Lambda triggers
Lambda triggers are useful for adding functionality during certain lifecycles of the user's journey. Amplify ships common trigger templates which you can enable and modify (if necessary) through a few simple questions.
Cognito Lambda Triggers
Certain AWS Services can invoke Lambda functions in response to lifecycle events. The Amplify CLI provides trigger templates for common use cases.
If you wish to modify the functionality of these templates, you are able to do so locally before pushing them. After selecting the templates via the CLI, your local copy of the templates are located in amplify/backend/function/<function-name>/src.
Amazon Cognito allows you to set up one Lambda trigger per event. In order to create additional flexibility when configuring Cognito triggers via the CLI, the CLI will create an index file which loops through JavaScript modules. Each template that you configure is its own JavaScript module. This allows you to attach multiple use cases and logical flows to a single lifecycle event.
You have the opportunity to edit both the index file as well as each module. For example, when creating a email deny list PreSignUp trigger, you will be asked
1$ Do you want to edit the local PreSignUp lambda function now? (Y/n)Selecting 'yes' will open the index file in your editor.
You will then be asked if you want to edit the individual JavaScript module for the email deny list functionality:
1$ Do you want to edit your email-filter-deny-list function now?Set up Lambda triggers
There are two ways to setup Lambda Triggers for your Cognito User Pool.
- In the default Auth CLI workflow, you will be presented with a list of Lambda Trigger templates if you opt to configure advanced settings:
1$ Do you want to enable any of the following capabilities?2 ❯ ◯ Add Google reCaptcha Challenge3 ◯ Email Verification Link with Redirect4 ◯ Add User to Group5 ◯ Email Domain Filtering (deny list)6 ◯ Email Domain Filtering (allow list)7 ◯ Custom Auth Challenge Flow (basic scaffolding - not for production)8 ◯ Override ID Token Claims- In the manual Auth CLI workflow, you will be given the chance to select the options above, but will also be able to manually configure Lambda Trigger templates:
1$ Do you want to configure Lambda Triggers for Cognito? Yes2
3$ Which triggers do you want to enable for Cognito?4◯ Learn More5 ──────────────6 ◯ Create Auth Challenge7❯◉ Custom Message8 ◯ Define Auth Challenge9 ◯ Post Authentication10 ◯ Post Confirmation11 ◯ Pre Sign-up12 ◯ Verify Auth Challenge Response13 ◯ Pre Token Generation14
15$ What functionality do you want to use for Custom Message16 ◯ Learn More17 ──────────────18❯◉ Send Account Confirmation Link w/ Redirect19 ◯ Create your own moduleIf your manually-configured Lambda Triggers require enhanced permissions, you can run amplify function update after they have been initially configured.
Auth Templates
The CLI Auth workflow provides the following Lambda trigger templates:
Custom Auth Challenge with Google reCaptcha
Captchas allow front end applications to guard against bots or other unwanted page interactions by presenting a challenge that is designed to require human intervention. The Google reCaptcha service is a popular implementation of captcha.
This template will configure three triggers: CreateAuthChallenge, DefineAuthChallenge, and VerifyAuthChallengeResponse.
The first two will essentially allow the standard username/password flow to execute unimpeded, while VerifyAuthChallengeResponse will run when the confirmSignIn() function is called with the data that is returned when the user interacts with the Google reCaptcha component. The VerifyAuthChallengeResponse Lambda function will subsequently execute a POST request to Google, and will pass the success or failure of the reCaptcha interaction back to Cognito. In order to trigger the custom authentication flow, you will pass an options to the signIn() method via options.authFlowType.
React Sample
The following code sample demonstrates how to create a custom CaptchaConfirmSignIn component in React using the react-google-recaptcha npm package.
