Can you export/migrate users out of AWS cognito, does it cause vendor lock-in?

Question

This is a question about vendor lock in and AWS cognito. Can user data and encrypted/hashed passwords be exported out of cognito if we ever move off of AWS?

Can/does cog

Answer 1

Considering Amazon still haven't updated their answer, here's a workaround (to augment the accepted answer):

Try npmjs.com/package/cognito-backup-restore.

nb. I haven't tested this package.

Then:

1. Build your replacement auth system
2. At login, test authenticating with your new system
3. Try to authenticate with Cognito
4. If Cognito succeed, import user's details to your new system
5. Require a password update with your new system

source: forums.aws.amazon.com/thread.jspa?threadID=240242

Answer 2

At this point in time, Cognito does not allow a way to export users from a user pool. We have heard this request from other customers, though, and have prioritized it for future releases.

As far as passwords go, Cognito uses secure remote password protocol to do the actual authentications, so the metadata that could come out may not be particularly useful, if it was included at all.

Answer 3

Cognito actually has the capability to import users using CSV files, however no export functionality is available ( unless you List Users and write to a CSV )

Answer 4

This reference architecture might be of some use: https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/

It uses the ListUsers API to export user profiles to a DynamoDB table. It is designed to run on a schedule (daily/weekly/etc.) to keep the DynamoDB table up to date with the profiles in the user pool. The source is on GitHub so it be possible to modify the solution to export to a CSV.

If the profiles are imported to a new user pool, user will still need to reset passwords. Other limitations listed in the deployment guide.