HACKER Q&A
📣 mooreds

How do you migrate off of Cognito?


I was looking at writing a guide to migrate to another identity provider from AWS Cognito and was surprised to learn that there is no bulk export functionality containing passwords.

I found this doc, which might be helpful for a user-by-user migration: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html You could run this and create users in the new IdP.

I found this: https://docs.aws.amazon.com/solutions/latest/cognito-user-profiles-export-reference-architecture/cognito-user-profiles-export-reference-architecture.pdf which is good for profile data, but explicitly excludes passwords. I suppose you could bulk migrate everyone using this approach and then require everyone to reset their password?

How do people migrate their user data off of AWS Cognito?

Full disclosure, I work for a Cognito competitor (link in my profile) and the doc I'm working on will be published on their site.


  👤 theamk Accepted Answer ✓
In modern systems, it is considered a bad idea to keep plaintext passwords anywhere. If Cognito is even a bit competent, they won't have the passwords to export. AWS official docs [0] confirm this: they use SRP [1], which has the property that "The password never leaves the client and is unknown to the server."

You said that you are working on a Cognito competitor -- are you storing plaintext passwords in a database? Is your service going to have a user export containing passwords?

[0] https://docs.aws.amazon.com/cognito/latest/developerguide/am...

[1] https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...
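Putting the two posts together: since the old IdP never holds the password, the only moment the new IdP can capture it is a successful login, which is the "migrate user at sign-in" pattern the linked Lambda doc describes, with a forced reset as the fallback for anyone who never logs in before cutover. Added example, not code from the thread or from AWS; `legacy_check` is an assumed stand-in for calling the old provider (for Cognito that would be an InitiateAuth call), and the profile dict stands in for the bulk-exported profile data that excludes passwords.

```python
"""Just-in-time password migration at login (added example, not from the thread)."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# scrypt parameters used for the new credential store (stdlib only, no plaintext kept)
_SCRYPT = dict(n=2 ** 14, r=8, p=1)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; returns (salt, digest) for storage in the new IdP."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)

def verify_local(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT), digest)

class MigratingAuth:
    """Login path of the new IdP that migrates each user on first successful login."""

    def __init__(self, legacy_check: Callable[[str, str], bool], profiles: Dict[str, dict]):
        self.legacy_check = legacy_check    # assumed wrapper around the old IdP's auth call
        self.profiles = profiles            # bulk-exported profile data (no passwords)
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, digest)

    def login(self, username: str, password: str) -> str:
        # Already migrated: verify locally and never consult the legacy IdP again.
        if username in self.credentials:
            salt, digest = self.credentials[username]
            return "ok" if verify_local(password, salt, digest) else "denied"
        # Unknown user: do not proxy arbitrary usernames to the old provider.
        if username not in self.profiles:
            return "denied"
        # Known profile without a credential: ask the legacy IdP exactly once.
        if not self.legacy_check(username, password):
            return "denied"             # wrong password, or the user is disabled upstream
        self.credentials[username] = hash_password(password)  # capture at the only possible moment
        return "migrated"

    def remaining_unmigrated(self) -> list:
        """Users who still have no local credential: at cutover these get a forced reset."""
        return sorted(u for u in self.profiles if u not in self.credentials)
```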