch (err) { logger.error(err); } }; export { verifySoftwareTokenHandler }; const verifySoftwareToken = (totp) => { const client = new CognitoIdentityProviderClient({}); // The 'Session' is provided in the response to 'AssociateSoftwareToken'. const session = process.env.SESSION; if (!session) { throw new Error( "Missing a valid Session. Did you run 'admin-initiate-auth'?", ); } const command = new VerifySoftwareTokenCommand({ Session: session, UserCode: totp, }); return client.send(command); }; ``` + For API details, see the following topics in *AWS SDK for JavaScript API Reference*. + [AdminGetUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminGetUserCommand) + [AdminInitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminInitiateAuthCommand) + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminRespondToAuthChallengeCommand) + [AssociateSoftwareToken](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AssociateSoftwareTokenCommand) + [ConfirmDevice](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ConfirmDeviceCommand) + [ConfirmSignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ConfirmSignUpCommand) + [InitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/InitiateAuthCommand) + [ListUsers](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ListUsersCommand) + [ResendConfirmationCode](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ResendConfirmationCodeCommand) + [RespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/RespondToAuthChallengeCommand) + [SignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/SignUpCommand) + [VerifySoftwareToken](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/VerifySoftwareTokenCommand) ------ #### [ Kotlin ] **SDK for Kotlin** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples). ``` /** Before running this Kotlin code example, set up your development environment, including your credentials. For more information, see the following documentation: https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/setup.html TIP: To set up the required user pool, run the AWS Cloud Development Kit (AWS CDK) script provided in this GitHub repo at resources/cdk/cognito_scenario_user_pool_with_mfa. This code example performs the following operations: 1. Invokes the signUp method to sign up a user. 2. Invokes the adminGetUser method to get the user's confirmation status. 3. Invokes the ResendConfirmationCode method if the user requested another code. 4. Invokes the confirmSignUp method. 5. Invokes the initiateAuth to sign in. This results in being prompted to set up TOTP (time-based one-time password). (The response is “ChallengeName”: “MFA_SETUP”). 6. Invokes the AssociateSoftwareToken method to generate a TOTP MFA private key. This can be used with Google Authenticator. 7. Invokes the VerifySoftwareToken method to verify the TOTP and register for MFA. 8. Invokes the AdminInitiateAuth to sign in again. This results in being prompted to submit a TOTP (Response: “ChallengeName”: “SOFTWARE_TOKEN_MFA”). 9. Invokes the AdminRespondToAuthChallenge to get back a token. */ suspend fun main(args: Array) { val usage = """ Usage: Where: clientId - The app client Id value that you can get from the AWS CDK script. poolId - The pool Id that you can get from the AWS CDK script. """ if (args.size != 2) { println(usage) exitProcess(1) } val clientId = args[0] val poolId = args[1] // Use the console to get data from the user. println("*** Enter your use name") val inOb = Scanner(System.`in`) val userName = inOb.nextLine() println(userName) println("*** Enter your password") val password: String = inOb.nextLine() println("*** Enter your email") val email = inOb.nextLine() println("*** Signing up $userName") signUp(clientId, userName, password, email) println("*** Getting $userName in the user pool") getAdminUser(userName, poolId) println("*** Conformation code sent to $userName. Would you like to send a new code? (Yes/No)") val ans = inOb.nextLine() if (ans.compareTo("Yes") == 0) { println("*** Sending a new confirmation code") resendConfirmationCode(clientId, userName) } println("*** Enter the confirmation code that was emailed") val code = inOb.nextLine() confirmSignUp(clientId, code, userName) println("*** Rechecking the status of $userName in the user pool") getAdminUser(userName, poolId) val authResponse = checkAuthMethod(clientId, userName, password, poolId) val mySession = authResponse.session val newSession = getSecretForAppMFA(mySession) println("*** Enter the 6-digit code displayed in Google Authenticator") val myCode = inOb.nextLine() // Verify the TOTP and register for MFA. verifyTOTP(newSession, myCode) println("*** Re-enter a 6-digit code displayed in Google Authenticator") val mfaCode: String = inOb.nextLine() val authResponse1 = checkAuthMethod(clientId, userName, password, poolId) val session2 = authResponse1.session adminRespondToAuthChallenge(userName, clientId, mfaCode, session2) } suspend fun checkAuthMethod( clientIdVal: String, userNameVal: String, passwordVal: String, userPoolIdVal: String, ): AdminInitiateAuthResponse { val authParas = mutableMapOf() authParas["USERNAME"] = userNameVal authParas["PASSWORD"] = passwordVal val authRequest = AdminInitiateAuthRequest { clientId = clientIdVal userPoolId = userPoolIdVal authParameters = authParas authFlow = AuthFlowType.AdminUserPasswordAuth } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> val response = identityProviderClient.adminInitiateAuth(authRequest) println("Result Challenge is ${response.challengeName}") return response } } suspend fun resendConfirmationCode( clientIdVal: String?, userNameVal: String?, ) { val codeRequest = ResendConfirmationCodeRequest { clientId = clientIdVal username = userNameVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> val response = identityProviderClient.resendConfirmationCode(codeRequest) println("Method of delivery is " + (response.codeDeliveryDetails?.deliveryMedium)) } } // Respond to an authentication challenge. suspend fun adminRespondToAuthChallenge( userName: String, clientIdVal: String?, mfaCode: String, sessionVal: String?, ) { println("SOFTWARE_TOKEN_MFA challenge is generated") val challengeResponsesOb = mutableMapOf() challengeResponsesOb["USERNAME"] = userName challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode val adminRespondToAuthChallengeRequest = AdminRespondToAuthChallengeRequest { challengeName = ChallengeNameType.SoftwareTokenMfa clientId = clientIdVal challengeResponses = challengeResponsesOb session = sessionVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> val respondToAuthChallengeResult = identityProviderClient.adminRespondToAuthChallenge(adminRespondToAuthChallengeRequest) println("respondToAuthChallengeResult.getAuthenticationResult() ${respondToAuthChallengeResult.authenticationResult}") } } // Verify the TOTP and register for MFA. suspend fun verifyTOTP( sessionVal: String?, codeVal: String?, ) { val tokenRequest = VerifySoftwareTokenRequest { userCode = codeVal session = sessionVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> val verifyResponse = identityProviderClient.verifySoftwareToken(tokenRequest) println("The status of the token is ${verifyResponse.status}") } } suspend fun getSecretForAppMFA(sessionVal: String?): String? { val softwareTokenRequest = AssociateSoftwareTokenRequest { session = sessionVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> val tokenResponse = identityProviderClient.associateSoftwareToken(softwareTokenRequest) val secretCode = tokenResponse.secretCode println("Enter this token into Google Authenticator") println(secretCode) return tokenResponse.session } } suspend fun confirmSignUp( clientIdVal: String?, codeVal: String?, userNameVal: String?, ) { val signUpRequest = ConfirmSignUpRequest { clientId = clientIdVal confirmationCode = codeVal username = userNameVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> identityProviderClient.confirmSignUp(signUpRequest) println("$userNameVal was confirmed") } } suspend fun getAdminUser( userNameVal: String?, poolIdVal: String?, ) { val userRequest = AdminGetUserRequest { username = userNameVal userPoolId = poolIdVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> val response = identityProviderClient.adminGetUser(userRequest) println("User status ${response.userStatus}") } } suspend fun signUp( clientIdVal: String?, userNameVal: String?, passwordVal: String?, emailVal: String?, ) { val userAttrs = AttributeType { name = "email" value = emailVal } val userAttrsList = mutableListOf() userAttrsList.add(userAttrs) val signUpRequest = SignUpRequest { userAttributes = userAttrsList username = userNameVal clientId = clientIdVal password = passwordVal } CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient -> identityProviderClient.signUp(signUpRequest) println("User has been signed up") } } ``` + For API details, see the following topics in *AWS SDK for Kotlin API reference*. + [AdminGetUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [AdminInitiateAuth](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [AssociateSoftwareToken](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [ConfirmDevice](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [ConfirmSignUp](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [InitiateAuth](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [ListUsers](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [ResendConfirmationCode](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [RespondToAuthChallenge](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [SignUp](https://sdk.amazonaws.com/kotlin/api/latest/index.html) + [VerifySoftwareToken](https://sdk.amazonaws.com/kotlin/api/latest/index.html) ------ #### [ Python ] **SDK for Python (Boto3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples). Create a class that wraps Amazon Cognito functions used in the scenario. ``` class CognitoIdentityProviderWrapper: """Encapsulates Amazon Cognito actions""" def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None): """ :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client. :param user_pool_id: The ID of an existing Amazon Cognito user pool. :param client_id: The ID of a client application registered with the user pool. :param client_secret: The client secret, if the client has a secret. """ self.cognito_idp_client = cognito_idp_client self.user_pool_id = user_pool_id self.client_id = client_id self.client_secret = client_secret def _secret_hash(self, user_name): """ Calculates a secret hash from a user name and a client secret. :param user_name: The user name to use when calculating the hash. :return: The secret hash. """ key = self.client_secret.encode() msg = bytes(user_name + self.client_id, "utf-8") secret_hash = base64.b64encode( hmac.new(key, msg, digestmod=hashlib.sha256).digest() ).decode() logger.info("Made secret hash for %s: %s.", user_name, secret_hash) return secret_hash def sign_up_user(self, user_name, password, user_email): """ Signs up a new user with Amazon Cognito. This action prompts Amazon Cognito to send an email to the specified email address. The email contains a code that can be used to confirm the user. When the user already exists, the user status is checked to determine whether the user has been confirmed. :param user_name: The user name that identifies the new user. :param password: The password for the new user. :param user_email: The email address for the new user. :return: True when the user is already confirmed with Amazon Cognito. Otherwise, false. """ try: kwargs = { "ClientId": self.client_id, "Username": user_name, "Password": password, "UserAttributes": [{"Name": "email", "Value": user_email}], } if self.client_secret is not None: kwargs["SecretHash"] = self._secret_hash(user_name) response = self.cognito_idp_client.sign_up(**kwargs) confirmed = response["UserConfirmed"] except ClientError as err: if err.response["Error"]["Code"] == "UsernameExistsException": response = self.cognito_idp_client.admin_get_user( UserPoolId=self.user_pool_id, Username=user_name ) logger.warning( "User %s exists and is %s.", user_name, response["UserStatus"] ) confirmed = response["UserStatus"] == "CONFIRMED" else: logger.error( "Couldn't sign up %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise return confirmed def resend_confirmation(self, user_name): """ Prompts Amazon Cognito to resend an email with a new confirmation code. :param user_name: The name of the user who will receive the email. :return: Delivery information about where the email is sent. """ try: kwargs = {"ClientId": self.client_id, "Username": user_name} if self.client_secret is not None: kwargs["SecretHash"] = self._secret_hash(user_name) response = self.cognito_idp_client.resend_confirmation_code(**kwargs) delivery = response["CodeDeliveryDetails"] except ClientError as err: logger.error( "Couldn't resend confirmation to %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return delivery def confirm_user_sign_up(self, user_name, confirmation_code): """ Confirms a previously created user. A user must be confirmed before they can sign in to Amazon Cognito. :param user_name: The name of the user to confirm. :param confirmation_code: The confirmation code sent to the user's registered email address. :return: True when the confirmation succeeds. """ try: kwargs = { "ClientId": self.client_id, "Username": user_name, "ConfirmationCode": confirmation_code, } if self.client_secret is not None: kwargs["SecretHash"] = self._secret_hash(user_name) self.cognito_idp_client.confirm_sign_up(**kwargs) except ClientError as err: logger.error( "Couldn't confirm sign up for %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return True def list_users(self): """ Returns a list of the users in the current user pool. :return: The list of users. """ try: response = self.cognito_idp_client.list_users(UserPoolId=self.user_pool_id) users = response["Users"] except ClientError as err: logger.error( "Couldn't list users for %s. Here's why: %s: %s", self.user_pool_id, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return users def start_sign_in(self, user_name, password): """ Starts the sign-in process for a user by using administrator credentials. This method of signing in is appropriate for code running on a secure server. If the user pool is configured to require MFA and this is the first sign-in for the user, Amazon Cognito returns a challenge response to set up an MFA application. When this occurs, this function gets an MFA secret from Amazon Cognito and returns it to the caller. :param user_name: The name of the user to sign in. :param password: The user's password. :return: The result of the sign-in attempt. When sign-in is successful, this returns an access token that can be used to get AWS credentials. Otherwise, Amazon Cognito returns a challenge to set up an MFA application, or a challenge to enter an MFA code from a registered MFA application. """ try: kwargs = { "UserPoolId": self.user_pool_id, "ClientId": self.client_id, "AuthFlow": "ADMIN_USER_PASSWORD_AUTH", "AuthParameters": {"USERNAME": user_name, "PASSWORD": password}, } if self.client_secret is not None: kwargs["AuthParameters"]["SECRET_HASH"] = self._secret_hash(user_name) response = self.cognito_idp_client.admin_initiate_auth(**kwargs) challenge_name = response.get("ChallengeName", None) if challenge_name == "MFA_SETUP": if ( "SOFTWARE_TOKEN_MFA" in response["ChallengeParameters"]["MFAS_CAN_SETUP"] ): response.update(self.get_mfa_secret(response["Session"])) else: raise RuntimeError( "The user pool requires MFA setup, but the user pool is not " "configured for TOTP MFA. This example requires TOTP MFA." ) except ClientError as err: logger.error( "Couldn't start sign in for %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: response.pop("ResponseMetadata", None) return response def get_mfa_secret(self, session): """ Gets a token that can be used to associate an MFA application with the user. :param session: Session information returned from a previous call to initiate authentication. :return: An MFA token that can be used to set up an MFA application. """ try: response = self.cognito_idp_client.associate_software_token(Session=session) except ClientError as err: logger.error( "Couldn't get MFA secret. Here's why: %s: %s", err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: response.pop("ResponseMetadata", None) return response def verify_mfa(self, session, user_code): """ Verify a new MFA application that is associated with a user. :param session: Session information returned from a previous call to initiate authentication. :param user_code: A code generated by the associated MFA application. :return: Status that indicates whether the MFA application is verified. """ try: response = self.cognito_idp_client.verify_software_token( Session=session, UserCode=user_code ) except ClientError as err: logger.error( "Couldn't verify MFA. Here's why: %s: %s", err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: response.pop("ResponseMetadata", None) return response def respond_to_mfa_challenge(self, user_name, session, mfa_code): """ Responds to a challenge for an MFA code. This completes the second step of a two-factor sign-in. When sign-in is successful, it returns an access token that can be used to get AWS credentials from Amazon Cognito. :param user_name: The name of the user who is signing in. :param session: Session information returned from a previous call to initiate authentication. :param mfa_code: A code generated by the associated MFA application. :return: The result of the authentication. When successful, this contains an access token for the user. """ try: kwargs = { "UserPoolId": self.user_pool_id, "ClientId": self.client_id, "ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": session, "ChallengeResponses": { "USERNAME": user_name, "SOFTWARE_TOKEN_MFA_CODE": mfa_code, }, } if self.client_secret is not None: kwargs["ChallengeResponses"]["SECRET_HASH"] = self._secret_hash( user_name ) response = self.cognito_idp_client.admin_respond_to_auth_challenge(**kwargs) auth_result = response["AuthenticationResult"] except ClientError as err: if err.response["Error"]["Code"] == "ExpiredCodeException": logger.warning( "Your MFA code has expired or has been used already. You might have " "to wait a few seconds until your app shows you a new code." ) else: logger.error( "Couldn't respond to mfa challenge for %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return auth_result def confirm_mfa_device( self, user_name, device_key, device_group_key, device_password, access_token, aws_srp, ): """ Confirms an MFA device to be tracked by Amazon Cognito. When a device is tracked, its key and password can be used to sign in without requiring a new MFA code from the MFA application. :param user_name: The user that is associated with the device. :param