src/cognito/add_users_and_groups.py

import boto3
import os
import getpass

cognito_client = boto3.client('cognito-idp')
user_pools = cognito_client.list_user_pools(MaxResults=60)['UserPools']
user_pool_id = [user_pool['Id'] for user_pool in user_pools if user_pool['Name']=='mlflow-user-pool'][0]
groups = ['admins', 'readers', 'model-approvers']
list_groups = cognito_client.list_groups(UserPoolId=user_pool_id)['Groups']
existing_group_names = [group['GroupName'] for group in list_groups]
users_groups = [
    {
        'username': 'mlflow-admin@example.com',
        'group': 'admins'
    },
    {
        'username': 'mlflow-reader@example.com',
        'group': 'readers',
    },
    {
        'username': 'mlflow-model-approver@example.com',
        'group': 'model-approvers'
    }
]
list_users = cognito_client.list_users(UserPoolId=user_pool_id)['Users']

existing_email_list = []
for user in list_users:
    attributes = user['Attributes']
    email = [attribute['Value'] for attribute in attributes if attribute['Name']=='email'][0]
    existing_email_list.append(email)

        
if __name__=="__main__":
    # Create groups
    for group in groups:
        if group in existing_group_names:
            print(f"group {group} already exists")
        else:
            print(f"create group {group} for cognito user pool {user_pool_id}")
            cognito_client.create_group(
                GroupName=group,
                UserPoolId=user_pool_id
            )
    # Create users and associate them with a group
    for user_group in users_groups:
        username = user_group['username']
        group = user_group['group']
        if username in existing_email_list:
            print(f"user {username} already exist. skip it")
        else:
            print(f"create user {username}")
            cognito_client.admin_create_user(
                UserPoolId=user_pool_id,
                Username=username,
                #TemporaryPassword=args.password
            )
            pwd = getpass.getpass(prompt = f"Enter the password for {username}: ")
            cognito_client.admin_set_user_password(
                UserPoolId=user_pool_id,
                Username=username,
                Password=pwd,
                Permanent=True # does not force a user to change the password
            )
            
            print(f"add user {username} to group {group}")
            cognito_client.admin_add_user_to_group(
                UserPoolId=user_pool_id,
                Username=username,
                GroupName=group
            )