AWS Cognito, retrieve old edited custom value - amazon-cognito

I edited a custom value on Cognito with this command:
aws cognito-idp admin-update-user-attributes --user-pool-id us-east-2_XXXX --username some_email@gmail.com --user-attributes Name="custom:address",Value="Some values"
But I put the wrong email. Is there a way to rollback that change or retrieve the old data for that user?

You will not be able to roll back the change and the data will not be available unless you had it stored elsewhere prior.

Related

How to convert the AWS S3 principalId to user name

"userIdentity":{
"principalId":"Amazon-customer-ID-of-the-user-who-caused-the-event"
},
How can I convert the principal ID, which is available in the S3 event notification, into the user name responsible for the action?
I couldn't find how to do this either. I ended up sending the sub from user attributes as part of the object key. Then you have access to the sub in the event notification.
It's mind-boggling why the IAM console UI does not show this nor allow for searching.
You have to use the AWS CLI to pull this info out.
aws iam list-users

AWS Amplify - update another user attributes

Is there a way I can update another user's attributes using AWS Amplify with Cognito? I.e. when a user replies to a post I want to change the rating of the person who started the thread. Or will I need a table in the DB to manage this?
In the docs I see that there is a method:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminUpdateUserAttributes-property
but I don't see a way to use it in Amplify.
I have not seen any API of aws-amplify which can alter user attributes as admin.
Generally, it is good practice not to duplicate data, or to keep duplication minimal if it is unavoidable. In other words, keep a single source of truth. Use Cognito only for authentication, I mean for obtaining the JWT token.
Rating, basic user info, and role: keep those in your own data source.

Is there any way to implement password expiry in Amazon Cognito?

I have to implement a password expiry policy in Amazon Cognito. I have checked the documents but didn't find any solution for this.
Unfortunately AWS doesn't have any built-in password expiration for Cognito. You can however have your own implementation by creating a new custom field that tracks the timestamp when the password was created/changed. You can then use AdminResetUserPassword when the timestamp is too old. You can have a Lambda query all users and check this parameter daily. Update the timestamp and reset the password if it is too old.
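The scheduled sweep described in that answer, written out as an added example (not code from the thread). It assumes a custom attribute, here named custom:pwd_changed_at, that your application writes with the epoch seconds of every password change, and the user pool id in a USER_POOL_ID environment variable; the policy logic is kept separate from the boto3 calls so it can be tested offline.

```python
"""Daily password-expiry sweep for a Cognito user pool, as described in the answer above
(added example, not code from the thread). Assumes a custom attribute, here named
custom:pwd_changed_at, that your application writes with the epoch seconds of every
password change, and the user pool id in the USER_POOL_ID environment variable."""
import os
import time

PWD_ATTR = "custom:pwd_changed_at"   # hypothetical attribute name; must exist in the pool schema
MAX_AGE_SECONDS = 90 * 24 * 3600     # constructed policy: passwords expire after 90 days


def attrs_to_dict(attributes):
    """Flatten Cognito's [{"Name": ..., "Value": ...}] attribute list into a dict."""
    return {a["Name"]: a["Value"] for a in attributes}


def expired_usernames(users, now, max_age=MAX_AGE_SECONDS):
    """Return usernames whose tracked password timestamp is older than max_age.

    ``users`` has the shape of the "Users" entries returned by ListUsers. A missing
    or malformed timestamp counts as expired: an unknown password age fails closed."""
    expired = []
    for user in users:
        if user.get("UserStatus") == "RESET_REQUIRED":
            continue  # AdminResetUserPassword already applied; don't re-reset every day
        value = attrs_to_dict(user.get("Attributes", [])).get(PWD_ATTR)
        try:
            changed_at = int(value)
        except (TypeError, ValueError):
            changed_at = 0
        if now - changed_at > max_age:
            expired.append(user["Username"])
    return expired


def lambda_handler(event, context):
    """Scheduled entry point: page through the whole pool and reset stale passwords."""
    import boto3  # imported here so the policy logic above runs and tests without the SDK
    idp = boto3.client("cognito-idp")
    pool = os.environ["USER_POOL_ID"]
    now = int(time.time())
    reset = []
    for page in idp.get_paginator("list_users").paginate(UserPoolId=pool):
        for name in expired_usernames(page["Users"], now):
            idp.admin_reset_user_password(UserPoolId=pool, Username=name)
            reset.append(name)
    return {"reset": reset}
```

The application must write the attribute again after the user completes the reset; otherwise the user is swept up again on the next run once their status returns to CONFIRMED.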

Updating Cognito "User Pools" or "Federated Identities" is not working

I created a Cognito user pool with some apps and attributes. All is empty, it has no users yet.
Now, I want to add some new attributes in the "Attributes" tab, but all fields are disabled.
On the other hand, in Federated Policies, I was trying to change the "user pool id" and "client id", under tab "Authentication Provider" > "Cognito". All fine, I make my changes and I press "Save Changes", but when I refresh the page to check, I see that my changes were lost.
My question is, is this a bug in Cognito, or is updating attributes/configuration not supported?
EDIT 1: OK, it's not possible to update the attributes.
EDIT 2: I can't update the configuration on the Identity Pool. Here are my steps:
Go to federated identities
Press edit identity pool
In authentication provider, in the Cognito tab, unlock user pool id and app client id
Update values and press Save Changes
The system shows me that the changes were successfully saved
Go to Authentication Provider, under Cognito, but the old values still appear
Check if Pool Id and App Client Id were correct
Thanks
Part 2: Changing the user pool id and the client id is somewhat confusing (some would say "inane" because it is non-standard and serves no purpose). Here is how it works: there is a little "Unlock" button next to each field; you must press this button to "unlock" the field, then you can edit the field and click Save. This is handled similarly on some of the other authentication providers (Google/Facebook). While the "Unlock" buttons sound like they do something undesirable (who wants to unlock their own authentication provider?) they just unlock the text field.
Part 1, to expand on Rachit's answer: You can add custom attributes, but the standard attributes are "locked in" upon creating the pool (the Console has a note indicating that).
Updating the standard attributes is not supported in Cognito. You can add custom attributes if need be.
Updating the configuration should work in Federated Identities and I just tried to reproduce and was able to change the user pool id and the client id. Is there any error message displayed for you?
I did exactly what you did and it worked. So maybe it is fixed, or maybe you have a browser incompatibility (I did it in Safari).
You can also (alternatively) add another provider using the same user pool ID (that also works).
Lastly, and with caution...
There have been reports where configurations have gotten messed up and deleting the identity pool and reconnecting the user pool improved things. I even experienced this personally. But I was never able to reproduce it and there are risks.
Risks: the identity pool keeps the identityId, and if you delete it your devices will have old keychains with non-existent identityIds and you may have to wipe the keychain.
Obviously if you have anything synced it will be lost, and if you have any data related to the identityId it will be lost (because everyone will get a new identity id).
But it is a step of last resort that is easy if you are still in development.
I was facing the exact problem described in the question but was able to overcome it using the AWS CLI. I could add the Cognito authentication providers; the command is as follows (the provider name takes the full form cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>, not the bare pool id):
aws cognito-identity update-identity-pool \
--identity-pool-id "<IDENTITY_POOL>" \
--identity-pool-name "<IDENTITY_POOL_NAME>" \
--no-allow-unauthenticated-identities \
--cognito-identity-providers \
ProviderName="cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>",ClientId="<USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false
Caution:
This will overwrite the existing Cognito identity providers. If you don't want to overwrite but add a new one, then list the other Cognito identity providers as well in the above command, like ProviderName="cognito-idp.<REGION>.amazonaws.com/<EXISTING_USER_POOL_ID>",ClientId="<EXISTING_USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false, next to each other; in that case the command will look like below:
aws cognito-identity update-identity-pool \
--identity-pool-id "<IDENTITY_POOL>" \
--identity-pool-name "<IDENTITY_POOL_NAME>" \
--no-allow-unauthenticated-identities \
--cognito-identity-providers \
ProviderName="cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>",ClientId="<USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false \
ProviderName="cognito-idp.<REGION>.amazonaws.com/<EXISTING_USER_POOL_ID>",ClientId="<EXISTING_USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false
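The overwrite caveat above is easy to get wrong by hand, so here is a read-modify-write version as an added example (not code from the thread): it fetches the identity pool's current configuration, appends the new user pool provider without dropping the existing ones, and sends the whole configuration back. It assumes credentials allowed to call DescribeIdentityPool and UpdateIdentityPool, and it enables ServerSideTokenCheck rather than leaving it false as in the CLI command.

```python
"""Add a user pool as an authentication provider to an existing identity pool without
dropping the providers already configured (added example, not code from the thread).
Assumes credentials allowed to call DescribeIdentityPool and UpdateIdentityPool."""


def provider_name(region, user_pool_id):
    """Cognito Identity expects the full provider name, not the bare user pool id."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def merge_cognito_providers(existing, region, user_pool_id, client_id):
    """Return the existing provider list plus the new pool/app-client pair, deduplicated.

    ServerSideTokenCheck=True makes Cognito Identity check with the user pool that the
    user has not been deleted or globally signed out before it vends AWS credentials."""
    new = {
        "ProviderName": provider_name(region, user_pool_id),
        "ClientId": client_id,
        "ServerSideTokenCheck": True,
    }
    key = (new["ProviderName"], new["ClientId"])
    merged = [p for p in existing if (p["ProviderName"], p["ClientId"]) != key]
    merged.append(new)
    return merged


def build_update_request(description, providers):
    """Turn a DescribeIdentityPool response into an UpdateIdentityPool request.

    Everything is sent back unchanged except CognitoIdentityProviders, because
    UpdateIdentityPool replaces the whole provider list rather than appending to it."""
    request = {k: v for k, v in description.items() if k != "ResponseMetadata"}
    request["CognitoIdentityProviders"] = providers
    return request


def add_user_pool_provider(identity_pool_id, region, user_pool_id, client_id):
    """Read-modify-write the pool; boto3 is imported here so the helpers above run offline."""
    import boto3
    # Identity pool ids are "<region>:<guid>", so the client region comes from the id.
    ci = boto3.client("cognito-identity", region_name=identity_pool_id.split(":")[0])
    current = ci.describe_identity_pool(IdentityPoolId=identity_pool_id)
    providers = merge_cognito_providers(
        current.get("CognitoIdentityProviders", []), region, user_pool_id, client_id
    )
    return ci.update_identity_pool(**build_update_request(current, providers))
```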

Is there a way to find out the age of an AWS account?

Given a set of Amazon credentials (not the username and password, just the API credentials), is there a programmatic way of finding out when that account was created? I am guessing if the user has an EBS volume or S3 object, I could ask for the date it was created. Is there a better way?
The easiest way is to check your registered email for the message with subject "Welcome to Amazon Web Services" received from the "no-reply-aws@amazon.com" email address. This will give the exact date when your account was created.
Similar to the previous comment but with an image. If you go to billing as follows:
Log into the AWS console
Open the services menu
Search for billing
Then on the right hand side, there is a billing details button
From there you can explore your bills; you can go back as far as possible (which will give you the date)
bill date picker
Yes there is! Open the billing console and then in the date picker keep going back into the past, until AWS stops you from going further. Then you will get the exact creation date of the account.
Login to your root account or any account that has access to billing.
Then go to https://us-east-1.console.aws.amazon.com/billing/rest/v1.0/account
You'll find the registrationDate in epoch format.
In the IAM service there is a GetUser command.
That seems to be the most relevant. If that doesn't work, then it might not be possible.
Your AWS account gets activated with the creation of your root user account.
Hence, to find out when your root user was created, follow the steps below:
Login to your AWS root or IAM account (with appropriate privileges)
Search for the IAM service
On the IAM page, click on the "Credential Report" link in the left hand side menu
Click the "Download Report" button
A CSV report gets downloaded onto your local machine. Open the report using an appropriate spreadsheet tool (like MS Excel, Numbers for Mac, etc.) and locate the "root user" in the left most "user" column.
Now locate the third column named "user_creation_time" for the "root user" and voila, there is what you were looking for.
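The credential-report approach above, automated as an added example (not code from the thread). In the report the root user is listed as <root_account>, and its user_creation_time is the account's creation time; by contrast, `aws iam get-user` returns the CreateDate of whichever IAM user it is run for. The parser is kept separate from the boto3 calls so it can be tested on a constructed report.

```python
"""Derive the AWS account's creation date from the IAM credential report, as in the
answer above (added example, not code from the thread). The root user appears in the
report as <root_account>; its user_creation_time is when the account itself was created,
whereas `aws iam get-user` reports the CreateDate of the IAM user it is run for."""
import csv
import io
import time

ROOT_USER = "<root_account>"   # literal user name IAM writes for the root user


def root_creation_time(report_csv):
    """Return the root user's user_creation_time (ISO 8601 string) from the report CSV."""
    text = report_csv.decode() if isinstance(report_csv, bytes) else report_csv
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("user") == ROOT_USER:
            return row["user_creation_time"]
    raise ValueError("root user not found in credential report")


def account_creation_time():
    """Generate (if needed) and fetch the report; boto3 imported here so the parser runs offline."""
    import boto3
    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until IAM says it is complete.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return root_creation_time(iam.get_credential_report()["Content"])
```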
The easiest way to get this information from the command line would be to use the following command:
aws iam get-user --user-name <user> | grep -i createdate
Replace <user> with the user name.
Log on to your AWS account at https://aws.amazon.com
Go to the CloudShell prompt at the top right, or search for it in the search box
Execute the below at the prompt
aws iam get-user
Enjoy
Go to (replacing your-user-name):
https://console.aws.amazon.com/iam/home#/users/your-user-name
Look for "Creation time" field:
Screenshot