device_key: The key of the device, returned by Amazon Cognito. :param device_group_key: The group key of the device, returned by Amazon Cognito. :param device_password: The password that is associated with the device. :param access_token: The user's access token. :param aws_srp: A class that helps with Secure Remote Password (SRP) calculations. The scenario associated with this example uses the warrant package. :return: True when the user must confirm the device. Otherwise, False. When False, the device is automatically confirmed and tracked. """ srp_helper = aws_srp.AWSSRP( username=user_name, password=device_password, pool_id="_", client_id=self.client_id, client_secret=None, client=self.cognito_idp_client, ) device_and_pw = f"{device_group_key}{device_key}:{device_password}" device_and_pw_hash = aws_srp.hash_sha256(device_and_pw.encode("utf-8")) salt = aws_srp.pad_hex(aws_srp.get_random(16)) x_value = aws_srp.hex_to_long(aws_srp.hex_hash(salt + device_and_pw_hash)) verifier = aws_srp.pad_hex(pow(srp_helper.val_g, x_value, srp_helper.big_n)) device_secret_verifier_config = { "PasswordVerifier": base64.standard_b64encode( bytearray.fromhex(verifier) ).decode("utf-8"), "Salt": base64.standard_b64encode(bytearray.fromhex(salt)).decode("utf-8"), } try: response = self.cognito_idp_client.confirm_device( AccessToken=access_token, DeviceKey=device_key, DeviceSecretVerifierConfig=device_secret_verifier_config, ) user_confirm = response["UserConfirmationNecessary"] except ClientError as err: logger.error( "Couldn't confirm mfa device %s. Here's why: %s: %s", device_key, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return user_confirm def sign_in_with_tracked_device( self, user_name, password, device_key, device_group_key, device_password, aws_srp, ): """ Signs in to Amazon Cognito as a user who has a tracked device. Signing in with a tracked device lets a user sign in without entering a new MFA code. Signing in with a tracked device requires that the client respond to the SRP protocol. The scenario associated with this example uses the warrant package to help with SRP calculations. For more information on SRP, see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol. :param user_name: The user that is associated with the device. :param password: The user's password. :param device_key: The key of a tracked device. :param device_group_key: The group key of a tracked device. :param device_password: The password that is associated with the device. :param aws_srp: A class that helps with SRP calculations. The scenario associated with this example uses the warrant package. :return: The result of the authentication. When successful, this contains an access token for the user. """ try: srp_helper = aws_srp.AWSSRP( username=user_name, password=device_password, pool_id="_", client_id=self.client_id, client_secret=None, client=self.cognito_idp_client, ) response_init = self.cognito_idp_client.initiate_auth( ClientId=self.client_id, AuthFlow="USER_PASSWORD_AUTH", AuthParameters={ "USERNAME": user_name, "PASSWORD": password, "DEVICE_KEY": device_key, }, ) if response_init["ChallengeName"] != "DEVICE_SRP_AUTH": raise RuntimeError( f"Expected DEVICE_SRP_AUTH challenge but got {response_init['ChallengeName']}." ) auth_params = srp_helper.get_auth_params() auth_params["DEVICE_KEY"] = device_key response_auth = self.cognito_idp_client.respond_to_auth_challenge( ClientId=self.client_id, ChallengeName="DEVICE_SRP_AUTH", ChallengeResponses=auth_params, ) if response_auth["ChallengeName"] != "DEVICE_PASSWORD_VERIFIER": raise RuntimeError( f"Expected DEVICE_PASSWORD_VERIFIER challenge but got " f"{response_init['ChallengeName']}." ) challenge_params = response_auth["ChallengeParameters"] challenge_params["USER_ID_FOR_SRP"] = device_group_key + device_key cr = srp_helper.process_challenge(challenge_params, {"USERNAME": user_name}) cr["USERNAME"] = user_name cr["DEVICE_KEY"] = device_key response_verifier = self.cognito_idp_client.respond_to_auth_challenge( ClientId=self.client_id, ChallengeName="DEVICE_PASSWORD_VERIFIER", ChallengeResponses=cr, ) auth_tokens = response_verifier["AuthenticationResult"] except ClientError as err: logger.error( "Couldn't start client sign in for %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return auth_tokens ``` Create a class that runs the scenario. This example also registers an MFA device to be tracked by Amazon Cognito and shows you how to sign in by using a password and information from the tracked device. This avoids the need to enter a new MFA code. ``` def run_scenario(cognito_idp_client, user_pool_id, client_id): logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s") print("-" * 88) print("Welcome to the Amazon Cognito user signup with MFA demo.") print("-" * 88) cog_wrapper = CognitoIdentityProviderWrapper( cognito_idp_client, user_pool_id, client_id ) user_name = q.ask("Let's sign up a new user. Enter a user name: ", q.non_empty) password = q.ask("Enter a password for the user: ", q.non_empty) email = q.ask("Enter a valid email address that you own: ", q.non_empty) confirmed = cog_wrapper.sign_up_user(user_name, password, email) while not confirmed: print( f"User {user_name} requires confirmation. Check {email} for " f"a verification code." ) confirmation_code = q.ask("Enter the confirmation code from the email: ") if not confirmation_code: if q.ask("Do you need another confirmation code (y/n)? ", q.is_yesno): delivery = cog_wrapper.resend_confirmation(user_name) print( f"Confirmation code sent by {delivery['DeliveryMedium']} " f"to {delivery['Destination']}." ) else: confirmed = cog_wrapper.confirm_user_sign_up(user_name, confirmation_code) print(f"User {user_name} is confirmed and ready to use.") print("-" * 88) print("Let's get a list of users in the user pool.") q.ask("Press Enter when you're ready.") users = cog_wrapper.list_users() if users: print(f"Found {len(users)} users:") pp(users) else: print("No users found.") print("-" * 88) print("Let's sign in and get an access token.") auth_tokens = None challenge = "ADMIN_USER_PASSWORD_AUTH" response = {} while challenge is not None: if challenge == "ADMIN_USER_PASSWORD_AUTH": response = cog_wrapper.start_sign_in(user_name, password) challenge = response["ChallengeName"] elif response["ChallengeName"] == "MFA_SETUP": print("First, we need to set up an MFA application.") qr_img = qrcode.make( f"otpauth://totp/{user_name}?secret={response['SecretCode']}" ) qr_img.save("qr.png") q.ask( "Press Enter to see a QR code on your screen. Scan it into an MFA " "application, such as Google Authenticator." ) webbrowser.open("qr.png") mfa_code = q.ask( "Enter the verification code from your MFA application: ", q.non_empty ) response = cog_wrapper.verify_mfa(response["Session"], mfa_code) print(f"MFA device setup {response['Status']}") print("Now that an MFA application is set up, let's sign in again.") print( "You might have to wait a few seconds for a new MFA code to appear in " "your MFA application." ) challenge = "ADMIN_USER_PASSWORD_AUTH" elif response["ChallengeName"] == "SOFTWARE_TOKEN_MFA": auth_tokens = None while auth_tokens is None: mfa_code = q.ask( "Enter a verification code from your MFA application: ", q.non_empty ) auth_tokens = cog_wrapper.respond_to_mfa_challenge( user_name, response["Session"], mfa_code ) print(f"You're signed in as {user_name}.") print("Here's your access token:") pp(auth_tokens["AccessToken"]) print("And your device information:") pp(auth_tokens["NewDeviceMetadata"]) challenge = None else: raise Exception(f"Got unexpected challenge {response['ChallengeName']}") print("-" * 88) device_group_key = auth_tokens["NewDeviceMetadata"]["DeviceGroupKey"] device_key = auth_tokens["NewDeviceMetadata"]["DeviceKey"] device_password = base64.standard_b64encode(os.urandom(40)).decode("utf-8") print("Let's confirm your MFA device so you don't have re-enter MFA tokens for it.") q.ask("Press Enter when you're ready.") cog_wrapper.confirm_mfa_device( user_name, device_key, device_group_key, device_password, auth_tokens["AccessToken"], aws_srp, ) print(f"Your device {device_key} is confirmed.") print("-" * 88) print( f"Now let's sign in as {user_name} from your confirmed device {device_key}.