1import React from 'react';2import './App.css';3import { Amplify } from 'aws-amplify';4import { signIn, confirmSignIn } from 'aws-amplify/auth';5import amplifyconfig from './amplifyconfiguration.json';6import ReCAPTCHA from 'react-google-recaptcha';7
8Amplify.configure(amplifyconfig);9
10const CaptchaConfirmSignIn = (props) => {11 const handleConfirmSignIn = async (value) => {12 try {13 const res = await confirmSignIn({ challengeResponse: value });14 console.log('User has signed in.', res);15 } catch (e) {16 console.log('Sign in failed', e);17 }18 };19
20 return (21 <div>22 <ReCAPTCHA23 sitekey="your-client-side-google-recaptcha-key"24 onChange={handleConfirmSignIn}25 />26 </div>27 );28};29
30function App() {31 const [showCaptcha, setShowCaptcha] = useState(false);32
33 const handleSignIn = async () => {34 try {35 const response = await signIn({36 username,37 password,38 options: {39 authFlowType: 'CUSTOM_WITH_SRP'40 }41 });42 } catch (e) {43 console.log(e);44 }45 };46 return (47 <div className="App">48 <button onClick={handleSignIn}>Sign In</button>49 {showCaptcha && <CaptchaConfirmation />}50 </div>51 );52}53
54export default App;Angular Sample
The following code sample demonstrates how to create a custom ConfirmSignIn component in Angular using the ng-recaptcha npm package.
1// app.module.ts2
3import { BrowserModule } from '@angular/platform-browser';4import { NgModule } from '@angular/core';5import { AppComponent } from './app.component';6import { RecaptchaModule } from 'ng-recaptcha';7import { FormsModule } from '@angular/forms';8
9import { Amplify } from 'aws-amplify';10import amplifyconfig from '../amplifyconfiguration.json';11
12Amplify.configure(amplifyconfig);13
14@NgModule({15 declarations: [AppComponent],16 imports: [BrowserModule, FormsModule, RecaptchaModule],17 providers: [],18 bootstrap: [AppComponent]19})20export class AppModule {}1// app.component.ts2
3import { Component } from '@angular/core';4import { signIn, confirmSignIn } from 'aws-amplify/auth';5@Component({6 selector: 'app-root',7 templateUrl: './app.component.html',8 styleUrls: ['./app.component.scss']9})10export class AppComponent {11 title = 'cli-lambda-sample';12 displayCaptcha = false;13
14 async handleSignIn() {15 try {16 const { nextStep } = await signIn({17 username,18 password,19 options: {20 authFlowType: 'CUSTOM_WITH_SRP'21 }22 });23 displayCaptcha = nextStep === 'CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE';24 } catch (e) {25 console.log('Sign In Failed', e);26 }27 }28
29 async handleConfirmSignIn(e) {30 try {31 await confirmSignIn({ challengeResponse: e });32 } catch (e) {33 console.log('Failed to confirm sign in', e);34 }35 }36}1<!-- app.component.html -->2
3<button (click)="handleSignIn()">Sign In</button>4<div *ngIf="displayCaptcha">5 <re-captcha6 (resolved)="handleConfirmSignIn($event)"7 siteKey="your-client-side-google-recaptcha-key"8 ></re-captcha>9</div>Basic Scaffolding for a Custom Auth Challenge
This template will configure three triggers: CreateAuthChallenge, DefineAuthChallenge, and VerifyAuthChallengeResponse.
It will not, however, provide a fully-formed custom authentication flow. Instead, it will create a 'hello world' custom auth flow skeleton that you can manually edit. The intent of this template is to give you a starting place for building out your own custom auth flow.
Add User to Group
This trigger allows you to define a Cognito group to which a user will be added upon registration.
The trigger will check for the existence of the group in your User Pool, and will create the group if it is not present.
Email Domain Filtering (deny list) and Email Domain Filtering (allow list)
These two templates allow you to define email domains which are allowed or disallowed (respectively). They can be used in tandem or individually.
Override ID Token Claims
This template uses the Pre Token Generation trigger and allows you to add, override or remove claims from the ID token that is returned by Cognito.
You will need to manually edit the template to define the claims that you wish to manipulate. The template currently contains dummy values as examples.
S3 Lambda Triggers
You can associate a trigger to an S3 bucket managed by the Amplify CLI, by following the amplify add/update storage flows. When attempting to add/update an S3 storage resource, you would get the following CLI prompts to add a trigger for it.
1? Do you want to add a Lambda Trigger for your S3 Bucket? Yes2? Select from the following options3❯ Choose an existing function from the project4 Create a new functionAs you can see in the prompt above, you can either choose to use an existing Lambda function created using the CLI as a part of this project using amplify add function or create a new function with a base Lambda function to handle S3 events. We also auto-populate the IAM policies required by the Lambda execution role of the newly created function to access the S3 bucket.
Note: You can associate only one Lambda Function trigger to an S3 bucket.
