aws-solutions / cognito-user-profiles-export-reference-architecture

A reference architecture for exporting user profiles, group details, and group memberships from an Amazon Cognito User Pool to an Amazon DynamoDB global table using AWS Step Functions and AWS Lambda.
https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/
Apache License 2.0
53 stars 19 forks

Import both CONFIRMED and UNCONFIRMED account statuses #9

Closed caiconkhicon closed 1 year ago

caiconkhicon commented 3 years ago

Is your feature request related to a problem? Please describe.

When I run the import StepFunction, it fails because the Lambda function cannot import users with the account status UNCONFIRMED. The failing step is Parallel: CheckUserImportJob. Its log looks like this:

        "ImportedUsers": 14,
        "SkippedUsers": 0,
        "FailedUsers": 32,
        "CompletionMessage": "Too many users have failed or been skipped during the import."

Describe the feature you'd like

The Lambda function should be able to import UNCONFIRMED users (or ideally, make it a parameter).

ericquinones commented 3 years ago

Hi @caiconkhicon - The CompletionMessage you see there is generated by Cognito's User Import job (more info).

For specific information about why the job failed, you will need to review the CloudWatch Logs for that Cognito Import Job. If you go to the CloudWatch console, you should see a log group for your user pool. Something like /aws/cognito/userpools/<pool id>/<pool name>

Inside the log group, you should find a Log Stream for the import job and within it, you should see more detailed logs about why each individual user failed to import. If there are unconfirmed users in the pool, it could be because of missing required attributes but the logs should confirm why those users failed to import.

caiconkhicon commented 3 years ago

@ericquinones: Thanks for your reply. Sorry, I forgot to reply to you. Yes, now I know that. However, now I face another problem, which is with Cognito, but maybe you can also help me. When doing export/import, my user pool had several users with email_verified=false, and Cognito denied importing them. The problem is, from what I observe in CloudWatch, when there are users with email_verified=false, Cognito stops after the first 50 items (the log always stops at the 51st line). E.g. there are 500 users, 36 are imported, 14 are rejected, 450 are not mentioned. This behaviour blocks me from doing export/import. IMHO Cognito should just ignore these users and continue with others. Do you have any idea how I can overcome this issue?

ericquinones commented 3 years ago

Hi @caiconkhicon -

As you mentioned, that behavior comes from the Cognito User Import process itself, so there would be nothing we can do on the solution side to have Cognito continue processing users after their limit of failed imports is hit. I found information in the Cognito documentation stating that the destination user pool itself must have at least one auto-verified attribute and the users in the CSV need to have one of the auto-verified attributes set to true.

If your issue is limited to unconfirmed users, a workaround might be to sort the CSV file so that users with email_verified=false or phone_number_verified=false are at the end of the file. This way, the users that are expected to import successfully will be processed first. You can look into creating a custom build of the solution with these changes (please see the README file for how to build the solution from the source code). Or you could not add those users to the CSV at all if you know they will not be imported.

The logic for how the solution determines true/false for the auto-verified attributes is here. And the CSV file is created in this function.

Thank you
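
The reordering workaround suggested in the comment above, as an added example that is not part of the thread or of the solution's own code. The function names are hypothetical, the header is a shortened constructed one using Cognito's import column names, and one CSV record per line is assumed.

```javascript
// Reorder a Cognito user-import CSV so rows expected to import come first.
// Assumes one record per line (no newlines inside quoted fields).

// Split one CSV line into fields, honouring double-quoted fields and "" escapes.
function splitCsvLine(line) {
  const fields = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (quoted) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') quoted = false;
      else cur += ch;
    } else if (ch === '"') quoted = true;
    else if (ch === ',') { fields.push(cur); cur = ''; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

// autoVerified: the destination pool's auto-verified attributes, e.g. ['email'].
// dropUnverified: leave out rows with no verified attribute instead of moving them last.
function orderImportCsv(csvText, autoVerified, dropUnverified = false) {
  const lines = csvText.split(/\r?\n/).filter((l) => l.length > 0);
  const header = splitCsvLine(lines[0]);
  const cols = autoVerified.map((a) => header.indexOf(`${a}_verified`));
  if (cols.includes(-1)) throw new Error('verified column missing from header');
  const ok = [];
  const doubtful = [];
  for (const line of lines.slice(1)) {
    const f = splitCsvLine(line);
    const verified = cols.some((c) => (f[c] || '').trim().toLowerCase() === 'true');
    (verified ? ok : doubtful).push(line); // original line text is kept unchanged
  }
  const body = dropUnverified ? ok : ok.concat(doubtful);
  return { csv: [lines[0], ...body].join('\n') + '\n', kept: ok.length, unverified: doubtful.length };
}

// Constructed sample input (not real user data).
const SAMPLE = [
  'cognito:username,email,email_verified,phone_number,phone_number_verified',
  'alice,alice@example.com,true,,false',
  'bob,bob@example.com,false,,false',
  '"carol, jr",carol@example.com,TRUE,,false',
].join('\n');
console.log(orderImportCsv(SAMPLE, ['email']).csv);
```

The `unverified` count shows in advance how many rows sit at the end of the file without a verified attribute, which can be compared with the FailedUsers figure the import job reports.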

caiconkhicon commented 3 years ago

@ericquinones: Thanks a lot for your advice. I will try it and tell you the result later. What do you think if I create a PR here?

ericquinones commented 3 years ago

Hi @caiconkhicon -

Apologies for the delay. PRs are okay to submit and we will take a look. We have some guidance here.

Thanks!

Warns commented 2 years ago

Hi @ericquinones @caiconkhicon

Sorry, it might be unrelated, but after creating a CloudFormation stack pointed to the export template in S3, it creates everything with no errors. After that I deleted the users I had in the Cognito user pool along with the groups, then executed the import step function, giving it the current user pool ID as input; it also executed successfully with no errors. But I found that the user wasn't imported back. One note is that the table in DynamoDB also had no items. What am I missing here, given that everything ran successfully? Would really appreciate your help.

Edit: I think the problem was that the user in Cognito wasn't verified and hadn't reset the password after creation, so it wasn't exported. After fixing those, the export and import functionality is working just fine.

mikeols commented 1 year ago

Appears questions have been addressed. Closing.