\n" f"Because this device is tracked by Amazon Cognito, you won't have to re-enter an MFA code." ) q.ask("Press Enter when ready.") auth_tokens = cog_wrapper.sign_in_with_tracked_device( user_name, password, device_key, device_group_key, device_password, aws_srp ) print("You're signed in. Your access token is:") pp(auth_tokens["AccessToken"]) print("-" * 88) print("Don't forget to delete your user pool when you're done with this example.") print("\nThanks for watching!") print("-" * 88) def main(): parser = argparse.ArgumentParser( description="Shows how to sign up a new user with Amazon Cognito and associate " "the user with an MFA application for multi-factor authentication." ) parser.add_argument( "user_pool_id", help="The ID of the user pool to use for the example." ) parser.add_argument( "client_id", help="The ID of the client application to use for the example." ) args = parser.parse_args() try: run_scenario(boto3.client("cognito-idp"), args.user_pool_id, args.client_id) except Exception: logging.exception("Something went wrong with the demo.") if __name__ == "__main__": main() ``` + For API details, see the following topics in *AWS SDK for Python (Boto3) API Reference*. + [AdminGetUser](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminGetUser) + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminInitiateAuth) + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AssociateSoftwareToken) + [ConfirmDevice](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmDevice) + [ConfirmSignUp](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmSignUp) + [InitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/InitiateAuth) + [ListUsers](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUsers) + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ResendConfirmationCode) + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/RespondToAuthChallenge) + [SignUp](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SignUp) + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/VerifySoftwareToken) ------ #### [ Swift ] **SDK for Swift** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples). The `Package.swift` file. ``` // swift-tools-version: 5.9 // // The swift-tools-version declares the minimum version of Swift required to // build this package. import PackageDescription let package = Package( name: "cognito-scenario", // Let Xcode know the minimum Apple platforms supported. platforms: [ .macOS(.v13), .iOS(.v15) ], dependencies: [ // Dependencies declare other packages that this package depends on. .package( url: "https://github.com/awslabs/aws-sdk-swift", from: "1.0.0"), .package( url: "https://github.com/apple/swift-argument-parser.git", branch: "main" ) ], targets: [ // Targets are the basic building blocks of a package, defining a module or a test suite. // Targets can depend on other targets in this package and products // from dependencies. .executableTarget( name: "cognito-scenario", dependencies: [ .product(name: "AWSCognitoIdentityProvider", package: "aws-sdk-swift"), .product(name: "ArgumentParser", package: "swift-argument-parser") ], path: "Sources") ] ) ``` The Swift code file. ``` // An example demonstrating various features of Amazon Cognito. Before running // this Swift code example, set up your development environment, including // your credentials. // // For more information, see the following documentation: // https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/setup.html // // TIP: To set up the required user pool, run the AWS Cloud Development Kit // (AWS CDK) script provided in this GitHub repo at // resources/cdk/cognito_scenario_user_pool_with_mfa. // // This example performs the following functions: // // 1. Invokes the signUp method to sign up a user. // 2. Invokes the adminGetUser method to get the user's confirmation status. // 3. Invokes the ResendConfirmationCode method if the user requested another // code. // 4. Invokes the confirmSignUp method. // 5. Invokes the initiateAuth to sign in. This results in being prompted to // set up TOTP (time-based one-time password). (The response is // “ChallengeName”: “MFA_SETUP”). // 6. Invokes the AssociateSoftwareToken method to generate a TOTP MFA private // key. This can be used with Google Authenticator. // 7. Invokes the VerifySoftwareToken method to verify the TOTP and register // for MFA. // 8. Invokes the AdminInitiateAuth to sign in again. This results in being // prompted to submit a TOTP (Response: “ChallengeName”: // “SOFTWARE_TOKEN_MFA”). // 9. Invokes the AdminRespondToAuthChallenge to get back a token. import ArgumentParser import Foundation import AWSClientRuntime import AWSCognitoIdentityProvider struct ExampleCommand: ParsableCommand { @Argument(help: "The application clientId.") var clientId: String @Argument(help: "The user pool ID to use.") var poolId: String @Option(help: "Name of the Amazon Region to use") var region = "us-east-1" static var configuration = CommandConfiguration( commandName: "cognito-scenario", abstract: """ Demonstrates various features of Amazon Cognito. """, discussion: """ """ ) /// Prompt for an input string of at least a minimum length. /// /// - Parameters: /// - prompt: The prompt string to display. /// - minLength: The minimum number of characters to allow in the /// response. Default value is 0. /// /// - Returns: The entered string. func stringRequest(_ prompt: String, minLength: Int = 1) -> String { while true { print(prompt, terminator: "") let str = readLine() guard let str else { continue } if str.count >= minLength { return str } else { print("*** Response must be at least \(minLength) character(s) long.") } } } /// Ask a yes/no question. /// /// - Parameter prompt: A prompt string to print. /// /// - Returns: `true` if the user answered "Y", otherwise `false`. func yesNoRequest(_ prompt: String) -> Bool { while true { let answer = stringRequest(prompt).lowercased() if answer == "y" || answer == "n" { return answer == "y" } } } /// Get information about a specific user in a user pool. /// /// - Parameters: /// - cipClient: The Amazon Cognito Identity Provider client to use. /// - userName: The user to retrieve information about. /// - userPoolId: The user pool to search for the specified user. /// /// - Returns: `true` if the user's information was successfully /// retrieved. Otherwise returns `false`. func adminGetUser(cipClient: CognitoIdentityProviderClient, userName: String, userPoolId: String) async -> Bool { do { let output = try await cipClient.adminGetUser( input: AdminGetUserInput( userPoolId: userPoolId, username: userName ) ) guard let userStatus = output.userStatus else { print("*** Unable to get the user's status.") return false } print("User status: \(userStatus)") return true } catch { return false } } /// Create a new user in a user pool. /// /// - Parameters: /// - cipClient: The `CognitoIdentityProviderClient` to use. /// - clientId: The ID of the app client to create a user for. /// - userName: The username for the new user. /// - password: The new user's password. /// - email: The new user's email address. /// /// - Returns: `true` if successful; otherwise `false`. func signUp(cipClient: CognitoIdentityProviderClient, clientId: String, userName: String, password: String, email: String) async -> Bool { let emailAttr = CognitoIdentityProviderClientTypes.AttributeType( name: "email", value: email ) let userAttrsList = [emailAttr] do { _ = try await cipClient.signUp( input: SignUpInput( clientId: clientId, password: password, userAttributes: userAttrsList, username: userName ) ) print("=====> User \(userName) signed up.") } catch _ as AWSCognitoIdentityProvider.UsernameExistsException { print("*** The username \(userName) already exists. Please use a different one.") return false } catch let error as AWSCognitoIdentityProvider.InvalidPasswordException { print("*** Error: The specified password is invalid. Reason: \(error.properties.message ?? "").") return false } catch _ as AWSCognitoIdentityProvider.ResourceNotFoundException { print("*** Error: The specified client ID (\(clientId)) doesn't exist.") return false } catch { print("*** Unexpected error: \(error)") return false } return true } /// Requests a new confirmation code be sent to the given user's contact /// method. /// /// - Parameters: /// - cipClient: The `CognitoIdentityProviderClient` to use. /// - clientId: The application client ID. /// - userName: The user to resend a code for. /// /// - Returns: `true` if a new code was sent successfully, otherwise /// `false`. func resendConfirmationCode(cipClient: CognitoIdentityProviderClient, clientId: String, userName: String) async -> Bool { do { let output = try await cipClient.resendConfirmationCode( input: ResendConfirmationCodeInput( clientId: clientId, username: userName ) ) guard let deliveryMedium = output.codeDeliveryDetails?.deliveryMedium else { print("*** Unable to get the delivery method for the resent code.") return false } print("=====> A new code has been sent by \(deliveryMedium)") return true } catch { print("*** Unable to resend the confirmation code to user \(userName).") return false } } /// Submit a confirmation code for the specified user. This is the code as /// entered by the user after they've received it by email or text /// message. /// /// - Parameters: /// - cipClient: The `CognitoIdentityProviderClient` to use. /// - clientId: The app client ID the user is signing up for. /// - userName: The username of the user whose code is being sent. /// - code: The user's confirmation code. /// /// - Returns: `true` if the code was successfully confirmed; otherwise `false`. func confirmSignUp(cipClient: CognitoIdentityProviderClient, clientId: String, userName: String, code: String) async -> Bool { do { _ = try await cipClient.confirmSignUp( input: ConfirmSignUpInput( clientId: clientId, confirmationCode: code, username: userName ) ) print("=====> \(userName) has been confirmed.") return true } catch { print("=====> \(userName)'s code was entered incorrectly.") return false } } /// Begin an authentication session. /// /// - Parameters: /// - cipClient: The `CongitoIdentityProviderClient` to use. /// - clientId: The app client ID to use. /// - userName: The username to check. /// - password: The user's password. /// - userPoolId: The user pool to use. /// /// - Returns: The session token associated with this authentication /// session. func initiateAuth(cipClient: CognitoIdentityProviderClient, clientId: String, userName: String, password: String, userPoolId: String) async -> String? { var authParams: [String: String] = [:] authParams["USERNAME"] = userName authParams["PASSWORD"] = password do { let output = try