PasswordLess Authentication with AWS CDK





Mon Aug 30 2021

AWS CDK is a great framework for coding infrastructure on AWS: it is open-source, free, well documented and has a huge community. For many years I worked with CloudFormation and YAML files, and I didn't like it. I was spending a lot of time deploying my stacks and figuring out the errors, especially errors related to roles and permissions.

A couple of years ago, I joined a company whose whole architecture was serverless, which was great because I was working with the same services too. We had our IaC with the Serverless Framework and it was working well. However, it still wasn't great, especially for the devs: writing YAML files and reviewing them in a PR is honestly not the best experience.

I was lucky that my boss at that time introduced AWS CDK to me while it was still in beta. I remember the first version of CDK that we tried, and it was not mature, but we liked it and we saw the future in it. So we decided to write the new stacks with CDK and slowly catch up on the old YAML files.

We almost did after a year when CDK was released officially.

One of the great concepts in CDK is custom constructs. You can write a block of your infra and then use it anywhere, multiple times. There are great examples of these custom constructs in the CDK documentation, and on GitHub you can also find people building their own constructs and sharing them with others. This is a repo presenting some of those awesome CDK constructs.

In this post, I want to write about the construct that I implemented a couple of years ago and used in multiple projects.

AWS CDK PasswordLess Construct

As you know, there's no built-in passwordless authentication in AWS. (Some services like Firebase offer that out of the box.) So I decided to build one and make it a custom construct so I can use it in any project that I want. This construct creates these resources:

  • Cognito User Pool
  • Cognito Pool Client
  • Cognito Lambda Trigger


You can add this construct to your project and have it as part of your IaC:

yarn add aws-cdk-passwordless

import { CdkPasswordless } from "aws-cdk-passwordless";

// `lambda` is the CDK Lambda module already imported in your stack
new CdkPasswordless(this, "myPasswordLess", {
  mailSubject: "myStack - signIn", // subject of the email that carries the confirmation code
  userPoolClientName: "myClientName",
  verifiedDomains: [""], // email domains that are allowed to sign up
  postConfirmationLambda: new lambda.Function(...), // a Lambda that is triggered after code confirmation
});

I should just note that postConfirmationLambda is the function that is called after the user passes the code confirmation and signs in to your website. You can have any logic in there; I usually store a user object in the database in that function.
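The verifiedDomains option restricts sign-up to certain email domains. As an added example (not code from the aws-cdk-passwordless project), this is one way a Cognito pre sign-up trigger could enforce such an allowlist with exact domain matching. The function names, the simplified event shape and the sample domain are assumptions made for illustration.

```typescript
// Added example: not code from the aws-cdk-passwordless project.
// Simplified shape of the Cognito pre sign-up event (only the field used here).
interface PreSignUpEvent {
  request: { userAttributes: { [name: string]: string } };
}

// Normalise the allowlist: trim, lowercase, and drop empty entries so that
// a value such as [""] allows nobody instead of everybody.
function normaliseDomains(domains: string[]): Set<string> {
  return new Set(
    domains.map((d) => d.trim().toLowerCase()).filter((d) => d.length > 0)
  );
}

// True only when the address has exactly one "@", a non-empty local part,
// and a domain that exactly equals an allowlisted entry (no suffix matching).
function isAllowedEmail(email: string, domains: string[]): boolean {
  const parts = email.trim().toLowerCase().split("@");
  if (parts.length !== 2) return false;
  const [local = "", domain = ""] = parts;
  if (local.length === 0) return false;
  return normaliseDomains(domains).has(domain);
}

// Hypothetical trigger body: throwing makes Cognito reject the sign-up.
function preSignUp(event: PreSignUpEvent, domains: string[]): PreSignUpEvent {
  const email = event.request.userAttributes["email"] || "";
  if (!isAllowedEmail(email, domains)) {
    throw new Error("Sign-up is not allowed for this email domain");
  }
  return event;
}

// Constructed sample allowlist.
const ALLOWED = ["example.com"];
```

Exact comparison matters here: a suffix check such as `endsWith` would accept lookalike domains, and would accept every address when the list contains an empty string.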

I'm not gonna go into the details about the code here, as you can find the whole project on GitHub.

© Copyright 2022 Farmin Farzin