claudioz

Reputation: 1231

How to change password of AWS Cognito User?

I'm developing a web application which uses the AWS services backend side. I'm using AWS Cognito to manage the users but I have a problem. When I create a new user (with a temporary password) it is required that I change this password manually to make it definitive. The only way I have to change the password is using AWS Cli, as explained here:

https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/change-password.html

I have to type in the shell the old password, the new password and the Access Token. The problem is: where do I find this "Access token"? I don't know what to type in the shell! The AWS Cognito console doesn't help.

Upvotes: 47

Views: 61286

Answers (4)

Hettomei

Reputation: 2233

To change a user password:

With this aws cli:

$ aws --version
aws-cli/1.17.9 Python/3.6.10 Linux/5.3.0-26-generic botocore/1.14.9

You can do it this way:

aws cognito-idp admin-set-user-password --user-pool-id 'eu-west-11111'  --username 'aaaaaa-aaaa-aaaa-aaaa' --password 'a new password' --permanent

To have more information:

aws cognito-idp admin-set-user-password help

Upvotes: 62

Esben von Buchwald

Reputation: 3104

The aws cognito-idp change-password can only be used with a user who is able to sign in, because you need the Access token from aws cognito-idp admin-initiate-auth.

But since the user has a temporary password, it will face the NEW_PASSWORD_REQUIRED challenge when trying to sign in.

Here's how I did it:

$ aws cognito-idp admin-create-user  --user-pool-id USERPOOLID  --username [email protected] --desired-delivery-mediums EMAIL --user-attributes Name=email,[email protected]

$ aws cognito-idp initiate-auth --client-id CLIENTID --auth-flow USER_PASSWORD_AUTH --auth-parameters [email protected],PASSWORD="tempPassword"

Now you get a NEW_PASSWORD_REQUIRED challenge and a very long session token. Use that one to respond to the challenge:

$ aws cognito-idp admin-respond-to-auth-challenge --user-pool-id USERPOOLID --client-id CLIENTID   --challenge-responses "NEW_PASSWORD=LaLaLaLa1234!!!!,[email protected]" --challenge-name NEW_PASSWORD_REQUIRED --session "YourLongSessionToken"

Update:

Since the original answer, a new option, aws cognito-idp admin-set-user-password has been introduced.

Upvotes: 31
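The NEW_PASSWORD_REQUIRED exchange from the answer above, written as an added example (not code from the answer or from AWS) against the boto3 cognito-idp method names. `FakeCognito` is a constructed in-memory stand-in for the service side so the flow can be run offline; pass a real `boto3.client("cognito-idp")` instead to run it against a user pool. Note that the session value returned with the challenge must be echoed back unchanged, and that the AccessToken in the final result is the token `change-password` asks for.

```python
def complete_first_login(client, client_id, username, temp_password, new_password):
    """Sign in with the temporary password, answer NEW_PASSWORD_REQUIRED, return tokens."""
    auth = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",  # the app client must allow this flow
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )
    if "AuthenticationResult" in auth:
        return auth["AuthenticationResult"]  # password already permanent: no challenge
    if auth.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise RuntimeError(f"unexpected challenge: {auth.get('ChallengeName')!r}")
    # The Session string from the challenge must be echoed back unchanged.
    resp = client.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=auth["Session"],
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return resp["AuthenticationResult"]  # AccessToken here is what change-password needs


class FakeCognito:
    """Constructed stand-in for the Cognito side of the exchange (not boto3)."""
    def __init__(self, username, temp_password):
        self.users = {username: {"password": temp_password, "status": "FORCE_CHANGE_PASSWORD"}}
        self.sessions, self.issued = set(), 0

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException")
        if user["status"] == "FORCE_CHANGE_PASSWORD":
            self.issued += 1
            session = f"session-{self.issued}"  # opaque, single-use on the real service too
            self.sessions.add(session)
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": session}
        return {"AuthenticationResult": {"AccessToken": "token-for-" + AuthParameters["USERNAME"]}}

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        if ChallengeName != "NEW_PASSWORD_REQUIRED" or Session not in self.sessions:
            raise PermissionError("NotAuthorizedException: bad session")
        self.sessions.discard(Session)
        user = self.users[ChallengeResponses["USERNAME"]]
        user["password"], user["status"] = ChallengeResponses["NEW_PASSWORD"], "CONFIRMED"
        return {"AuthenticationResult": {"AccessToken": "token-for-" + ChallengeResponses["USERNAME"]}}


def run_demo():
    """Drive the flow against the fake with constructed values; returns checkable results."""
    fake = FakeCognito("alice", "Temp123!")
    tokens = complete_first_login(fake, "client-id", "alice", "Temp123!", "NewPass456!")
    second = complete_first_login(fake, "client-id", "alice", "NewPass456!", "unused")
    return {"access_token": tokens["AccessToken"], "status": fake.users["alice"]["status"],
            "password": fake.users["alice"]["password"], "second_token": second["AccessToken"]}
```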

CptWasp

Reputation: 492

The right API is: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html

The syntax is:

{
   "Password": "string",
   "Permanent": true,
   "Username": "string",
   "UserPoolId": "string"
}

You can specify that the specified password is permanent, and you will have the user in the CONFIRMED status. It's correct that this API doesn't require the old password, because it wouldn't be safe. The admin doesn't need to know user passwords. So the API has been named "AdminSetUserPassword" and not "AdminChangeUserPassword".

Upvotes: 5

asdf

Reputation: 3067

The access token is retrieved by logging the user in. You can get this token by running the aws cli command aws cognito-idp admin-initiate-auth for the user (Found here).

This will require you to have root credentials for the cognito pool, which I assume you have. The command will return the access token which you can use for one hour (cognito tokens expire after 1 hour regardless of settings, look here).

Upvotes: 0
