AWS Cognito - Possible to resend Signup Email with temporary password?

After searching the official AWS CLI cognito-idp documentation, it seems there is no way to 'reset' a user back into a FORCE_CHANGE_PASSWORD state once that user has been confirmed at some point.

It seems the only way to achieve this is to copy the user's data, delete the user's account, and then re-create a new account for the user with the copied data, for example:

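import boto3

# AWS_REGION, user_pool_id and user_id come from the surrounding application
client = boto3.client("cognito-idp", region_name=AWS_REGION)

try:
    # boto3 client methods accept keyword arguments only
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=user_id)  # get user
    user_data = get_from(user)  # copy user data (get_from is a placeholder helper)
    client.admin_delete_user(UserPoolId=user_pool_id, Username=user_id)  # delete user
    response = client.admin_create_user(**user_data)  # create new user?
except Exception as e:
    handle(e)  # placeholder error handler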

This would place the user in the FORCE_CHANGE_PASSWORD state and re-trigger the signup email/message, which is the desired outcome; however, this seems prone to all sorts of problems...

Note: I've already tried calling admin_create_user again with the message action set to 'resend'; however, if the user has been in a CONFIRMED state at any point, the call will result in the following error message:

(UnsupportedUserStateException) when calling the AdminCreateUser operation: Resend not possible. XXXXXXXXXXXXXXX status is not FORCE_CHANGE_PASSWORD

The other option is to do a separate call to get the user's current status, and if they're in a confirmed state, call admin-reset-user-password instead, which would at least mitigate the data integrity issues raised by deleting the account...

Surely there is a more elegant solution?
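
The status-check option mentioned in the question, written out as an added example that is not part of the original post: it reads the user's status and either resends the invitation or falls back to an administrator password reset, without deleting the account. The names `resend_or_reset`, `UnsupportedState` and `FakeCognito` are hypothetical; `client` is assumed to be a boto3 `cognito-idp` client.

```python
# Added example. `client` is assumed to be boto3.client("cognito-idp", ...).

class UnsupportedState(Exception):
    """Raised when the user is in a state this helper does not handle."""


def resend_or_reset(client, user_pool_id, username):
    """Resend the invite if still possible, else reset; returns the action taken."""
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    status = user["UserStatus"]

    if status == "FORCE_CHANGE_PASSWORD":
        # Temporary password never used: AdminCreateUser may resend the invite.
        client.admin_create_user(
            UserPoolId=user_pool_id, Username=username, MessageAction="RESEND"
        )
        return "resend"

    if status == "CONFIRMED":
        # RESEND would raise UnsupportedUserStateException here, so fall back
        # to an administrator-initiated password reset on the same account.
        client.admin_reset_user_password(UserPoolId=user_pool_id, Username=username)
        return "reset"

    # Any other status (UNCONFIRMED, ARCHIVED, ...) is reported, not guessed at.
    raise UnsupportedState(f"{username}: unhandled status {status}")


class FakeCognito:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, status):
        self.status, self.calls = status, []

    def admin_get_user(self, **kw):
        return {"Username": kw["Username"], "UserStatus": self.status}

    def admin_create_user(self, **kw):
        self.calls.append(("admin_create_user", kw["MessageAction"]))

    def admin_reset_user_password(self, **kw):
        self.calls.append(("admin_reset_user_password", kw["Username"]))


if __name__ == "__main__":
    for state in ("FORCE_CHANGE_PASSWORD", "CONFIRMED"):
        print(state, "->", resend_or_reset(FakeCognito(state), "pool-id", "alice"))
```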



Solution 1:[1]

For anyone having a similar issue, it turns out to be related to having email verified as a requirement for the User Pool. I suspect if you don't require your user email addresses to be verified, you won't run into this issue.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Andrew Colbeck