DynamoDB Lambda Triggers
You can associate a Lambda trigger with a DynamoDB table, managed by the Amplify CLI. There are two ways by which DynamoDB is provisioned by the Amplify CLI
- As a part of the Storage category
- As a part of the GraphQL API (types with @model annotation)
As a part of the Storage category
You can add and manage a DynamoDB table to your Amplify project using the amplify add/update storage flows. When attempting to add/update a DynamoDB storage resource, you would get the following CLI prompts to add a trigger for it.
1? Do you want to add a Lambda Trigger for your Table? Yes2? Select from the following options (Use arrow keys)3❯ Choose an existing function from the project4 Create a new functionAs you can see in the prompt above, you can either choose to use an already existing Lambda function created using the CLI as a part of this project using amplify add function or create a new function with a base Lambda function handle DynamoDB events.
Note: You can associate more than one Lambda Function trigger to a DynamoDB table.
As a part of the GraphQL API (types with @model annotation)
You can also associate a Lambda trigger with any of the GraphQL transformer schema's DynamoDB backed @models which you can add via amplify add api. GraphQL mutations that result in DynamoDB item changes will in turn result in change records published to DynamoDB streams that can trigger a Lambda function. To create such a function, start with adding a new lambda function with:
1amplify add functionProceed by providing a name and selecting a Lambda Trigger template:
1? Provide a friendly name for your resource to be used as a label for this category in the project: testtrigger2? Provide the AWS Lambda function name: mytrigger3? Choose the function template that you want to use:4 Hello world function5 CRUD function for Amazon DynamoDB table (Integration with Amazon API Gateway and Amazon DynamoDB)6 Serverless express function (Integration with Amazon API Gateway)7❯ Lambda TriggerThen select Amazon DynamoDB Stream when prompted with event source question.
1? What event source do you want to associate with Lambda trigger (Use arrow keys)2❯ Amazon DynamoDB Stream3 Amazon Kinesis StreamNow select API category graphql @model backed DynamoDB table.
1?2> Use API category graphql @model backed DynamoDB table(s) in the current Amplify project3 Use storage category DynamoDB table configured in the current Amplify project4 Provide the ARN of DynamoDB stream directlyAfter the above question, you can select one of the types annotated by @model for which you want to add a trigger for.
On completion of the above mentioned flow, a boilerplate lambda function trigger will be created in your amplify/backend/function directory with the following template:
1exports.handler = function (event, context) {2 console.log(JSON.stringify(event, null, 2));3 event.Records.forEach((record) => {4 console.log(record.eventID);5 console.log(record.eventName);6 console.log('DynamoDB Record: %j', record.dynamodb);7 });8 context.done(null, 'Successfully processed DynamoDB record');9};record.dynamodb will contain a DynamoDB change json describing the item changed in DynamoDB table. Please note that it does not represent an original and new item as stored in DynamoDB table. To retrieve a original and new item you need to convert a DynamoDB json to original form:
1const AWS = require('aws-sdk');2const records = event.Records.map((record) => ({3 new: AWS.DynamoDB.Converter.unmarshall(record.dynamodb.NewImage),4 old: AWS.DynamoDB.Converter.unmarshall(record.dynamodb.OldImage)5}));Kinesis Stream Trigger
Amplify Analytics category Kinesis stream resource can be also used as an event source for Lambda triggers. Event published to Kinesis stream will trigger a lambda function. You can add a Kinesis stream to your Amplify project by going through the amplify add analytics flow. To create a Lambda trigger for the Kinesis Stream, start with adding a new lambda function:
1amplify add functionProceed by providing a name and selecting a Lambda Trigger template:
1? Provide a friendly name for your resource to be used as a label for this category in the project: testtrigger2? Provide the AWS Lambda function name: mytrigger3? Choose the function template that you want to use:4 Hello world function5 CRUD function for Amazon DynamoDB table (Integration with Amazon API Gateway and Amazon DynamoDB)6 Serverless express function (Integration with Amazon API Gateway)7❯ Lambda TriggerThen select Amazon Kinesis Stream when prompted with event source question and select the resource.
1? What event source do you want to associate with Lambda trigger (Use arrow keys)2 Amazon DynamoDB Stream3❯ Amazon Kinesis Stream4? Choose a Kinesis event source option (Use arrow keys)5❯ Use Analytics category kinesis stream in the current Amplify project6 Provide the ARN of Kinesis stream directlyAfter the completion of the above flow, a Lambda function will be created in your amplify/backend/function directory and will be invoked when a new event is pushed to a Kinesis stream. Please refer to Working with the API to learn more about publishing your events to Kinesis stream.