TL;DR - Verified Google tokens server-side, created Cognito users via admin APIs with email_verified: true, generated deterministic passwords from user IDs + a server secret, and bypassed Cognito's hosted UI entirely. Works for signup and sign-in. Not for everyone, but perfect when you can't use Cognito's standard federation.

The Constraint: No Console Access, No Hosted UI

I inherited a broken authentication system. No AWS console access. No ability to change the login UI. And a hard requirement: Google Sign-In had to work. Here's how I made Cognito do something it wasn't designed to do.

The stack was NestJS on the backend with AWS Cognito as the user store. Straightforward enough — except for one constraint that made everything harder than it needed to be: I didn't have direct access to the AWS console. Every deployment, every config change, every "let me just quickly check this setting" moment required me to sit down with my manager and do it together. No flying solo.…