Cognito
Quick Reference
```bash
# List user pools (max-results caps at 60)
aws cognito-idp list-user-pools --max-results 10

# Describe user pool (policies, MFA, Lambda triggers, custom domain)
aws cognito-idp describe-user-pool --user-pool-id us-east-1_0KxUx0aXg

# List users in pool
aws cognito-idp list-users --user-pool-id us-east-1_0KxUx0aXg --limit 10

# Find a user by email. The filter only works on standard attributes
# (email, username, sub, status, ...), not on custom:* attributes.
aws cognito-idp list-users --user-pool-id us-east-1_0KxUx0aXg \
    --filter "email = \"{email}\""

# Get user details (UserStatus, Enabled, attributes)
aws cognito-idp admin-get-user --user-pool-id us-east-1_0KxUx0aXg --username {username}

# List user pool clients
aws cognito-idp list-user-pool-clients --user-pool-id us-east-1_0KxUx0aXg
```
User Pools
There are two separate Cognito setups:
- Console (infra/aws): for the web console at console.control-plane.marqo-staging.com
- Controller (infra/controller): for the cloud controller at controller.marqo-staging.com
Controller Pool (Staging)
- Pool ID: us-east-1_0KxUx0aXg (imported, not CDK-managed)
- Sign-in: Email-based
- MFA: Optional (OTP only)
- Google SSO: Enabled
- Custom domain: auth.controller.marqo-staging.com
Custom Attributes
Custom attributes appear with the `custom:` prefix in tokens and in `admin-get-user` output (for example `custom:sys_acc_id`).

| Attribute | Purpose |
|---|---|
| sys_acc_id | System account ID |
| cus_vis_acc_id | Customer-visible account ID |
| cell_id | Control plane cell ID |
| stripe_id | Stripe customer ID |
| organization | Organization name |
| role | User role |
Lambda Triggers
Cognito trigger Lambdas have CDK-generated names (not {env}- prefixed). Their ARNs are listed in the pool's LambdaConfig (`describe-user-pool`), or find them across pools by searching:

```bash
aws cognito-idp list-user-pools --max-results 10 \
    --query "UserPools[?contains(Name, 'staging')].LambdaConfig"
```
| Trigger | Name contains | Purpose |
|---|---|---|
| Pre Sign-Up | PreSignup | Auto-confirm, link Google identity |
| Custom Message | CustomMessage | Customize invitation/verification emails |
| Post Confirmation | PostConfirmation | Slack notification on new signup |
| Define Auth Challenge | DefineAuthChallenge | Custom auth flow |
What to Look For
| Symptom | Check |
|---|---|
| User can't sign in | `admin-get-user`: check `UserStatus` (UNCONFIRMED, FORCE_CHANGE_PASSWORD, RESET_REQUIRED, EXTERNAL_PROVIDER vs CONFIRMED) and `Enabled`, then the trigger Lambda logs |
| Invitation email not sent | Check CustomMessage Lambda logs, verify SES config (the sending identity must be verified in SES) |
| Google SSO broken | Check the Google identity provider config on the pool, verify the client ID/secret in Secrets Manager match what Google has |
| Account not created | Check PostConfirmation Lambda logs (the Slack notification may fail silently) |