@@ -32,3 +32,96 @@ Follow these steps to use the migration Lambda function:
3232 3 . Configure the ` OLD_ROLE_ARN ` and ` OLD_EXTERNAL_ID ` environment variables for the lambda function
3333
34345 . Configure the trigger _ User Migration_ for the new User Pool to call the migration lambda function
35+
36+
37+ ## Using AWS CLI
38+
39+ If you wish to use [ AWS CLI] ( https://docs.aws.amazon.com/cli/latest/ )
40+ This reduces the need to navigate around AWS Console which is always in flux and not the easiest to figure out.
41+
42+ Maintain a txt list of the following variables as you work your way through this
43+ * ` OLD_USER_POOL_ID ` - the pool id you are migrating * from* (us-east-2_xyzABC)
44+ * ` OLD_USER_POOL_ARN ` - the pool Arn you are migrating * from* (arn:aws:cognito-idp:us-east-2:12345: userpool /us-east-2_xyzABC)
45+ * ` OLD_USER_POOL_REGION ` - the region that pool is located in (us-east-1 or us-east-2 etc...)
46+ * ` NEW_USER_POOL_ID ` - the pool you are migrating * to* (us-east-2_xyzDEF)
47+ * ` ROLE_ARN ` (created in step 1)
48+ * ` POLICY_ARN ` (created in step 2)
49+ * ` OLD_CLIENT_ID ` (created in step 4)
50+ * ` LAMBDA_ARN ` (created in step 5)
51+
52+ 1 . Create Role
53+ * Update the role name to match your DevOps procedures
54+ * Note the Arn returned from this as it will be your ` ROLE_ARN `
55+
56+ ``` bash
57+ aws iam create-role --role-name cognito-migration-lambda-xxxx \
58+ --assume-role-policy-document file://trust-policy.json
59+ ```
60+
61+ 2 . Create Permissions for your lambda function to run
62+ * Update lambda-role-policy.json to the ARN of the * OLD* cognito user-pool (the one your migrating from)
63+ * "Resource": "arn:aws:cognito-idp: XXXXXXXXXXX " -> ` OLD_USER_POOL_ARN `
64+ * Name your policy to match your DevOps procedures "cognito-migration-lambda-policy-xxxx"
65+
66+ ``` bash
67+ aws iam create-policy --policy-name cognito-migration-lambda-policy-xxxx \
68+ --policy-document file://lambda-role-policy.json
69+ ```
70+ This allows your lambda function to authenticate and look up users against the old cognito instance
71+ Note the Arn returned from the command ` POLICY_ARN `
72+
73+
74+ 3 . Attach Permissions to role
75+ * Update role names to match your DevOps procedures
76+
77+ ``` bash
78+ # Standard lambda execution policy, including cloud logging
79+ aws iam attach-role-policy --role-name cognito-migration-lambda-xxxxx \
80+ --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
81+
82+ # Attach the policy you just created in step 2
83+ aws iam attach-role-policy --role-name cognito-migration-lambda-xxxxx \
84+ --policy-arn POLICY_ARN
85+ ```
86+
87+ 4 . Create user pool client in old user pool
88+ * Update user-pool-id with the ID of the * OLD* user pool
89+ * This is the client that the lambda function will connect to validate user / passwords with
90+ * Note the ClientId returned from this as it will be your ` OLD_CLIENT_ID `
91+
92+ ``` bash
93+ aws cognito-idp create-user-pool-client \
94+ --user-pool-id XXXXXXXX \
95+ --client-name lambda-migration-client \
96+ --no-generate-secret \
97+ --explicit-auth-flows " ALLOW_USER_PASSWORD_AUTH" " ALLOW_ADMIN_USER_PASSWORD_AUTH" "
98+ ` ` `
99+
100+ 5. Create lambda function
101+ * Edit lambda-skeleton.json
102+ * Update
103+ * " FunctionName" " test-migration-cognitio"
104+ * " Role" " ` ROLE_ARN` "
105+ * " OLD_CLIENT_ID" " XXX"
106+ * " OLD_USER_POOL_ID" " XXX"
107+ * " OLD_USER_POOL_REGION" " XXX"
108+ * Build the function code
109+ ` ` `
110+ npm install && npm run build
111+ ` ` `
112+ * Deploy it
113+ * Note the Arn returned from this, this is your ` LAMBDA_ARN`
114+ ` ` `
115+ aws lambda create-function --cli-input-json file://lambda-skeleton.json
116+ ` ` `
117+
118+ 6. Attach lambda to new user pool
119+ * This is where you hook up your lambda function to your new cognito instance
120+ * Update the ` NEW_USER_POOL_ID` and ` `
121+
122+ ` ` `
123+ aws cognito-idp update-user-pool \
124+ --user-pool-id NEW_USER_POOL_ID \
125+ --lambda-config UserMigration=LAMBDA_ARN
126+ ` ` `
127+
0 commit comments