Question 300906 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – AWS Cognito masking data in lambda

I have a very weird behavior in some feature I am building.

I use aws Cognito for user management on a system I am building. On account creation cognito sends an email (via Custome Sender Lambda) to invite to the user with a one time user code.
I want to encode this code with base64.

here’s a sample block

    #get the value from the event Cognito sends
    value = event["request"]["codeParameter"]
    #encode it with base64
    value_bytes = value.encode('ascii')
    base64_bytes = base64.b64encode(value_bytes)
    base64_string = base64_bytes.decode('ascii')
    logging.info = ("base 64 string : %s", base64_string)

What happens next is – this value is written in HTML and sent as an email.
If I skip the base64 encoding – everything works well.
However if I do base 64 encoding the decoded value is ALWAYS {####} – I assume masked by cognito / aws.
This block of code works perfectly fine on a local machine outside of the bounds of aws-lambda, but never works on aws and whichever code receives (randomly generated) I get the same output after base 64 decoding which is – {####}

Same thing happends if I try :

  • to change the algorithm – base32, urlencode
  • copy the string in a new property by value (as opposed to by reference)

Any ideas what causes this behavior ?

Tags:

2

Answers


  1. 0

    Seems that, when encoding the Cognito user invite code with base64 in an AWS Lambda environment, the decoded value is consistently {####}. This issue doesn’t occur locally.

    To troubleshoot:

    1. Check Cognito user pool settings for character restrictions.
    2. Add detailed logging to trace values at different stages.
    3. Ensure Lambda execution role has the necessary Cognito permissions.
    4. Check for any Cognito triggers that might modify the value.
    5. Verify compatibility of external dependencies with the Lambda environment.

    Did you try? Wrapping the code in try-except blocks for error handling and examine any exceptions. This should help identify the source of the issue.

    Login or Signup to reply.
  2. 0

    You are using the CustomMessage Cognito Lambda trigger. The custom message Cognito Lambda trigger does not get the actual code passed into it, instead it just gets a code placeholder which is always going to be the literal string "####". The point of this trigger is not to modify the code being sent to the user, but to modify the rest of the message, and place the #### placeholder in your custom message where you want Cognito to place the actual security code value. Please review the documentation which explains this.

    If you want to get the actual security code in your Lambda function, modify it in some way, and then send a custom message with that modified security code, you will have to implement a CustomSender Lambda function. Lambda functions called via the CustomSender trigger will receive the security code, encrypted by a KMS key, and will have to decrypt the code using KMS before sending the message. Amazon provides an Encryption SDK for certain programming languages that you will need to include in your Lambda function to perform this decryption step.

    Note that the CustomSender Lambda function completely bypasses Cognito’s integration with SES sending for emails, and SNS for sending text messages. You will have to implement your own SES/SNS integration, or integrate with other email/text messaging services.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search