How to Update Amazon Cognito Custom Attributes From Your .NET Applications

In a previous post, we explored Amazon Cognito custom attributes — how to set them up in your User Pool and update them manually through the AWS Console.

But what happens when a user upgrades their subscription, changes their profile settings, or triggers any event that should update their Cognito attributes?

Manually updating attributes in the AWS Console doesn't scale.

You might need to automatically keep user data in sync with real events happening inside your application.

In this post, let's explore how to:

• Update Cognito custom attributes programmatically from .NET
• Configure dependency injection for the Cognito SDK
• Handle mutable vs immutable attributes
• Add users to Cognito groups from code
• Keep user claims in sync with application events

Thanks to AWS for sponsoring this article in my Cognito Series.

Adding Custom Attributes to Amazon Cognito User Pools for .NET Applications

Learn how to add custom attributes like subscription tiers or organization IDs to Amazon Cognito user pools. We'll explore how to create custom attributes, make them available as token claims, and control access per app client in your .NET applications.

rahulpnath.com

Installing the AWS .NET SDK for Amazon Cognito

To interact with Amazon Cognito from .NET, we need the AWS SDK NuGet packages.

Open your project and add these two packages:

dotnet add package AWSSDK.CognitoIdentityProvider
dotnet add package AWSSDK.Extensions.NETCore.Setup

The package (AWSSDK.CognitoIdentityProvider) provides the API client to interact with Cognito User Pools.

Configuring Amazon Cognito Dependency Injection

The package (AWSSDK.Extensions.NETCore.Setup) sets up dependency injection for AWS services in ASP.NET Core applications.

AWS SDK Dependency Injection in .NET

Registering AWS SDK clients with dependency injection can be confusing with multiple manual approaches. Let's explore the built-in AddAWSService method and when you need to fall back to manual registration.

rahulpnath.com

With the NuGet packages installed, register the Cognito service in your application's dependency injection container.

In Program.cs, add the following line:

builder.Services.AddAWSService<IAmazonCognitoIdentityProvider>();

This registers the IAmazonCognitoIdentityProvider interface, which we'll inject into our endpoints to interact with Cognito.

The extension method automatically configures the service using your AWS credentials and region from the environment or configuration.

Updating Custom Attributes from .NET

Let's build a practical example.

Imagine a user subscribes to your premium tier—you take payment, activate their subscription, and now need to update their Cognito custom attributes.

Here's a minimal API endpoint that handles this:

app.MapPost("/user/subscribe", async (
    IAmazonCognitoIdentityProvider cognitoIdentityProvider,
    HttpContext httpContext) =>
{
    var username = httpContext.User.Claims
        .FirstOrDefault(c => c.Type == "username")?.Value;

    var updateRequest = new AdminUpdateUserAttributesRequest()
    {
        UserPoolId = "<user-pool-id-from-config>",
        Username = username,
        UserAttributes = new List<AttributeType>()
        {
            new AttributeType()
            {
                Name = "custom:subscription",
                Value = "Premium"
            }
        }
    };

    await cognitoIdentityProvider.AdminUpdateUserAttributesAsync(updateRequest);
})
.WithName("UserSubscribe")
.RequireAuthorization();

This endpoint does three things:

1. Extracts the username from the authenticated user's claims
2. Creates an update request specifying the user pool, username, and attributes to update
3. Calls Cognito to update the custom:subscription attribute to Premium

Understanding Mutable vs Immutable Cognito Attributes

When you create a custom attribute in Cognito, you specify whether it's mutable or immutable.

Mutable attributes can be updated throughout the user's lifetime.

Use mutable attributes for values that can change like Subscription tier (free → premium), Organization membership,Preferences or settings, Status flags etc.

The custom:subscription attribute in our example is mutable, which is why we can update it when users upgrade.

Immutable attributes can only be set when the user is created. They cannot be modified afterward. Use immutable attributes for values that should never change like Employee ID, Initial signup source, Original referral code, Permanent identifiers etc.

Updating Amazon Cognito Standard Attributes

Besides custom attributes, you can also update Cognito's standard attributes like locale, name, phone_number, etc.

Navigate to a user in the Cognito console and notice which attributes can be edited—those are mutable and can be updated from code.

However, some standard attributes like sub (the user ID) are immutable and cannot be changed.

Let's extend our example to also update the user's locale (a standard attribute).

var updateRequest = new AdminUpdateUserAttributesRequest()
{
    UserPoolId = "ap-southeast-2_TTjHrnktq",
    Username = username,
    UserAttributes = new List<AttributeType>()
    {
        new AttributeType()
        {
            Name = "custom:subscription",
            Value = "Premium"
        },
        new AttributeType()
        {
            Name = "locale",
            Value = "en-AU"
        }
    }
};

await cognitoIdentityProvider.AdminUpdateUserAttributesAsync(updateRequest);

This single request updates both the custom subscription attribute and the standard locale attribute.

You can update multiple attributes in a single API call, making it efficient to synchronize user data.

Adding Users to Cognito Groups via Code

Beyond updating attributes, you might also want to add users to Cognito groups when certain events occur.

For example, when users subscribe to the premium tier, add them to a PremiumUsers group.

Using Amazon Cognito Groups for Role-Based Access Control

Learn how to enforce access control using Amazon Cognito User Groups with ASP.NET API applications. We'll explore both role-based and policy-based authorization to protect your endpoints.

rahulpnath.com

Here's how to add a user to a group from code:

app.MapPost("/user/subscribe", async (
    IAmazonCognitoIdentityProvider cognitoIdentityProvider,
    HttpContext httpContext) =>
{
   ...

    var addUserToGroupRequest = new AdminAddUserToGroupRequest()
    {
        GroupName = "PremiumUsers",
        UserPoolId = "ap-southeast-2_TTjHrnktq",
        Username = username
    };

    await cognitoIdentityProvider.AdminAddUserToGroupAsync(addUserToGroupRequest);
})
.WithName("UserSubscribe")
.RequireAuthorization();

The AdminAddUserToGroupAsync method takes the group name, user pool ID, and username.

After calling this, navigate to the user in the AWS Console. You'll see they're now a member of the PremiumUsers group.

The next time they authenticate, their ID token will include the group membership in the cognito:groups claim.

Event-Driven Architecture Considerations

In the example above, we're updating Cognito directly from the API endpoint. While this works for demonstrations, real-world applications often benefit from an event-driven approach.

Instead of coupling the subscription logic directly to Cognito updates:

1. Raise a domain event when the user subscribes (e.g., UserSubscribedEvent)
2. Handle the event in a separate handler that updates Cognito

This makes your code more maintainable and testable.

For a deep dive into messaging patterns and event-driven architecture, check out my messaging series.

Most operations you can perform in the AWS Console have corresponding API methods in the SDK.

Explore the IAmazonCognitoIdentityProvider interface to see all available methods.

👉 Full source code available here