bug: Cognito sends create account email instead of confirm account email #12728

Open
@InvokedLambda

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hello,

during user registration in our application, LocalStack is sending a "create account" email with a temporary password instead of the expected "confirm account" email with a verification code.

When a user registers for a new account:

  1. User submits registration form with email and password
  2. Cognito creates the user account in UNCONFIRMED status
  3. System sends an incorrect "create account" email with:
     • Subject: "Your temporary password"
     • Message: "Your username is {uuid} and temporary password is None."
     • No verification code provided
  4. User cannot proceed with account confirmation

These are the localstack logs:

2025-06-07T11:58:44.478 DEBUG --- [et.reactor-7] l.p.c.s.c.cognito_triggers : No Lambda trigger found for PreSignUp_SignUp in pool eu-central-1_b6c8dad408fd47a5bc1480129789dfa4
2025-06-07T11:58:44.480 DEBUG --- [et.reactor-7] l.p.c.s.c.provider         : Sending email to '[email protected]' via SES
2025-06-07T11:58:44.490 DEBUG --- [et.reactor-3] l.services.ses.provider    : Email saved at: /tmp/localstack/state/ses/ykrpbmvezdycvlgw-puntecqt-ujiu-axwv-bipc-zurlkfrkrglu-wsekny.json
2025-06-07T11:58:44.499  INFO --- [et.reactor-7] localstack.request.aws     : AWS cognito-idp.SignUp => 200

This is the saved email:

# cat /tmp/localstack/state/ses/ykrpbmvezdycvlgw-puntecqt-ujiu-axwv-bipc-zurlkfrkrglu-wsekny.json
{"Id": "ykrpbmvezdycvlgw-puntecqt-ujiu-axwv-bipc-zurlkfrkrglu-wsekny", "Region": "eu-central-1", "Destination": {"ToAddresses": ["[email protected]"]}, "Source": "[email protected]", "Subject": "Your temporary password", "Body": {"text_part": "Your username is ac24d746-91ca-46b8-b190-e2e6d607a0fe and temporary password is None.", "html_part": null}, "Timestamp": "2025-06-07T11:58:44"}

This is the awslocal cognito-idp list-users output:

        {
            "Username": "ac24d746-91ca-46b8-b190-e2e6d607a0fe",
            "Attributes": [
                {
                    "Name": "email",
                    "Value": "[email protected]"
                },
                {
                    "Name": "sub",
                    "Value": "ac24d746-91ca-46b8-b190-e2e6d607a0fe"
                },
                {
                    "Name": "email_verified",
                    "Value": "false"
                }
            ],
            "UserCreateDate": 1749297524.479596,
            "UserLastModifiedDate": 1749297524.479596,
            "Enabled": true,
            "UserStatus": "UNCONFIRMED"
        }

For my terraform configuration look below.

Expected Behavior

When a user registers for a new account:

  1. User submits registration form with email and password
  2. Cognito creates the user account in UNCONFIRMED status
  3. System sends a confirmation email with:
     • Subject: "Account Confirmation"
     • Message: "Thank you for your registration. Your confirmation code is {####}"
     • Contains a 6-digit verification code
  4. User enters the verification code to confirm their account
  5. Account status changes to CONFIRMED and user can log in

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker compose up -d

version: '3.8'
services:
  localstack:
    image: localstack-pro:latest
    ports:
      - "4566:4566"
      - "4510-4559:4510-4559"
    environment:
      - SERVICES=ec2,lambda,s3,apigateway,apigatewaymanagementapi,cognito-idp,secretsmanager,lambda,acm,iam,route53,route53resolver,ses,ssm,ce,cloudfront,cognito-identity,rds-data,rds,events,logs,wafv2,sns,cloudwatch,xray
      - DISABLE_CORS_CHECKS=1
      - DEBUG=1
      - CLOUDFRONT_STATIC_PORTS=1
      - LOCALSTACK_API=true
      - PERSISTENCE=/tmp/localstack/data
      - DOCKER_HOST=unix:///var/run/docker.sock
      - AWS_DEFAULT_REGION=eu-central-1
      - GATEWAY_LISTEN=0.0.0.0:4566
      - EXTERNAL_SERVICE_PORTS_START=4510
      - EXTERNAL_SERVICE_PORTS_END=4559
      - LAMBDA_RUNTIME_ENVIRONMENT_TIMEOUT=60
      - LOCALSTACK_AUTH_TOKEN="<token>"
      - MAIN_CONTAINER_NAME=localstack-main-1
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./.volume/localstack:/var/lib/localstack"

Terraform cognito configuration

# /-- Cognito User Pool
resource "aws_cognito_user_pool" "user_pool" {
  name = "${var.namespace}-user-pool"

  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  password_policy {
    minimum_length    = 8
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }

  email_configuration {
    email_sending_account = "DEVELOPER"
    source_arn            = module.ses.ses_domain_identity_arn
    from_email_address    = "noreply@${var.domain}"
  }

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
    email_subject        = "Account Confirmation"
    email_message        = "Thank you for your registration. Your confirmation code is {####}"
  }

  lambda_config {
    post_confirmation = module.lambda_function_post_sign_up_confirmation.lambda_function_arn
  }

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "email"
    required                 = true

    string_attribute_constraints {
      min_length = 1
      max_length = 256
    }
  }

  tags = {
    Name = "${var.namespace}-user-pool"
  }

  depends_on = [module.lambda_function_post_sign_up_confirmation]
}

resource "aws_cognito_user_pool_client" "client" {
  name = "${var.namespace}-cognito-client"

  user_pool_id    = aws_cognito_user_pool.user_pool.id
  generate_secret = true

  access_token_validity  = 8
  id_token_validity      = 8
  refresh_token_validity = 12

  token_validity_units {
    access_token  = "hours"
    id_token      = "hours"
    refresh_token = "hours"
  }

  prevent_user_existence_errors = "ENABLED"

  explicit_auth_flows = [
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_USER_SRP_AUTH"
  ]
}
# --/

Environment

- OS: 15.3.1 (24D70)
- LocalStack:
  LocalStack version: 4.5.1.dev13
  LocalStack Docker image sha: 3ee97b460fd395e4d3f437766bfb739255d93feb1944de84b35ac8c79dfe6f9f
  LocalStack build date: 2025-06-06
  LocalStack build git hash: 5cfec717c

Anything else?

The LocalStack Docker image sha is maybe different because I build my own Docker image like:

FROM localstack/localstack-pro:latest

# Install jq and iputils-ping
RUN apt-get update && \
    apt-get install -y jq && \
    apt-get install -y iputils-ping && \
    rm -rf /var/lib/apt/lists/*
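
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of LocalStack's code: it reads one saved SES message (the JSON format shown in the issue) and reports whether it is the expected verification-code email or the temporary-password one. The function names are hypothetical, and the sample message is constructed from the one quoted in the issue.

```python
import json
import re

# Constructed sample: the saved SES message quoted in the issue, trimmed to the
# fields the check reads.
REPORTED_EMAIL = json.dumps({
    "Subject": "Your temporary password",
    "Body": {"text_part": "Your username is ac24d746-91ca-46b8-b190-e2e6d607a0fe"
                          " and temporary password is None.", "html_part": None},
})
# Values from the verification_message_template block in the Terraform config.
EXPECTED_SUBJECT = "Account Confirmation"
EXPECTED_TEMPLATE = "Thank you for your registration. Your confirmation code is {####}"


def template_to_regex(template):
    """Escape the template literally; each {####} must render as a 6-digit code."""
    return re.compile(r"(\d{6})".join(re.escape(p) for p in template.split("{####}")))


def check_signup_email(raw, subject=EXPECTED_SUBJECT, template=EXPECTED_TEMPLATE):
    """Return the problems found in one saved SES message (empty list = OK)."""
    msg = json.loads(raw)
    parts = msg.get("Body") or {}
    body = parts.get("text_part") or parts.get("html_part") or ""
    problems = []
    if msg.get("Subject") != subject:
        problems.append("subject")
    if not template_to_regex(template).fullmatch(body):
        problems.append("template")
    if re.search(r"temporary password", body, re.IGNORECASE):
        problems.append("temporary-password message")
    if re.search(r"\bNone\b|\bnull\b|\{####\}", body):
        problems.append("unrendered placeholder")
    return problems


if __name__ == "__main__":
    print(check_signup_email(REPORTED_EMAIL))
```
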
