Cognito
Quick Reference
# List user pools
aws cognito-idp list-user-pools --max-results 10
# Describe user pool
aws cognito-idp describe-user-pool --user-pool-id us-east-1_0KxUx0aXg
# List users in pool
aws cognito-idp list-users --user-pool-id us-east-1_0KxUx0aXg --limit 10
# Find a user by email
aws cognito-idp list-users --user-pool-id us-east-1_0KxUx0aXg \
--filter "email = \"user@example.com\""
# Get user details
aws cognito-idp admin-get-user --user-pool-id us-east-1_0KxUx0aXg --username {username}
# List user pool clients
aws cognito-idp list-user-pool-clients --user-pool-id us-east-1_0KxUx0aXg
User Pools
There are two separate Cognito setups:
- Console (infra/aws) - For the web console at console.control-plane.marqo-staging.com
- Controller (infra/controller) - For the cloud controller at controller.marqo-staging.com
Controller Pool (Staging)
- Pool ID: us-east-1_0KxUx0aXg (imported, not CDK-managed)
- Sign-in: Email-based
- MFA: Optional (OTP only)
- Google SSO: Enabled
- Custom domain: auth.controller.marqo-staging.com
Custom Attributes
| Attribute | Purpose |
|---|---|
| sys_acc_id | System account ID |
| cus_vis_acc_id | Customer-visible account ID |
| cell_id | Control plane cell ID |
| stripe_id | Stripe customer ID |
| organization | Organization name |
| role | User role |
Lambda Triggers
Cognito trigger Lambdas have CDK-generated names (not {env}- prefixed). Find them via the user pool config or by searching:
aws cognito-idp list-user-pools --max-results 10 --query "UserPools[?contains(Name, 'staging')].LambdaConfig"
| Trigger | Name contains | Purpose |
|---|---|---|
| Pre Sign-Up | PreSignup | Auto-confirm, link Google identity |
| Custom Message | CustomMessage | Customize invitation/verification emails |
| Post Confirmation | PostConfirmation | Slack notification on new signup |
| Define Auth Challenge | DefineAuthChallenge | Custom auth flow |
What to Look For
| Symptom | Check |
|---|---|
| User can't sign in | admin-get-user to check status, check trigger Lambda logs |
| Invitation email not sent | Check CustomMessageLambda logs, verify SES config |
| Google SSO broken | Check Google identity provider config, verify secrets in Secrets Manager |
| Account not created | Check PostConfirmationLambda logs (may fail to notify Slack silently) |
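The two triage steps above (find the trigger Lambda log groups, then read a user's status from admin-get-user) as an added Python example, not part of this runbook or the infra repos. It parses the JSON the CLI prints; the function names and account ID in the sample data are constructed placeholders, not the real staging names.

```python
# Constructed sample of `aws cognito-idp describe-user-pool` output, trimmed to
# the fields read below. Function names and the account ID are placeholders.
DESCRIBE_USER_POOL = {"UserPool": {"Id": "us-east-1_0KxUx0aXg", "LambdaConfig": {
    "PreSignUp": "arn:aws:lambda:us-east-1:111111111111:function:Stack-PreSignupAAA111",
    "CustomMessage": "arn:aws:lambda:us-east-1:111111111111:function:Stack-CustomMessageBBB222",
    "PostConfirmation": "arn:aws:lambda:us-east-1:111111111111:function:Stack-PostConfirmationCCC333",
    "DefineAuthChallenge": "arn:aws:lambda:us-east-1:111111111111:function:Stack-DefineAuthChallengeDDD444",
    "KMSKeyID": "arn:aws:kms:us-east-1:111111111111:key/placeholder",  # not a function ARN
}}}

# Constructed sample of `aws cognito-idp admin-get-user` output for an invited user.
ADMIN_GET_USER = {"Username": "user@example.com", "Enabled": True,
                  "UserStatus": "FORCE_CHANGE_PASSWORD",
                  "UserAttributes": [{"Name": "email", "Value": "user@example.com"},
                                     {"Name": "email_verified", "Value": "false"}]}


def trigger_log_groups(describe_output):
    """Map each configured trigger to its Lambda name and CloudWatch log group."""
    cfg = describe_output["UserPool"].get("LambdaConfig", {})
    out = {}
    for trigger, arn in cfg.items():
        # Skip KMSKeyID and the sender config dicts: only function ARNs have log groups.
        if not isinstance(arn, str) or ":function:" not in arn:
            continue
        name = arn.split(":function:", 1)[1].split(":")[0]  # drop a version/alias suffix
        out[trigger] = {"function": name, "log_group": f"/aws/lambda/{name}"}
    return out


def signin_triage(user):
    """Turn admin-get-user output into the likely reasons a user cannot sign in."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    reasons = []
    if not user.get("Enabled", True):
        reasons.append("user is disabled (admin-enable-user restores access)")
    status = user.get("UserStatus")
    if status == "UNCONFIRMED":
        reasons.append("signup never confirmed; check the PreSignUp trigger logs")
    elif status == "FORCE_CHANGE_PASSWORD":
        reasons.append("temporary password still in force; invitation flow not completed")
    elif status == "RESET_REQUIRED":
        reasons.append("password reset required before the next sign-in")
    if attrs.get("email_verified") == "false":
        reasons.append("email not verified; check CustomMessage logs and SES delivery")
    return reasons


if __name__ == "__main__":
    for trig, info in trigger_log_groups(DESCRIBE_USER_POOL).items():
        print(f"{trig:20} aws logs tail {info['log_group']} --follow")
    print(signin_triage(ADMIN_GET_USER))
```

Feed real output in with `aws cognito-idp describe-user-pool ... | python3 -c '...'` or `json.load(sys.stdin)`; the functions only read the keys shown.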