Wocha Docs

Migrate from AWS Cognito

Step-by-step guide to migrating users and groups from Amazon Cognito to Wocha

This guide covers migrating from an AWS Cognito User Pool to Wocha, including group mapping and password migration strategies.

Prerequisites

RequirementDetails
Cognito User Pool IDe.g. eu-west-1_XXXXXXXXX
AWS credentialsConfigured via aws configure or environment variables
AWS CLIRequired for live export (aws cognito-idp list-users)
Wocha tenantnpx @wocha/cli init --cloud
Management API keyWOCHA_MANAGEMENT_API_KEY with users:write, organisations:write

Concept mapping

CognitoWocha
User PoolTenant (single pool → single Wocha tenant)
User (sub)User
GroupOrganisation
Custom attributesUser traits / metadata
Identity provider (Google, SAML)Social or enterprise connection
Lambda migration triggerPassword migration on first login

Data mapping

Cognito fieldWocha field
Attributes.submetadata_admin.cognito_id
Attributes.emailtraits.email
Attributes.given_name + family_nametraits.name
Attributes.email_verifiedEmail verification status
Custom attributesmetadata_admin.cognito_attributes
Group GroupNameOrganisation slug / display_name
Group membershipOrganisation member role

Step 1 — Export users

Cognito does not export password hashes. Export user attributes only.

aws cognito-idp list-users \
  --user-pool-id eu-west-1_XXXXXXXXX \
  --region eu-west-1 \
  --output json > cognito-users.json
 
aws cognito-idp list-groups \
  --user-pool-id eu-west-1_XXXXXXXXX \
  --region eu-west-1 \
  --output json > cognito-groups.json

Merge into a single JSON file or import users and groups separately.

Option B: Live export via CLI

wocha migrate cognito
# Select "Live export via AWS CLI"

Requires AWS CLI configured with permissions: cognito-idp:ListUsers, cognito-idp:ListGroups.

Step 2 — Dry run

export WOCHA_MANAGEMENT_API_KEY=wocha_mgmt_...
export WOCHA_TENANT=your-tenant
 
wocha migrate cognito --dry-run

Review:

  • User and group counts
  • Missing email attributes
  • Custom attributes that need manual mapping

Step 3 — Import users

wocha migrate cognito

Groups are mapped to Wocha organisations. Add group membership after import via the Customer API.

Handling passwords

Cognito never exports password hashes. Use one of these strategies:

Option 1: Migration trigger pattern (seamless)

Before cutover, implement a Cognito User Migration Lambda trigger that validates credentials against Cognito on first login, then creates the user in Wocha. This is the AWS-recommended approach for zero-downtime password migration.

After importing users without passwords:

for (const user of importedUsers) {
  await wocha.users.sendRecovery(user.id);
}

Option 3: Force password reset

Send a branded email campaign asking users to set a new password via Wocha hosted login.

Option 4: SSO/federated only

If users authenticate via SAML or social IdPs configured in Cognito, recreate those connections in Wocha first.

Step 4 — Map identity providers

Cognito IdP typeWocha connection
Google, Facebook, etc.Social connection
SAMLEnterprise SSO connection
OIDCEnterprise SSO connection

Configure in the Wocha Console under Connections.

Step 5 — Validate migration

wocha migrate cognito --validate

Verifies user counts, group/organisation alignment, and connection configuration.

Post-migration checklist

  • All users imported with correct attributes
  • Cognito groups mapped to Wocha organisations
  • Identity providers recreated in Wocha
  • Password strategy implemented (migration trigger or recovery emails)
  • Application SDK updated (Amplify/Cognito → Wocha SDK)
  • JWT validation updated in backend APIs
  • Cognito User Pool decommissioned after validation period

Rollback considerations

  • Keep the Cognito User Pool active until --validate passes and password migration is complete
  • User metadata preserves cognito_id for lookup
  • Lambda migration triggers can be disabled to revert to Cognito-only auth
  • DNS and OAuth redirect URI changes require coordinated cutover