await cipClient.adminInitiateAuth( input: AdminInitiateAuthInput( authFlow: CognitoIdentityProviderClientTypes.AuthFlowType.adminUserPasswordAuth, authParameters: authParams, clientId: clientId, userPoolId: userPoolId ) ) guard let challengeName = output.challengeName else { print("*** Invalid response from the auth service.") return nil } print("=====> Response challenge is \(challengeName)") return output.session } catch _ as UserNotFoundException { print("*** The specified username, \(userName), doesn't exist.") return nil } catch _ as UserNotConfirmedException { print("*** The user \(userName) has not been confirmed.") return nil } catch { print("*** An unexpected error occurred.") return nil } } /// Request and display an MFA secret token that the user should enter /// into their authenticator to set it up for the user account. /// /// - Parameters: /// - cipClient: The `CognitoIdentityProviderClient` to use. /// - authSession: The authentication session to request an MFA secret /// for. /// /// - Returns: A string containing the MFA secret token that should be /// entered into the authenticator software. func getSecretForAppMFA(cipClient: CognitoIdentityProviderClient, authSession: String?) async -> String? { do { let output = try await cipClient.associateSoftwareToken( input: AssociateSoftwareTokenInput( session: authSession ) ) guard let secretCode = output.secretCode else { print("*** Unable to get the secret code") return nil } print("=====> Enter this token into Google Authenticator: \(secretCode)") return output.session } catch _ as SoftwareTokenMFANotFoundException { print("*** The specified user pool isn't configured for MFA.") return nil } catch { print("*** An unexpected error occurred getting the secret for the app's MFA.") return nil } } /// Confirm that the user's TOTP authenticator is configured correctly by /// sending a code to it to check that it matches successfully. /// /// - Parameters: /// - cipClient: The `CongnitoIdentityProviderClient` to use. /// - session: An authentication session previously returned by an /// `associateSoftwareToken()` call. /// - mfaCode: The 6-digit code currently displayed by the user's /// authenticator, as provided by the user. func verifyTOTP(cipClient: CognitoIdentityProviderClient, session: String?, mfaCode: String?) async { do { let output = try await cipClient.verifySoftwareToken( input: VerifySoftwareTokenInput( session: session, userCode: mfaCode ) ) guard let tokenStatus = output.status else { print("*** Unable to get the token's status.") return } print("=====> The token's status is: \(tokenStatus)") } catch _ as SoftwareTokenMFANotFoundException { print("*** The specified user pool isn't configured for MFA.") return } catch _ as CodeMismatchException { print("*** The specified MFA code doesn't match the expected value.") return } catch _ as UserNotFoundException { print("*** The specified username doesn't exist.") return } catch _ as UserNotConfirmedException { print("*** The user has not been confirmed.") return } catch { print("*** Error verifying the MFA token!") return } } /// Respond to the authentication challenge received from Cognito after /// initiating an authentication session. This involves sending a current /// MFA code to the service. /// /// - Parameters: /// - cipClient: The `CognitoIdentityProviderClient` to use. /// - userName: The user's username. /// - clientId: The app client ID. /// - userPoolId: The user pool to sign into. /// - mfaCode: The 6-digit MFA code currently displayed by the user's /// authenticator. /// - session: The authentication session to continue processing. func adminRespondToAuthChallenge(cipClient: CognitoIdentityProviderClient, userName: String, clientId: String, userPoolId: String, mfaCode: String, session: String) async { print("=====> SOFTWARE_TOKEN_MFA challenge is generated...") var challengeResponsesOb: [String: String] = [:] challengeResponsesOb["USERNAME"] = userName challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode do { let output = try await cipClient.adminRespondToAuthChallenge( input: AdminRespondToAuthChallengeInput( challengeName: CognitoIdentityProviderClientTypes.ChallengeNameType.softwareTokenMfa, challengeResponses: challengeResponsesOb, clientId: clientId, session: session, userPoolId: userPoolId ) ) guard let authenticationResult = output.authenticationResult else { print("*** Unable to get authentication result.") return } print("=====> Authentication result (JWTs are redacted):") print(authenticationResult) } catch _ as SoftwareTokenMFANotFoundException { print("*** The specified user pool isn't configured for MFA.") return } catch _ as CodeMismatchException { print("*** The specified MFA code doesn't match the expected value.") return } catch _ as UserNotFoundException { print("*** The specified username, \(userName), doesn't exist.") return } catch _ as UserNotConfirmedException { print("*** The user \(userName) has not been confirmed.") return } catch let error as NotAuthorizedException { print("*** Unauthorized access. Reason: \(error.properties.message ?? "")") } catch { print("*** Error responding to the MFA challenge.") return } } /// Called by ``main()`` to run the bulk of the example. func runAsync() async throws { let config = try await CognitoIdentityProviderClient.CognitoIdentityProviderClientConfiguration(region: region) let cipClient = CognitoIdentityProviderClient(config: config) print(""" This example collects information about a user, then creates that user in the specified user pool. Then, it enables Multi-Factor Authentication (MFA) for that user by associating an authenticator application (such as Google Authenticator or a password manager that supports TOTP). Then, the user uses a code from their authenticator application to sign in. """) let userName = stringRequest("Please enter a new username: ") let password = stringRequest("Enter a password: ") let email = stringRequest("Enter your email address: ", minLength: 5) // Submit the sign-up request to AWS. print("==> Signing up user \(userName)...") if await signUp(cipClient: cipClient, clientId: clientId, userName: userName, password: password, email: email) == false { return } // Check the user's status. This time, it should come back "unconfirmed". print("==> Getting the status of user \(userName) from the user pool (should be 'unconfirmed')...") if await adminGetUser(cipClient: cipClient, userName: userName, userPoolId: poolId) == false { return } // Ask the user if they want a replacement code sent, such as if the // code hasn't arrived yet. If the user responds with a "yes," send a // new code. if yesNoRequest("==> A confirmation code was sent to \(userName). Would you like to send a new code (Y/N)? ") { print("==> Sending a new confirmation code...") if await resendConfirmationCode(cipClient: cipClient, clientId: clientId, userName: userName) == false { return } } // Ask the user to enter the confirmation code, then send it to Amazon // Cognito to verify it. let code = stringRequest("==> Enter the confirmation code sent to \(userName): ") if await confirmSignUp(cipClient: cipClient, clientId: clientId, userName: userName, code: code) == false { // The code didn't match. Your application may wish to offer to // re-send the confirmation code here and try again. return } // Check the user's status again. This time it should come back // "confirmed". print("==> Rechecking status of user \(userName) in the user pool (should be 'confirmed')...") if await adminGetUser(cipClient: cipClient, userName: userName, userPoolId: poolId) == false { return } // Check the challenge mode. Here, it should be "mfaSetup", indicating // that the user needs to add MFA before using it. This returns a // session that can be used to register MFA, or nil if an error occurs. let authSession = await initiateAuth(cipClient: cipClient, clientId: clientId, userName: userName, password: password, userPoolId: poolId) if authSession == nil { return } // Ask Cognito for an MFA secret token that the user should enter into // their authenticator software (such as Google Authenticator) or // password manager to configure it for this user account. This // returns a new session that should be used for the new stage of the // authentication process. let newSession = await getSecretForAppMFA(cipClient: cipClient, authSession: authSession) if newSession == nil { return } // Ask the user to enter the current 6-digit code displayed by their // authenticator. Then verify that it matches the value expected for // the session. let mfaCode1 = stringRequest("==> Enter the 6-digit code displayed in your authenticator: ", minLength: 6) await verifyTOTP(cipClient: cipClient, session: newSession, mfaCode: mfaCode1) // Ask the user to authenticate now that the authenticator has been // configured. This creates a new session using the user's username // and password as already entered. print("\nNow starting the sign-in process for user \(userName)...