Amazon Cognito
Developer Guide

Pre Token Generation Lambda Parameters

This Lambda trigger allows you to customize an identity token before it is generated. You can use this trigger to add new claims, update claims, or suppress claims in the identity token. To use this feature, you can associate a Lambda function from the Amazon Cognito User Pools console or by updating your user pool through the AWS CLI.

You can override or suppress most claims, but the following claims cannot be modified: acr, amr, aud, auth_time, azp, exp, iat, identities, iss, sub, token_use, and cognito:username.

    "request": {
        "groupConfiguration": {
            "groupsToOverride": ["string", ....],
            "iamRolesToOverride": ["string", ....],
            "preferredRole": "string"
        }
    }

groupConfiguration

The input object containing the current group configuration. It includes groupsToOverride, iamRolesToOverride, and preferredRole.

groupsToOverride

A list of the group names that are associated with the user that the identity token is issued for.

iamRolesToOverride

A list of the current IAM roles associated with these groups.

preferredRole

A string indicating the preferred IAM role.

    "response": {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "string": "string",
                ....
            },
            "claimsToSuppress": ["string", ....],
            "groupOverrideDetails": {
                "groupsToOverride": ["string", ....],
                "iamRolesToOverride": ["string", ....],
                "preferredRole": "string"
            }
        }
    }

claimsToAddOrOverride

A map of one or more key-value pairs of claims to add or override. For group-related claims, use groupOverrideDetails instead.

claimsToSuppress

A list that contains claims to be suppressed from the identity token.

Note

If a value is both suppressed and replaced, then it will be suppressed.

groupOverrideDetails

The output object containing the current group configuration. It includes groupsToOverride, iamRolesToOverride, and preferredRole.

The groupOverrideDetails object is replaced with the one you provide. If you provide an empty or null object in the response, then the groups are suppressed. To leave the existing group configuration as is, copy the value of the request's groupConfiguration object to the groupOverrideDetails object in the response, and pass it back to the service.
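
The following handler is an added example, not code from the Developer Guide. It builds a response that follows the rules above: it refuses to touch the claims listed as not modifiable, resolves a claim that is both suppressed and replaced in favor of suppression, and copies the request's groupConfiguration back so the groups are left as is. The function names, the tenant_id claim, the sample event and its role ARN are constructed assumptions.

```python
import copy

# Claims this page lists as not modifiable by the trigger.
IMMUTABLE_CLAIMS = frozenset({
    "acr", "amr", "aud", "auth_time", "azp", "exp", "iat",
    "identities", "iss", "sub", "token_use", "cognito:username",
})


def build_claims_override(group_configuration, add_or_override, suppress):
    """Return a claimsOverrideDetails object that follows the rules above."""
    blocked = IMMUTABLE_CLAIMS & (set(add_or_override) | set(suppress))
    if blocked:
        # Fail closed: these claims are documented as not modifiable.
        raise ValueError(f"claims that cannot be modified: {sorted(blocked)}")
    if not all(isinstance(v, str) for v in add_or_override.values()):
        raise TypeError("claimsToAddOrOverride values must be strings")
    # A claim that is both suppressed and replaced ends up suppressed, so
    # drop it from the add/override map to keep the response unambiguous.
    to_add = {k: v for k, v in add_or_override.items() if k not in suppress}
    return {
        "claimsToAddOrOverride": to_add,
        "claimsToSuppress": sorted(set(suppress)),
        # An empty or null groupOverrideDetails suppresses the groups, so copy
        # the request's groupConfiguration back to leave them unchanged.
        "groupOverrideDetails": copy.deepcopy(group_configuration),
    }


def lambda_handler(event, context):
    """Pre Token Generation handler; claim names and values are constructed."""
    event["response"]["claimsOverrideDetails"] = build_claims_override(
        event["request"]["groupConfiguration"],
        add_or_override={"tenant_id": "tenant-example"},
        suppress=["email"],
    )
    return event  # the modified event is passed back to the service


# Constructed sample event containing only the fields shown on this page.
SAMPLE_EVENT = {
    "request": {"groupConfiguration": {
        "groupsToOverride": ["admins"],
        "iamRolesToOverride": ["arn:aws:iam::111122223333:role/ExampleAdmin"],
        "preferredRole": "arn:aws:iam::111122223333:role/ExampleAdmin",
    }},
    "response": {},
}
```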