(aws_cognito): UserPool Lambda triggers do not allow specifying a function ALIAS.

[39otrebla]

Describe the feature

Lambda Provisioned Concurrency can be configured only against a function version or alias, so we wondered what alias/version gets invoked by Cognito for auth triggers. Quoting the AWS Doc:

You can't declare a function version in your Lambda trigger configuration. Amazon Cognito user pools invoke the latest version of your function by default. However, you can associate a function version with an alias and set your trigger LambdaArn to the alias ARN in a CreateUserPool or UpdateUserPool API request.

AWS CDK's .addTrigger currently does not support specifying a function ALIAS to invoke:

addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, lambdaVersion?: LambdaVersion): void;

Use Case

The use case is being able to use Lambda Provisioned Concurrency for our triggers.

In particular, the PreTokenGeneration trigger is crucial. When the Lambda requires access to the VPC to handle requests, the cold-start takes 5-8 seconds. It is an unacceptable amount of time to wait for a sign-in or session renewal in 2025.

Proposed Solution

The UserPool's .addTrigger should support specifying a function ALIAS. It should not be mandatory, and could default to $LATEST (which would be the same than not specifying it at all, like I guess it is right now).

addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, lambdaVersion?: LambdaVersion): void;

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.193.0

AWS CDK CLI version

2.1012.0

Environment details (OS name and version, etc.)

Mac OS 14.6.1

[ykethan]

Hey @39otrebla, thank you for reaching out and providing us this information. After examining the CDK source code at /packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts:
The addTrigger method only accepts a Lambda function object (lambda.IFunction) and uses its ARN directly:

aws-cdk/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts

Lines 1292 to 1325 in 190d033

	public addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, lambdaVersion?: LambdaVersion): void {
	if (operation.operationName in this.triggers) {
	throw new ValidationError(`A trigger for the operation ${operation.operationName} already exists.`, this);
	}
	if (
	operation !== UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG &&
	lambdaVersion !== undefined &&
	[LambdaVersion.V2_0, LambdaVersion.V3_0].includes(lambdaVersion)
	) {
	throw new ValidationError('Only the `PRE_TOKEN_GENERATION_CONFIG` operation supports V2_0 and V3_0 lambda version.', this);
	}
	this.addLambdaPermission(fn, operation.operationName);
	switch (operation.operationName) {
	case 'customEmailSender':
	case 'customSmsSender':
	if (!this.triggers.kmsKeyId) {
	throw new ValidationError('you must specify a KMS key if you are using customSmsSender or customEmailSender.', this);
	}
	(this.triggers as any)[operation.operationName] = {
	lambdaArn: fn.functionArn,
	lambdaVersion: LambdaVersion.V1_0,
	};
	break;
	case 'preTokenGenerationConfig':
	(this.triggers as any)[operation.operationName] = {
	lambdaArn: fn.functionArn,
	lambdaVersion: lambdaVersion ?? LambdaVersion.V1_0,
	};
	break;
	default:
	(this.triggers as any)[operation.operationName] = fn.functionArn;
	}
	}

As workaround, it does appear we should be able to use the Function.fromFunctionArn() method to retrieve and pass the IFunction. As a quick test i was able to use the following

// Create your Lambda function and alias
const myFunction = new lambda.Function(this, 'MyFunction', { /* ... */ });
const alias = myFunction.addAlias('live');

// Create a reference to the alias as an IFunction
const aliasRef = lambda.Function.fromFunctionArn(
  this,
  'AliasRef',
  alias.functionArn
);

// Use the alias reference as the trigger
userPool.addTrigger(
  cognito.UserPoolOperation.PRE_TOKEN_GENERATION,
  aliasRef
);

Verified this by running

aws cognito-idp describe-user-pool --user-pool-id <id> --query 'UserPool.LambdaConfig'

Code suggestions

Off the top, the method could be maybe be modified to support IAlias which should have function arn as well

public addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, options?: {
  lambdaVersion?: LambdaVersion;
  alias?: lambda.IAlias;
}): void {
  const lambdaArn = options?.alias ? options.alias.functionArn : fn.functionArn;
  const permissionTarget = options?.alias || fn;
  
  this.addLambdaPermission(permissionTarget, operation.operationName);
  
  switch (operation.operationName) {
    case 'customEmailSender':
    case 'customSmsSender':
      // Handle special cases...
      break;
    case 'preTokenGenerationConfig':
      (this.triggers as any)[operation.operationName] = {
        lambdaArn: lambdaArn,
        lambdaVersion: options?.lambdaVersion ?? LambdaVersion.V1_0,
      };
      break;
    default:
      (this.triggers as any)[operation.operationName] = lambdaArn;
  }
}

Marking this as P2 feature request.
We greatly appreciate community contributions! If you or someone else is interested in implementing this, we'd be happy to review a Pull Request. Please check our contribution guidelines. Meanwhile, welcome to add 👍 to help us prioritize.