\n") let session2 = await initiateAuth(cipClient: cipClient, clientId: clientId, userName: userName, password: password, userPoolId: poolId) guard let session2 else { return } // Now that we have a new auth session, `session2`, ask the user for a // new 6-digit code from their authenticator, and send it to the auth // session. let mfaCode2 = stringRequest("==> Wait for your authenticator to show a new 6-digit code, then enter it: ", minLength: 6) await adminRespondToAuthChallenge(cipClient: cipClient, userName: userName, clientId: clientId, userPoolId: poolId, mfaCode: mfaCode2, session: session2) } } /// The program's asynchronous entry point. @main struct Main { static func main() async { let args = Array(CommandLine.arguments.dropFirst()) do { let command = try ExampleCommand.parse(args) try await command.runAsync() } catch { ExampleCommand.exit(withError: error) } } } ``` + For API details, see the following topics in *AWS SDK for Swift API reference*. + [AdminGetUser](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/admingetuser(input:)) + [AdminInitiateAuth](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/admininitiateauth(input:)) + [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/adminrespondtoauthchallenge(input:)) + [AssociateSoftwareToken](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/associatesoftwaretoken(input:)) + [ConfirmDevice](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/confirmdevice(input:)) + [ConfirmSignUp](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/confirmsignup(input:)) + [InitiateAuth](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/initiateauth(input:)) + [ListUsers](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/listusers(input:)) + [ResendConfirmationCode](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/resendconfirmationcode(input:)) + [RespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/respondtoauthchallenge(input:)) + [SignUp](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/signup(input:)) + [VerifySoftwareToken](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/verifysoftwaretoken(input:)) ------ For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions. # Use Amazon Cognito identity pools and authentication flows Use Amazon Cognito identity pools The following code example shows how to create a web-based demo application that demonstrates identity pools authentication flows. ------ #### [ Python ] **SDK for Python (Boto3)** Shows web-based demo application that demonstrates Amazon Cognito identity pools authentication flows, allowing users to interactively explore both enhanced and basic authentication flows with various identity providers. For complete source code and instructions on how to set up and run, see the full example on [ GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito/scenarios/identity_pools_example_demo). **Services used in this example** + Amazon Cognito Identity Provider ------ For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions. # Write custom activity data with a Lambda function after Amazon Cognito user authentication using an AWS SDK Write custom activity data with a Lambda function after Amazon Cognito user authentication The following code example shows how to write custom activity data with a Lambda function after Amazon Cognito user authentication. + Use administrator functions to add a user to a user pool. + Configure a user pool to call a Lambda function for the `PostAuthentication` trigger. + Sign the new user in to Amazon Cognito. + The Lambda function writes custom information to CloudWatch Logs and to an DynamoDB table. + Get and display custom data from the DynamoDB table, then clean up resources. ------ #### [ Go ] **SDK for Go V2** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/workflows/user_pools_and_lambda_triggers#code-examples). Run an interactive scenario at a command prompt. ``` import ( "context" "errors" "log" "strings" "user_pools_and_lambda_triggers/actions" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // ActivityLog separates the steps of this scenario into individual functions so that // they are simpler to read and understand. type ActivityLog struct { helper IScenarioHelper questioner demotools.IQuestioner resources Resources cognitoActor *actions.CognitoActions } // NewActivityLog constructs a new activity log runner. func NewActivityLog(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) ActivityLog { scenario := ActivityLog{ helper: helper, questioner: questioner, resources: Resources{}, cognitoActor: &actions.CognitoActions{CognitoClient: cognitoidentityprovider.NewFromConfig(sdkConfig)}, } scenario.resources.init(scenario.cognitoActor, questioner) return scenario } // AddUserToPool selects a user from the known users table and uses administrator credentials to add the user to the user pool. func (runner *ActivityLog) AddUserToPool(ctx context.Context, userPoolId string, tableName string) (string, string) { log.Println("To facilitate this example, let's add a user to the user pool using administrator privileges.") users, err := runner.helper.GetKnownUsers(ctx, tableName) if err != nil { panic(err) } user := users.Users[0] log.Printf("Adding known user %v to the user pool.\n", user.UserName) err = runner.cognitoActor.AdminCreateUser(ctx, userPoolId, user.UserName, user.UserEmail) if err != nil { panic(err) } pwSet := false password := runner.questioner.AskPassword("\nEnter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.\n"+ "(the password will not display as you type):", 8) for !pwSet { log.Printf("\nSetting password for user '%v'.\n", user.UserName) err = runner.cognitoActor.AdminSetUserPassword(ctx, userPoolId, user.UserName, password) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { password = runner.questioner.AskPassword("\nEnter another password:", 8) } else { panic(err) } } else { pwSet = true } } log.Println(strings.Repeat("-", 88)) return user.UserName, password } // AddActivityLogTrigger adds a Lambda handler as an invocation target for the PostAuthentication trigger. func (runner *ActivityLog) AddActivityLogTrigger(ctx context.Context, userPoolId string, activityLogArn string) { log.Println("Let's add a Lambda function to handle the PostAuthentication trigger from Cognito.\n" + "This trigger happens after a user is authenticated, and lets your function take action, such as logging\n" + "the outcome.") err := runner.cognitoActor.UpdateTriggers( ctx, userPoolId, actions.TriggerInfo{Trigger: actions.PostAuthentication, HandlerArn: aws.String(activityLogArn)}) if err != nil { panic(err) } runner.resources.triggers = append(runner.resources.triggers, actions.PostAuthentication) log.Printf("Lambda function %v added to user pool %v to handle PostAuthentication Cognito trigger.\n", activityLogArn, userPoolId) log.Println(strings.Repeat("-", 88)) } // SignInUser signs in as the specified user. func (runner *ActivityLog) SignInUser(ctx context.Context, clientId string, userName string, password string) { log.Printf("Now we'll sign in user %v and check the results in the logs and the DynamoDB table.", userName) runner.questioner.Ask("Press Enter when you're ready.") authResult, err := runner.cognitoActor.SignIn(ctx, clientId, userName, password) if err != nil { panic(err) } log.Println("Sign in successful.", "The PostAuthentication Lambda handler writes custom information to CloudWatch Logs.") runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, *authResult.AccessToken) } // GetKnownUserLastLogin gets the login info for a user from the Amazon DynamoDB table and displays it. func (runner *ActivityLog) GetKnownUserLastLogin(ctx context.Context, tableName string, userName string) { log.Println("The PostAuthentication handler also writes login data to the DynamoDB table.") runner.questioner.Ask("Press Enter when you're ready to continue.") users, err := runner.helper.GetKnownUsers(ctx, tableName) if err != nil { panic(err) } for _, user := range users.Users { if user.UserName == userName { log.Println("The last login info for the user in the known users table is:") log.Printf("\t%+v", *user.LastLogin) } } log.Println(strings.Repeat("-", 88)) } // Run runs the scenario. func (runner *ActivityLog) Run(ctx context.Context, stackName string) { defer func() { if r := recover(); r != nil { log.Println("Something went wrong with the demo.") runner.resources.Cleanup(ctx) } }() log.Println(strings.Repeat("-", 88)) log.Printf("Welcome\n") log.Println(strings.Repeat("-", 88)) stackOutputs, err := runner.helper.GetStackOutputs(ctx, stackName) if err != nil { panic(err) } runner.resources.userPoolId = stackOutputs["UserPoolId"] runner.helper.PopulateUserTable(ctx, stackOutputs["TableName"]) userName, password := runner.AddUserToPool(ctx, stackOutputs["UserPoolId"], stackOutputs["TableName"]) runner.AddActivityLogTrigger(ctx, stackOutputs["UserPoolId"], stackOutputs["ActivityLogFunctionArn"]) runner.SignInUser(ctx, stackOutputs["UserPoolClientId"], userName, password) runner.helper.ListRecentLogEvents(ctx, stackOutputs["ActivityLogFunction"]) runner.GetKnownUserLastLogin(ctx, stackOutputs["TableName"], userName) runner.resources.Cleanup(ctx) log.Println(strings.Repeat("-", 88)) log.Println("Thanks for watching!") log.Println(strings.Repeat("-", 88)) } ``` Handle the `PostAuthentication` trigger with a Lambda function. ``` import ( "context" "fmt" "log" "os" "time" "github.com/aws/aws-lambda-go/events" "github.com/aws/aws-lambda-go/lambda" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue" "github.com/aws/aws-sdk-go-v2/service/dynamodb" dynamodbtypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" ) const TABLE_NAME = "TABLE_NAME" // LoginInfo defines structured login data that can be marshalled to a DynamoDB format. type LoginInfo struct { UserPoolId string `dynamodbav:"UserPoolId"` ClientId string `dynamodbav:"ClientId"` Time string `dynamodbav:"Time"` } // UserInfo