Unfortunately, we aren't able to read users' passwords from Cognito user pools, so they do have to reset them in the recovery environment. We'd love to see an AWS API for exporting user secrets from user pools. We'd add support for that really quick.
The experience is better for user pools that integrate with external identity providers, like SAML, since the IdP metadata can be fully replicated into the other region ahead of time.
At this point I regret using it and while I have some limited experience with both Ping and Okta I think I'm ready to move us to Auth0.
AWS makes a simple move between user pools inexplicably difficult. They don't even offer an export and import in the same file format as far as I know (bulk export is all JSON via the CLI and import is CSV, but maybe I missed something).
This is ridiculous in my opinion given that once a pool is configured you cannot change attributes (say, turning on a middle name field).
We were just discussing Cognito being a pretty significant single point of failure in our current setup (any vendor would be, though). I wish they would offer replication as the other commenter mentioned.
That’s good. I’m wondering how you support Cognito though?
Do you just run custom ETLs in customer lambdas?
And wouldn’t this cause all users to have to reset their passwords in the new pool?
Looks really interesting and definitely does things differently than “run terraform with a different region”.