Open pseudyx opened 4 years ago
@pseudyx Hello, you should be able to perform this yourself. The design of Admin Queries creates Functions in the Amplify project under ./amplify/backend/function/AdminQueriesXXX/src where you will see cognitoActions.js and app.js. cognitoActions.js can be edited with the AWS Node SDK for Create User: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminCreateUser-property
You can use one of the other functions as a template and then add the function name to the module.exports at the bottom. Then in app.js import your new function name at the top and add it as a route. I'd probably use a POST like:
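```javascript
// Route for app.js; createUser is the new function exported from cognitoActions.js
app.post('/createUser', async (req, res, next) => {
  // Reject requests that do not carry a username
  if (!req.body.username) {
    const err = new Error('username is required');
    err.statusCode = 400;
    return next(err);
  }
  try {
    const response = await createUser(req.body.username);
    res.status(200).json(response);
  } catch (err) {
    next(err);
  }
});
```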
Once you're happy with your changes, save them and you can run amplify push to deploy into your account.
Also for a user creation operation I would suggest you make sure that you have an Admin group defined to restrict this action to only those users if you only want certain Administrators to perform this task.
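The steps in the comment above, as an added example that is not part of the original comment or of the Amplify-generated code: a createUser helper in the style of cognitoActions.js that checks the caller's group before calling AdminCreateUser. The helper names `callerInGroup` and `buildCreateUserParams`, the validation rules, the required email argument, and the stub client are assumptions made for illustration; the client is assumed to have the AWS SDK v2 call shape from the linked documentation.

```javascript
// Hypothetical helper: true only when the caller's claims list the group.
// Accepts 'cognito:groups' as a comma-separated string or as an array.
function callerInGroup(claims, group) {
  const raw = claims && claims['cognito:groups'];
  if (!raw) return false;
  const groups = Array.isArray(raw) ? raw : String(raw).split(',');
  return groups.map((g) => g.trim()).includes(group);
}

// Hypothetical helper: validate input and build the AdminCreateUser request.
function buildCreateUserParams(userPoolId, username, email) {
  // Constructed rules: 1-128 non-whitespace characters, minimal email shape.
  const okUser = typeof username === 'string' && /^\S{1,128}$/.test(username);
  const okMail = typeof email === 'string' && /^\S+@\S+$/.test(email);
  if (!okUser || !okMail) {
    const err = new Error('valid username and email are required');
    err.statusCode = 400;
    throw err;
  }
  return {
    UserPoolId: userPoolId,
    Username: username,
    // No TemporaryPassword: Cognito generates one and sends it to the user.
    DesiredDeliveryMediums: ['EMAIL'],
    UserAttributes: [{ Name: 'email', Value: email }],
  };
}

// Deny by default, then call Cognito. Assumed SDK v2 shape:
// client.adminCreateUser(params).promise()
async function createUser(client, userPoolId, claims, username, email) {
  if (!callerInGroup(claims, 'admin')) {
    const err = new Error('caller is not in the admin group');
    err.statusCode = 403;
    throw err;
  }
  const params = buildCreateUserParams(userPoolId, username, email);
  const { User } = await client.adminCreateUser(params).promise();
  // Return only what an admin UI needs, not the full SDK response.
  return { username: User.Username, status: User.UserStatus };
}

// Constructed stub that stands in for the Cognito client and records calls.
const stubClient = (calls) => ({
  adminCreateUser: (params) => {
    calls.push(params);
    const User = { Username: params.Username, UserStatus: 'FORCE_CHANGE_PASSWORD' };
    return { promise: async () => ({ User }) };
  },
});
```

The group comparison is an exact match on each entry, so a group named "administrators" does not satisfy a check for "admin".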
@pseudyx please get back to us if you made the modifications based on @undefobj's suggestion, but I mark this as an enhancement that we could potentially add to the AdminQueries functionality.
Thank you @undefobj this is great. I have now done this. However, I believe this should be a function out of the box for AdminQueries. It could be added when a group is selected to limit the Admin queries to.
Note that this only works after you edit the file amplify/backend/function/AdminQueriesXXX-cloudformation-template.json and add to the array Resources.lambdaexecutionpolicy.Properties.PolicyDocument.Statement[1].Action the value "cognito-idp:AdminCreateUser".
@attilah yes, please add this. It would be nice to see the entire admin API exposed.
A note to anyone else that finds this thread. If you update the generated cognitoActions.js and you then add a new group via amplify auth update it will overwrite the cognitoActions.js file and your changes will be lost. This same statement goes for the cloudformation that is generated. Speaking from experience.
Please add the feature to create new users through admin APIs.
If you don't want to lose the policies for this action, you can create a new file in your main function directory called custom-policies.json and add this information:
```json
[
  {
    "Action": ["cognito-idp:AdminCreateUser"],
    "Resource": ["arn:aws:cognito-idp:*:*:userpool/*"]
  }
]
```
I believe this is safer than editing the auto generated file as it won't be overwritten.
Is your feature request related to a problem? Please describe.
I have a few customer apps where new users have to be created in Cognito. This is not a public app, allowing "sign-up" and Administrators of the app do not have AWS console access.

Describe the solution you'd like
Add create user to the Admin API queries. Admin API already allows to restrict access to specific group ("admin" in this case) so Administrators can add users to groups... But they need the ability to create new users and set a temp password for the user to change when they first log in (same as workflow from creating a user in cognito)

Describe alternatives you've considered
Alternatives include 1: making direct queries to the cognito Admin API, but this requires additional steps outside the app bypassing the amplify api. 2: have users "register" themselves then have the admin grant access by verifying their registration and adding them to the correct group... This is the workflow we are trying to avoid.