defines structured user data that can be marshalled to a DynamoDB format. type UserInfo struct { UserName string `dynamodbav:"UserName"` UserEmail string `dynamodbav:"UserEmail"` LastLogin LoginInfo `dynamodbav:"LastLogin"` } // GetKey marshals the user email value to a DynamoDB key format. func (user UserInfo) GetKey() map[string]dynamodbtypes.AttributeValue { userEmail, err := attributevalue.Marshal(user.UserEmail) if err != nil { panic(err) } return map[string]dynamodbtypes.AttributeValue{"UserEmail": userEmail} } type handler struct { dynamoClient *dynamodb.Client } // HandleRequest handles the PostAuthentication event by writing custom data to the logs and // to an Amazon DynamoDB table. func (h *handler) HandleRequest(ctx context.Context, event events.CognitoEventUserPoolsPostAuthentication) (events.CognitoEventUserPoolsPostAuthentication, error) { log.Printf("Received post authentication trigger from %v for user '%v'", event.TriggerSource, event.UserName) tableName := os.Getenv(TABLE_NAME) user := UserInfo{ UserName: event.UserName, UserEmail: event.Request.UserAttributes["email"], LastLogin: LoginInfo{ UserPoolId: event.UserPoolID, ClientId: event.CallerContext.ClientID, Time: time.Now().Format(time.UnixDate), }, } // Write to CloudWatch Logs. fmt.Printf("%#v", user) // Also write to an external system. This examples uses DynamoDB to demonstrate. userMap, err := attributevalue.MarshalMap(user) if err != nil { log.Printf("Couldn't marshal to DynamoDB map. Here's why: %v\n", err) } else if len(userMap) == 0 { log.Printf("User info marshaled to an empty map.") } else { _, err := h.dynamoClient.PutItem(ctx, &dynamodb.PutItemInput{ Item: userMap, TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't write to DynamoDB. Here's why: %v\n", err) } else { log.Printf("Wrote user info to DynamoDB table %v.\n", tableName) } } return event, nil } func main() { ctx := context.Background() sdkConfig, err := config.LoadDefaultConfig(ctx) if err != nil { log.Panicln(err) } h := handler{ dynamoClient: dynamodb.NewFromConfig(sdkConfig), } lambda.Start(h.HandleRequest) } ``` Create a struct that performs common tasks. ``` import ( "context" "log" "strings" "time" "user_pools_and_lambda_triggers/actions" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudformation" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs" "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // IScenarioHelper defines common functions used by the workflows in this example. type IScenarioHelper interface { Pause(secs int) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) PopulateUserTable(ctx context.Context, tableName string) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) AddKnownUser(ctx context.Context, tableName string, user actions.User) ListRecentLogEvents(ctx context.Context, functionName string) } // ScenarioHelper contains AWS wrapper structs used by the workflows in this example. type ScenarioHelper struct { questioner demotools.IQuestioner dynamoActor *actions.DynamoActions cfnActor *actions.CloudFormationActions cwlActor *actions.CloudWatchLogsActions isTestRun bool } // NewScenarioHelper constructs a new scenario helper. func NewScenarioHelper(sdkConfig aws.Config, questioner demotools.IQuestioner) ScenarioHelper { scenario := ScenarioHelper{ questioner: questioner, dynamoActor: &actions.DynamoActions{DynamoClient: dynamodb.NewFromConfig(sdkConfig)}, cfnActor: &actions.CloudFormationActions{CfnClient: cloudformation.NewFromConfig(sdkConfig)}, cwlActor: &actions.CloudWatchLogsActions{CwlClient: cloudwatchlogs.NewFromConfig(sdkConfig)}, } return scenario } // Pause waits for the specified number of seconds. func (helper ScenarioHelper) Pause(secs int) { if !helper.isTestRun { time.Sleep(time.Duration(secs) * time.Second) } } // GetStackOutputs gets the outputs from the specified CloudFormation stack in a structured format. func (helper ScenarioHelper) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) { return helper.cfnActor.GetOutputs(ctx, stackName), nil } // PopulateUserTable fills the known user table with example data. func (helper ScenarioHelper) PopulateUserTable(ctx context.Context, tableName string) { log.Printf("First, let's add some users to the DynamoDB %v table we'll use for this example.\n", tableName) err := helper.dynamoActor.PopulateTable(ctx, tableName) if err != nil { panic(err) } } // GetKnownUsers gets the users from the known users table in a structured format. func (helper ScenarioHelper) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) { knownUsers, err := helper.dynamoActor.Scan(ctx, tableName) if err != nil { log.Printf("Couldn't get known users from table %v. Here's why: %v\n", tableName, err) } return knownUsers, err } // AddKnownUser adds a user to the known users table. func (helper ScenarioHelper) AddKnownUser(ctx context.Context, tableName string, user actions.User) { log.Printf("Adding user '%v' with email '%v' to the DynamoDB known users table...\n", user.UserName, user.UserEmail) err := helper.dynamoActor.AddUser(ctx, tableName, user) if err != nil { panic(err) } } // ListRecentLogEvents gets the most recent log stream and events for the specified Lambda function and displays them. func (helper ScenarioHelper) ListRecentLogEvents(ctx context.Context, functionName string) { log.Println("Waiting a few seconds to let Lambda write to CloudWatch Logs...") helper.Pause(10) log.Println("Okay, let's check the logs to find what's happened recently with your Lambda function.") logStream, err := helper.cwlActor.GetLatestLogStream(ctx, functionName) if err != nil { panic(err) } log.Printf("Getting some recent events from log stream %v\n", *logStream.LogStreamName) events, err := helper.cwlActor.GetLogEvents(ctx, functionName, *logStream.LogStreamName, 10) if err != nil { panic(err) } for _, event := range events { log.Printf("\t%v", *event.Message) } log.Println(strings.Repeat("-", 88)) } ``` Create a struct that wraps Amazon Cognito actions. ``` import ( "context" "errors" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider" "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types" ) type CognitoActions struct { CognitoClient *cognitoidentityprovider.Client } // Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger. type Trigger int const ( PreSignUp Trigger = iota UserMigration PostAuthentication ) type TriggerInfo struct { Trigger Trigger HandlerArn *string } // UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value, // it is removed from the user pool. func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error { output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{ UserPoolId: aws.String(userPoolId), }) if err != nil { log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err) return err } lambdaConfig := output.UserPool.LambdaConfig for _, trigger := range triggers { switch trigger.Trigger { case PreSignUp: lambdaConfig.PreSignUp = trigger.HandlerArn case UserMigration: lambdaConfig.UserMigration = trigger.HandlerArn case PostAuthentication: lambdaConfig.PostAuthentication = trigger.HandlerArn } } _, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{ UserPoolId: aws.String(userPoolId), LambdaConfig: lambdaConfig, }) if err != nil { log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err) } return err } // SignUp signs up a user with Amazon Cognito. func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) { confirmed := false output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{ ClientId: aws.String(clientId), Password: aws.String(password), Username: aws.String(userName), UserAttributes: []types.AttributeType{ {Name: aws.String("email"), Value: aws.String(userEmail)}, }, }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err) } } else { confirmed = output.UserConfirmed } return confirmed, err } // SignIn signs in a user to Amazon Cognito using a username and password authentication flow. func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) { var authResult *types.AuthenticationResultType output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{ AuthFlow: "USER_PASSWORD_AUTH", ClientId: aws.String(clientId), AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password}, }) if err != nil { var resetRequired *types.PasswordResetRequiredException if errors.As(err, &resetRequired) { log.Println(*resetRequired.Message) } else { log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err) } } else { authResult = output.AuthenticationResult } return authResult, err } // ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code // to the user's configured notification destination, such as email. func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) { output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{ ClientId: aws.String(clientId), Username: aws.String(userName), }) if err != nil { log.Printf("Couldn't start password reset for user '%v'. Here;s why: %v\n", userName, err) } return output.CodeDeliveryDetails, err } // ConfirmForgotPassword confirms a user with a confirmation code and a new password. func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error { _, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{ ClientId: aws.String(clientId), ConfirmationCode: aws.String(code), Password: aws.String(password), Username: aws.String(userName), }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err) } } return err } // DeleteUser removes a user from the user