Manage app user access with AWS Cognito and Google Apps Script

If you're working to Control user access using AWS Cognito in your apps, that can be greatly facilitated by utilizing the relatively new functionality to Call Apps Script from an automation, as well as the even newer functionality to Use return values from Apps Script tasks.

Here's some basic raw material for scripts to help you get up and running, with huge thanks for the heavy lifting by @Jonathon and much credit to Neil C. Obremski and the additional predecessor contributors that Neil credits.

Overview of steps

  1. Add Neil's GasAWS.js script to your GAS project.
  2. Create a genericized function to call the Cognito API based on the example that Jonathon documented.
  3. Create functions for each specific Cognito API action that you need.
  4. Create any combining functions you need for app user flows, such as a flow to:
    1. Check if user exists
    2. If not, create user
    3. If so, enable user

Step 2 script: Generic function to call the Cognito API

 

function callCognito(action, payload) {
  // AWS IAM Cognito user's 'access key ID' and 'secret key'. The values below are
  // placeholders: keep the real ones in Script Properties (PropertiesService)
  // rather than in the script source, and scope that IAM user to the
  // cognito-idp actions this script actually calls.
  AWS.init('my-access-key-id', 'my-secret-key');
  let service = 'cognito-idp';
  // Cognito speaks the AWS JSON 1.1 protocol: the target is the service prefix plus the action name
  action = 'AWSCognitoIdentityProviderService.' + action;
  let params = {};
  let region; // Defaults to AWS_DEFAULT_REGION set in GasAWS.gs
  let method = 'POST';
  // Copy the caller's payload so UserPoolId is added without mutating their object
  payload = Object.assign({}, payload, {'UserPoolId': 'my-user-pool-id'});
  let headers = {'Content-Type': 'application/x-amz-json-1.1'};
  let response = AWS.request(service, action, params, region, method, payload, headers);
  Logger.log(response);

  // Parse response. A Cognito error is JSON as well, carrying '__type' (e.g. 'UserNotFoundException')
  // and 'message', so callers can inspect responseData.__type when the request returns rather than throws.
  const responseJSON = response.getContentText();
  const responseData = JSON.parse(responseJSON);

  return responseData;
}

 

Step 3: Sample action-specific functions

 

// Each wrapper returns the parsed response so combining functions (Step 4) can act on it.

function adminGetUser(email) {
  const action = 'AdminGetUser';
  const payload = {'Username': email};
  const responseData = callCognito(action, payload);
  return responseData; // Includes Username, Enabled, UserStatus and UserAttributes for an existing user
}

function adminCreateUser(email, lastName, firstName) {
  const action = 'AdminCreateUser';
  const payload = {
    'DesiredDeliveryMediums': ['EMAIL'],
    'UserAttributes': [
      {'Name': 'email', 'Value': email},
      {'Name': 'email_verified', 'Value': 'True'},
      {'Name': 'family_name', 'Value': lastName},
      {'Name': 'given_name', 'Value': firstName}
    ],
    'Username': email
  };
  return callCognito(action, payload);
}

function adminCreateUserResend(email) {
  const action = 'AdminCreateUser';
  const payload = {'MessageAction': 'RESEND', 'Username': email}; // Re-sends the invitation to an existing user
  return callCognito(action, payload);
}

function adminEnableUser(email) {
  const action = 'AdminEnableUser';
  const payload = {'Username': email};
  return callCognito(action, payload);
}

function adminDisableUser(email) {
  const action = 'AdminDisableUser';
  const payload = {'Username': email};
  return callCognito(action, payload);
}

function describeUserPool() {
  const action = 'DescribeUserPool';
  const payload = {}; // callCognito adds the UserPoolId, which is all this action needs
  return callCognito(action, payload);
}
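Step 4 in the overview asks for a combining flow (check whether the user exists, create if not, enable if so). The block below is an added example of that flow, not code from the original post or from GasAWS. It assumes that a missing user comes back from callCognito as the parsed AWS JSON 1.1 error object with __type 'UserNotFoundException' (rather than AWS.request throwing; GasAWS's behaviour on HTTP errors is not stated on this page), and that the Step 3 wrappers return their parsed responses. The Cognito functions are passed in as a parameter so the flow can run offline here against a constructed in-memory stand-in for the pool; in Apps Script you pass the real Step 3 functions, as provisionUser at the bottom shows.

```javascript
// Added example (not part of the original post): a Step 4 "combining" flow
// built on top of the Step 3 functions.

// Assumption: a missing user is reported as the parsed AWS JSON 1.1 error
// { __type: 'UserNotFoundException', message: '...' } instead of a user record.
function isNotFound(response) {
  return Boolean(response) && response.__type === 'UserNotFoundException';
}

function isError(response) {
  return Boolean(response) && typeof response.__type === 'string';
}

// Check -> create-or-enable. Returns a small audit record of what was found and done,
// which is what you would want to log for any account-provisioning change.
function ensureUserEnabled(email, lastName, firstName, cognito) {
  const existing = cognito.adminGetUser(email);

  if (isNotFound(existing)) {
    cognito.adminCreateUser(email, lastName, firstName);
    return { email: email, found: false, action: 'created' };
  }
  if (isError(existing)) {
    // Any other failure (throttling, bad credentials, wrong pool id) must not be
    // mistaken for "user does not exist" and turned into a create call.
    throw new Error('AdminGetUser failed for ' + email + ': ' + existing.__type);
  }
  if (existing.Enabled === false) {
    cognito.adminEnableUser(email);
    return { email: email, found: true, action: 'enabled' };
  }
  return { email: email, found: true, action: 'none' };
}

// Constructed in-memory stand-in for a user pool, shaped like the AdminGetUser
// response fields the flow relies on (Username, Enabled, UserStatus). Not Cognito.
function makeFakePool(seedUsers) {
  const users = {};
  seedUsers.forEach(function (u) { users[u.Username] = u; });
  return {
    adminGetUser: function (email) {
      return users[email] || { __type: 'UserNotFoundException', message: 'User does not exist.' };
    },
    adminCreateUser: function (email, lastName, firstName) {
      // A newly admin-created Cognito user starts in FORCE_CHANGE_PASSWORD and enabled
      users[email] = {
        Username: email, Enabled: true, UserStatus: 'FORCE_CHANGE_PASSWORD',
        UserAttributes: [
          { Name: 'email', Value: email },
          { Name: 'family_name', Value: lastName },
          { Name: 'given_name', Value: firstName }
        ]
      };
      return users[email];
    },
    adminEnableUser: function (email) {
      users[email].Enabled = true;
      return {};
    },
    users: users
  };
}

// In Apps Script, wire the flow to the real Step 3 wrappers like this
// (hypothetical entry point; adminGetUser etc. are the page's functions):
function provisionUser(email, lastName, firstName) {
  const cognito = { adminGetUser: adminGetUser, adminCreateUser: adminCreateUser, adminEnableUser: adminEnableUser };
  const result = ensureUserEnabled(email, lastName, firstName, cognito);
  Logger.log(JSON.stringify(result));
  return result;
}
```

Run offline, makeFakePool seeded with one enabled user and one disabled user gives 'none' for the first, 'enabled' for the second, and 'created' for an address not in the pool; any __type other than UserNotFoundException is raised instead of being treated as "create".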


Are there any examples of step 4 anywhere?

We're a Workspace environment just wanting to create/enable/disable/delete users already having domain accounts. If it's doable in apps script that would be infinitely better than the manual process, which is absolutely unsustainable in some environments (such as ours).
