Create Cognito User Pool

Your web application users will need to authenticate against some source of user information. Amazon Cognito is designed to make this easier: it provides security features for storing and managing user credentials, and it follows authentication standards such as OAuth. The following commands create a Cognito user pool and add user records for your two workers. They also create a web app client that the frontend will use to connect to your API in the next module.

Execute the following commands in your Cloud9 terminal.

# create pool (password policy, MFA off, and a custom attribute "permissions"
# that is exposed on each user as custom:permissions)
export POOLID=$(aws cognito-idp create-user-pool --pool-name ambSupplyChainUsers --policies 'PasswordPolicy={MinimumLength=8,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=false,TemporaryPasswordValidityDays=7}' --mfa-configuration OFF --schema Name=permissions,AttributeDataType=String,DeveloperOnlyAttribute=false,Mutable=true,Required=false | jq -r .UserPool.Id)

# create user group
aws cognito-idp create-group --user-pool-id $POOLID --group-name default

# create worker 1 (workshop convenience: a fixed permanent password, so no first-login reset)
aws cognito-idp admin-create-user --user-pool-id $POOLID --username $WORKER1_NAME
aws cognito-idp admin-set-user-password --user-pool-id $POOLID --username $WORKER1_NAME --password Password123 --permanent
aws cognito-idp admin-update-user-attributes --user-pool-id $POOLID --username $WORKER1_NAME --user-attributes "Name=custom:permissions,Value=$WORKER1_PERMISSIONS"

# create worker 2 (same fixed workshop password)
aws cognito-idp admin-create-user --user-pool-id $POOLID --username $WORKER2_NAME
aws cognito-idp admin-set-user-password --user-pool-id $POOLID --username $WORKER2_NAME --password Password123 --permanent
aws cognito-idp admin-update-user-attributes --user-pool-id $POOLID --username $WORKER2_NAME --user-attributes "Name=custom:permissions,Value=$WORKER2_PERMISSIONS"

# add users to group
aws cognito-idp admin-add-user-to-group --user-pool-id $POOLID --username $WORKER1_NAME --group-name default
aws cognito-idp admin-add-user-to-group --user-pool-id $POOLID --username $WORKER2_NAME --group-name default

# create app client (no client secret; it may read custom:permissions, so that
# attribute is included in the ID token the frontend receives)
export CLIENTID=$(aws cognito-idp create-user-pool-client --user-pool-id $POOLID --client-name ambSupplyChainWeb --read-attributes "custom:permissions" --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH | jq -r .UserPoolClient.ClientId)
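When the API in the next module receives the ID token that this app client obtains, it must validate the token before trusting custom:permissions. The following Python (standard library only) is an added example, not part of the workshop: it performs the claim checks a Cognito verifier needs (issuer is this pool, audience is this client, token_use is "id", not expired, user in the "default" group) after the RS256 signature check, which is injected as a callable because it needs the pool's JWKS; the region, pool id, client id and claim values are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholders (not from the page) with the shape Cognito uses.
REGION = "us-east-1"
POOL_ID = "us-east-1_EXAMPLE1"
CLIENT_ID = "example1clientid0000000000"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"

# Constructed claim set mirroring what the pool above would mint for a worker
# in the "default" group whose custom:permissions was set by the admin.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
                 "exp": 2000000000, "cognito:groups": ["default"],
                 "custom:permissions": "read,write"}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims):
    """Build a Cognito-shaped ID token for offline testing only. Real tokens
    are RS256-signed by the pool; the third segment here is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "kid"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"


def validate_id_token(token, verify_signature, now=None):
    """Return custom:permissions from a validated ID token or raise ValueError.
    verify_signature(token) -> bool must check the RS256 signature against the
    pool's JWKS (e.g. PyJWT with a PyJWKClient); it is injected because that
    step needs the JWKS endpoint, which this offline example cannot reach."""
    if not verify_signature(token):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer is not our pool")
    if claims.get("aud") != CLIENT_ID:  # a token minted for another app client
        raise ValueError("audience is not our app client")
    if claims.get("token_use") != "id":  # access tokens carry no custom attrs
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if "default" not in claims.get("cognito:groups", []):
        raise ValueError("user is not in the default group")
    return claims.get("custom:permissions", "")
```

Reading the permissions claim only after all of these checks pass is what stops a token from another pool, another app client, or an expired session from granting API access.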