pool. func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error { _, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{ AccessToken: aws.String(userAccessToken), }) if err != nil { log.Printf("Couldn't delete user. Here's why: %v\n", err) } return err } // AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user // in a state that requires they enter a new password next time they sign in. func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error { _, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{ UserPoolId: aws.String(userPoolId), Username: aws.String(userName), MessageAction: types.MessageActionTypeSuppress, UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}}, }) if err != nil { var userExists *types.UsernameExistsException if errors.As(err, &userExists) { log.Printf("User %v already exists in the user pool.", userName) err = nil } else { log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err) } } return err } // AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a // temporary password. func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error { _, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{ Password: aws.String(password), UserPoolId: aws.String(userPoolId), Username: aws.String(userName), Permanent: true, }) if err != nil { var invalidPassword *types.InvalidPasswordException if errors.As(err, &invalidPassword) { log.Println(*invalidPassword.Message) } else { log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err) } } return err } ``` Create a struct that wraps DynamoDB actions. ``` import ( "context" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue" "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" ) // DynamoActions encapsulates the Amazon Simple Notification Service (Amazon SNS) actions // used in the examples. type DynamoActions struct { DynamoClient *dynamodb.Client } // User defines structured user data. type User struct { UserName string UserEmail string LastLogin *LoginInfo `dynamodbav:",omitempty"` } // LoginInfo defines structured custom login data. type LoginInfo struct { UserPoolId string ClientId string Time string } // UserList defines a list of users. type UserList struct { Users []User } // UserNameList returns the usernames contained in a UserList as a list of strings. func (users *UserList) UserNameList() []string { names := make([]string, len(users.Users)) for i := 0; i < len(users.Users); i++ { names[i] = users.Users[i].UserName } return names } // PopulateTable adds a set of test users to the table. func (actor DynamoActions) PopulateTable(ctx context.Context, tableName string) error { var err error var item map[string]types.AttributeValue var writeReqs []types.WriteRequest for i := 1; i < 4; i++ { item, err = attributevalue.MarshalMap(User{UserName: fmt.Sprintf("test_user_%v", i), UserEmail: fmt.Sprintf("test_email_%v@example.com", i)}) if err != nil { log.Printf("Couldn't marshall user into DynamoDB format. Here's why: %v\n", err) return err } writeReqs = append(writeReqs, types.WriteRequest{PutRequest: &types.PutRequest{Item: item}}) } _, err = actor.DynamoClient.BatchWriteItem(ctx, &dynamodb.BatchWriteItemInput{ RequestItems: map[string][]types.WriteRequest{tableName: writeReqs}, }) if err != nil { log.Printf("Couldn't populate table %v with users. Here's why: %v\n", tableName, err) } return err } // Scan scans the table for all items. func (actor DynamoActions) Scan(ctx context.Context, tableName string) (UserList, error) { var userList UserList output, err := actor.DynamoClient.Scan(ctx, &dynamodb.ScanInput{ TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't scan table %v for items. Here's why: %v\n", tableName, err) } else { err = attributevalue.UnmarshalListOfMaps(output.Items, &userList.Users) if err != nil { log.Printf("Couldn't unmarshal items into users. Here's why: %v\n", err) } } return userList, err } // AddUser adds a user item to a table. func (actor DynamoActions) AddUser(ctx context.Context, tableName string, user User) error { userItem, err := attributevalue.MarshalMap(user) if err != nil { log.Printf("Couldn't marshall user to item. Here's why: %v\n", err) } _, err = actor.DynamoClient.PutItem(ctx, &dynamodb.PutItemInput{ Item: userItem, TableName: aws.String(tableName), }) if err != nil { log.Printf("Couldn't put item in table %v. Here's why: %v", tableName, err) } return err } ``` Create a struct that wraps CloudWatch Logs actions. ``` import ( "context" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs" "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types" ) type CloudWatchLogsActions struct { CwlClient *cloudwatchlogs.Client } // GetLatestLogStream gets the most recent log stream for a Lambda function. func (actor CloudWatchLogsActions) GetLatestLogStream(ctx context.Context, functionName string) (types.LogStream, error) { var logStream types.LogStream logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName) output, err := actor.CwlClient.DescribeLogStreams(ctx, &cloudwatchlogs.DescribeLogStreamsInput{ Descending: aws.Bool(true), Limit: aws.Int32(1), LogGroupName: aws.String(logGroupName), OrderBy: types.OrderByLastEventTime, }) if err != nil { log.Printf("Couldn't get log streams for log group %v. Here's why: %v\n", logGroupName, err) } else { logStream = output.LogStreams[0] } return logStream, err } // GetLogEvents gets the most recent eventCount events from the specified log stream. func (actor CloudWatchLogsActions) GetLogEvents(ctx context.Context, functionName string, logStreamName string, eventCount int32) ( []types.OutputLogEvent, error) { var events []types.OutputLogEvent logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName) output, err := actor.CwlClient.GetLogEvents(ctx, &cloudwatchlogs.GetLogEventsInput{ LogStreamName: aws.String(logStreamName), Limit: aws.Int32(eventCount), LogGroupName: aws.String(logGroupName), }) if err != nil { log.Printf("Couldn't get log event for log stream %v. Here's why: %v\n", logStreamName, err) } else { events = output.Events } return events, err } ``` Create a struct that wraps CloudFormation actions. ``` import ( "context" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudformation" ) // StackOutputs defines a map of outputs from a specific stack. type StackOutputs map[string]string type CloudFormationActions struct { CfnClient *cloudformation.Client } // GetOutputs gets the outputs from a CloudFormation stack and puts them into a structured format. func (actor CloudFormationActions) GetOutputs(ctx context.Context, stackName string) StackOutputs { output, err := actor.CfnClient.DescribeStacks(ctx, &cloudformation.DescribeStacksInput{ StackName: aws.String(stackName), }) if err != nil || len(output.Stacks) == 0 { log.Panicf("Couldn't find a CloudFormation stack named %v. Here's why: %v\n", stackName, err) } stackOutputs := StackOutputs{} for _, out := range output.Stacks[0].Outputs { stackOutputs[*out.OutputKey] = *out.OutputValue } return stackOutputs } ``` Clean up resources. ``` import ( "context" "log" "user_pools_and_lambda_triggers/actions" "github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools" ) // Resources keeps track of AWS resources created during an example and handles // cleanup when the example finishes. type Resources struct { userPoolId string userAccessTokens []string triggers []actions.Trigger cognitoActor *actions.CognitoActions questioner demotools.IQuestioner } func (resources *Resources) init(cognitoActor *actions.CognitoActions, questioner demotools.IQuestioner) { resources.userAccessTokens = []string{} resources.triggers = []actions.Trigger{} resources.cognitoActor = cognitoActor resources.questioner = questioner } // Cleanup deletes all AWS resources created during an example. func (resources *Resources) Cleanup(ctx context.Context) { defer func() { if r := recover(); r != nil { log.Printf("Something went wrong during cleanup.\n%v\n", r) log.Println("Use the AWS Management Console to remove any remaining resources \n" + "that were created for this scenario.") } }() wantDelete := resources.questioner.AskBool("Do you want to remove all of the AWS resources that were created "+ "during this demo (y/n)?", "y") if wantDelete { for _, accessToken := range resources.userAccessTokens { err := resources.cognitoActor.DeleteUser(ctx, accessToken) if err != nil { log.Println("Couldn't delete user during cleanup.") panic(err) } log.Println("Deleted user.") } triggerList := make([]actions.TriggerInfo, len(resources.triggers)) for i := 0; i < len(resources.triggers); i++ { triggerList[i] = actions.TriggerInfo{Trigger: resources.triggers[i], HandlerArn: nil} } err := resources.cognitoActor.UpdateTriggers(ctx, resources.userPoolId, triggerList...) if err != nil { log.Println("Couldn't update Cognito triggers during cleanup.") panic(err) } log.Println("Removed Cognito triggers from user pool.") } else { log.Println("Be sure to remove resources when you're done with them to avoid unexpected charges!") } } ``` + For API details, see the following topics in *AWS SDK for Go API Reference*. + [AdminCreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.AdminCreateUser) + [AdminSetUserPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.AdminSetUserPassword) + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser) + [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth) + [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool) ------ For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.