If you're working to Control user access using AWS Cognito in your apps, that can be greatly facilitated by utilizing the relatively new functionality to Call Apps Script from an automation, as well as the even newer functionality to Use return values from Apps Script tasks.
Here's some basic raw material for scripts to help you get up and running, with huge thanks for the heavy lifting by @Jonathon and much credit to Neil C. Obremski and the additional predecessor contributors that Neil credits.
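/**
 * Signs and sends one request to the Cognito Identity Provider API through
 * the GasAWS library (AWS.init / AWS.request) and returns the parsed JSON body.
 *
 * The access key, secret key and user pool id are read from the project's
 * Script Properties instead of being written into the source, so they are not
 * exposed to everyone who can read the script or its version history. Create
 * these properties before running (the names below are placeholders — pick
 * your own and keep them consistent):
 *   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, COGNITO_USER_POOL_ID
 *
 * @param {string} action  Cognito operation name, e.g. 'AdminGetUser'; the
 *     'AWSCognitoIdentityProviderService.' service prefix is added here.
 * @param {Object} payload Request body fields. Not mutated: 'UserPoolId' is
 *     added to a copy.
 * @returns {Object} Parsed JSON response body. A Cognito error is also
 *     returned as a JSON object, so inspect it before assuming success.
 * @throws {Error} if a required Script Property is unset, or (SyntaxError)
 *     if the response body is not valid JSON.
 */
function callCognito(action, payload) {
  const props = PropertiesService.getScriptProperties();
  // Fail loudly on a missing property rather than signing with '' or null.
  const readProp = (name) => {
    const value = props.getProperty(name);
    if (value === null || value === '') {
      throw new Error(`Missing Script Property: ${name}`);
    }
    return value;
  };

  // IAM user's 'access key ID' and 'secret key' used to sign the request.
  AWS.init(readProp('AWS_ACCESS_KEY_ID'), readProp('AWS_SECRET_ACCESS_KEY'));

  const service = 'cognito-idp';
  const target = `AWSCognitoIdentityProviderService.${action}`;
  const params = {};
  const region = undefined; // GasAWS falls back to AWS_DEFAULT_REGION set in GasAWS.gs
  const method = 'POST';
  const headers = { 'Content-Type': 'application/x-amz-json-1.1' };

  // Copy so the caller's payload object is left untouched.
  const body = { ...payload, UserPoolId: readProp('COGNITO_USER_POOL_ID') };

  const response = AWS.request(service, target, params, region, method, body, headers);
  // NOTE(review): logs the HTTPResponse object; whether that includes the
  // body (which for AdminGetUser carries user attributes) depends on GasAWS —
  // confirm before leaving this on outside of debugging.
  Logger.log(response);

  return JSON.parse(response.getContentText());
}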
/**
 * Fetches one user from the pool, using the email address as the username.
 *
 * @param {string} email Username (email) of the user to look up.
 * @returns {Object} Parsed AdminGetUser response body.
 */
function adminGetUser(email) {
  return callCognito('AdminGetUser', { Username: email });
}
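/**
 * Creates a user in the pool with the email address as the username and
 * returns the parsed response so callers can detect a failed call (the
 * original discarded it).
 *
 * @param {string} email     Username and email attribute of the new user.
 * @param {string} lastName  Stored as the 'family_name' attribute.
 * @param {string} firstName Stored as the 'given_name' attribute.
 * @returns {Object} Parsed AdminCreateUser response body.
 */
function adminCreateUser(email, lastName, firstName) {
  const payload = {
    DesiredDeliveryMediums: ['EMAIL'],
    UserAttributes: [
      { Name: 'email', Value: email },
      // Marked verified up front; NOTE(review): this skips Cognito's own
      // email-ownership check, so only create users whose address you trust.
      { Name: 'email_verified', Value: 'True' },
      { Name: 'family_name', Value: lastName },
      { Name: 'given_name', Value: firstName },
    ],
    Username: email,
  };
  return callCognito('AdminCreateUser', payload);
}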
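/**
 * Re-sends the invitation for an already-created user and returns the parsed
 * response so a failure (e.g. unknown username) is visible to the caller.
 *
 * @param {string} email Username (email) of the existing user.
 * @returns {Object} Parsed AdminCreateUser response body.
 */
function adminCreateUserResend(email) {
  return callCognito('AdminCreateUser', { MessageAction: 'RESEND', Username: email });
}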
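/**
 * Enables a user in the pool and returns the parsed response so the caller
 * can check for an error object instead of assuming success.
 *
 * @param {string} email Username (email) of the user to enable.
 * @returns {Object} Parsed AdminEnableUser response body.
 */
function adminEnableUser(email) {
  return callCognito('AdminEnableUser', { Username: email });
}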
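/**
 * Disables a user in the pool and returns the parsed response. Returning it
 * matters for this operation in particular: an offboarding step that silently
 * fails leaves the account active.
 *
 * @param {string} email Username (email) of the user to disable.
 * @returns {Object} Parsed AdminDisableUser response body.
 */
function adminDisableUser(email) {
  return callCognito('AdminDisableUser', { Username: email });
}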
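/**
 * Describes the configured user pool. The original version threw the result
 * away, which made the call useless beyond its log line; it is now returned.
 *
 * @returns {Object} Parsed DescribeUserPool response body.
 */
function describeUserPool() {
  return callCognito('DescribeUserPool', {});
}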
Are there any examples of step 4 anywhere?
We're a Workspace environment just wanting to create/enable/disable/delete users who already have domain accounts. If it's doable in Apps Script, that would be infinitely better than the manual process, which is absolutely unsustainable in some environments (such as ours).