feat(cognito): user pool: send emails using Amazon SES #17117
Conversation
add support for SES integration by introducing a new property for configuring email settings for a user pool. This feature supports both types of integration with SES. 1. Using the COGNITO_DEFAULT sending account, but providing a custom email address 2. Using the DEVELOPER sending account This feature does not automate any configuration on SES since that is not currently possible with CloudFormation and requires a manual verification step. To use the SES integration introduced in this feature the user will have had to already configured a verified email address in Amazon SES and followed the steps outlined here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html closes #6768
|
|
nija-at
changed the title
nija-at
changed the title
| this email must be a verified email address in Amazon SES, and that email address must have an authorization policy | ||
| that allows Cognito to send emails. See the section `Step 3: Grant Email Permissions to Amazon Cognito` of the |
There was a problem hiding this comment.
must have an authorization policy that allows Cognito to send emails
can we auto-configure this policy as part of the cognito module? What would that take?
There was a problem hiding this comment.
We would need to configure this policy by using a custom resource that calls put-identity-policy. A prerequisite would be creating the email in SES, but it wouldn't need to be verified or fully configured to attach this policy.
I wasn't sure about configuring this one piece in SES since it feels like SES should have it's own package that controls it's configuration. I think ideally the user experience would look like this, although I don't know if SES will get CloudFormation resources anytime soon.
const sesIdentity = new ses.Identity(this, 'Identity', {
email: 'user@example.com',
});
sesIdentity.addAuthorization(new authorizations.CognitoAuthorization(userpool));There was a problem hiding this comment.
Email verification is clearly an out-of-band process, and we cannot automate that in the cdk.
Calling put-identity-policy via a custom resource is something we can do, i.e., add it to the aws-ses module and use it from here.
If you're interested, you could consider something like this in a subsequent PR. I'm ok with shipping it without this feature available yet.
(before the '@') must only include ASCII characters, but the domain can be punycode encoded.
| ```ts | ||
| new cognito.UserPool(this, 'myuserpool', { | ||
| email: Email.withSES({ | ||
| sesRegion: SESRegion.US_EAST_1, |
There was a problem hiding this comment.
We don't need an enum for this. Region is just a string in the cdk. We can just add a validation for the list of valid regions.
There was a problem hiding this comment.
Still show as an enum. README needs to be updated.
There was a problem hiding this comment.
ah sorry, should be fixed now.
| * Required if the UserPool region is different than the SES region. | ||
| * | ||
| * If sending emails with a Amazon SES verified email address, | ||
| * and the region that SES is configured is different than the | ||
| * region in which the UserPool is deployed, you must specify that | ||
| * region here. | ||
| * | ||
| * @default - The same region as the Cognito UserPool | ||
| */ | ||
| readonly sesRegion?: SESRegion; |
There was a problem hiding this comment.
What happens if this property is not specified and the region is not the expected SES region?
There was a problem hiding this comment.
then it will throw an error telling the user to provide this property.
There was a problem hiding this comment.
"it" here being CloudFormation deployment?
There was a problem hiding this comment.
I have validation logic to validate that a correct region is is provided and the library will throw an error if it is not a valid region.
removing regions property in favor of a const switching sesRegions to take a string deprecating emailSettings property other small doc updates
| ```ts | ||
| new cognito.UserPool(this, 'myuserpool', { | ||
| email: Email.withSES({ | ||
| sesRegion: SESRegion.US_EAST_1, |
There was a problem hiding this comment.
Still show as an enum. README needs to be updated.
| /** | ||
| * Configuration for Cognito sending emails via Amazon SES | ||
| */ | ||
| export interface SESOptions { |
There was a problem hiding this comment.
Since this module contains both user pool and identity pool, perhaps rename this as UserPoolSESOptions.
Same for other names as well.
There was a problem hiding this comment.
Updated all the exported names.
| // if a custom email is provided that means that cognito is going to use an SES email | ||
| // and we need to provide the sourceArn which requires a valid region |
There was a problem hiding this comment.
I'm confused. Cognito email is not SES email right? Are we mixing these up?
There was a problem hiding this comment.
It is a little confusing, maybe I can add some more explanation to the README. There are technically two modes to Cognito default email.
-
Using the default
no-reply@verificationemail.com
In this case Cognito is handling sending the email because it is using an email address owned by AWS. -
Using a custom email address.
In this case even though it is still using the Cognito default email functionality, it is actually using SES to send the email, so it does require you to have the email configured in SES.
There was a problem hiding this comment.
Can we then roll #2 into Email.withSES() instead? That would keep this simpler/ easier to explain.
There was a problem hiding this comment.
hmm that is a good point. I can't think of a reason why you would want to use Cognito default through SES instead of just SES directly. I'll update.
There was a problem hiding this comment.
OK, I updated withCognito to only take the replyTo email address. You now how two options
- Cognito default with the default
no-reply@verificationemail.comemail and optionally areplyToemail address. - Sending emails through SES.
I completely removed option 2 from my previous response since you don't gain anything over just configuring Cognito to use SES.
nija-at
changed the title
| * Returns the email configuration for a Cognito UserPool | ||
| * that controls how Cognito will send emails | ||
| */ | ||
| public abstract bind(scope: Construct): UserPoolEmailConfig; |
There was a problem hiding this comment.
I like to use UserPoolEmailBindOptions as the parameter to bind().
This allows for more properties to be added, deprecated, etc. here without breaking changes.
The other option is to mark this API as @internal and not export UserPoolEmailConfig. Then changes to this API will not be considered breaking.
This option assumes that there aren't going to be many other ways in which customers will want to bind their own implementations here. Seems ok in this case since I don't expect Cognito to support other options than SES.
There was a problem hiding this comment.
Updated to be @internal
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
add support for SES integration by introducing a new property for configuring email settings for a user pool. This feature supports both types of integration with SES. 1. Using the COGNITO_DEFAULT sending account, but providing a custom email address 2. Using the DEVELOPER sending account This feature does not automate any configuration on SES since that is not currently possible with CloudFormation and requires a manual verification step. To use the SES integration introduced in this feature the user will have had to already configured a verified email address in Amazon SES and followed the steps outlined here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html closes aws#6768 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
add support for SES integration by introducing a new property for configuring email settings for a user pool. This feature supports both types of integration with SES. 1. Using the COGNITO_DEFAULT sending account, but providing a custom email address 2. Using the DEVELOPER sending account This feature does not automate any configuration on SES since that is not currently possible with CloudFormation and requires a manual verification step. To use the SES integration introduced in this feature the user will have had to already configured a verified email address in Amazon SES and followed the steps outlined here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html closes aws#6768 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
add support for SES integration by introducing a new property for
configuring email settings for a user pool. This feature supports both
types of integration with SES.
email address
This feature does not automate any configuration on SES since that is
not currently possible with CloudFormation and requires a manual
verification step. To use the SES integration introduced in this feature
the user will have had to already configured a verified email address in
Amazon SES and followed the steps outlined here:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html
closes #6768
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license