Is your feature request related to a problem? Please describe.
I have a few customer apps where new users have to be created in Cognito.
This is not a public app allowing "sign-up", and Administrators of the app do not have AWS console access.
Describe the solution you'd like
Add create user to the Admin API queries.
Admin API already allows to restrict access to specific group ("admin" in this case) so Administrators can add users to groups... But they need the ability to create new users and set a temp password for the user to change when they first log in (same as workflow from creating a user in cognito)
Describe alternatives you've considered
Alternatives include
1: making direct queries to the cognito Admin API, but this requires additional steps outside the app bypassing the amplify api.
2: have users "register" themselves then have the admin grant access by verifying their registration and adding them to the correct group... This is the workflow we are trying to avoid.
@pseudyx Hello, you should be able to perform this yourself. The design of Admin Queries creates Functions in the Amplify project under ./amplify/backend/function/AdminQueriesXXX/src where you will see cognitoActions.js and app.js. cognitoActions.js can be edited with the AWS Node SDK for Create User:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminCreateUser-property
You can use one of the other functions as a template and then add the function name to the module.exports at the bottom. Then in app.js import your new function name at the top and add it as a route. I'd probably use a POST like:
    app.post('/createUser', async (req, res, next) => {
      if (!req.body.username) {
        const err = new Error('username is required');
        err.statusCode = 400;
        return next(err);
      }
      try {
        const response = await createUser(req.body.username);
        res.status(200).json(response);
      } catch (err) {
        next(err);
      }
    });
Once you're happy with your changes, save them and you can run amplify push to deploy into your account.
Also for a user creation operation I would suggest you make sure that you have an Admin group defined to restrict this action to only those users if you only want certain Administrators to perform this task.
@pseudyx please get back to us if you made the modifications based on @undefobj's suggestion, but I mark this as an enhancement that we could potentially add to the AdminQueries functionality.
Thank you @undefobj this is great. I have now done this.
However, I believe this should be a function out of the box for AdminQueries. It could be added when a group is selected to limit the Admin queries to.
Note that this only works after you edit the file amplify/backend/function/AdminQueriesXXX-cloudformation-template.json and add to the array Resources.lambdaexecutionpolicy.Properties.PolicyDocument.Statement[1].Action the value "cognito-idp:AdminCreateUser".
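A sketch of the createUser function the thread describes adding to cognitoActions.js, together with an exact-match Admin group check. This is an added example, not part of the thread and not Amplify's generated code. It assumes the AWS SDK v2 client shape (`adminCreateUser(params).promise()`) and that the Lambda role already has the `cognito-idp:AdminCreateUser` action mentioned above; `USERNAME_RE`, `isInGroup`, `badRequest`, `makeCreateUser` and the `email` parameter are hypothetical names introduced here.

```javascript
// Added example for cognitoActions.js; not Amplify's generated code.
// Hypothetical names: USERNAME_RE, isInGroup, badRequest, makeCreateUser, email.
const USERNAME_RE = /^[\w.@+-]{1,128}$/; // assumed allow-list, adjust to your pool

// Exact-match group test. The cognito:groups claim is handled as an array or a
// comma-separated string (assumption); a substring test would let
// "superadmin" pass a check for "admin".
function isInGroup(claims, group) {
  const raw = (claims && claims['cognito:groups']) || [];
  const groups = Array.isArray(raw) ? raw : String(raw).split(',');
  return groups.map((g) => String(g).trim()).includes(group);
}

function badRequest(message) {
  const err = new Error(message);
  err.statusCode = 400; // same error convention as the route in the thread
  return err;
}

// The client is injected: a CognitoIdentityServiceProvider instance (AWS SDK v2)
// in the Lambda, a stub in tests.
function makeCreateUser(cognito, userPoolId) {
  return async function createUser(username, email, temporaryPassword) {
    if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
      throw badRequest('invalid username');
    }
    if (typeof email !== 'string' || !email.includes('@')) {
      throw badRequest('invalid email');
    }
    const params = {
      UserPoolId: userPoolId,
      Username: username,
      DesiredDeliveryMediums: ['EMAIL'],
      UserAttributes: [{ Name: 'email', Value: email }],
    };
    // When TemporaryPassword is omitted, Cognito generates one itself.
    if (temporaryPassword) params.TemporaryPassword = temporaryPassword;
    const result = await cognito.adminCreateUser(params).promise();
    // Return only what the caller needs; never echo the temporary password.
    return { username: result.User.Username, status: result.User.UserStatus };
  };
}
```

A user created this way starts in the FORCE_CHANGE_PASSWORD status, which gives the first-login password change requested in the issue.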