Reputation: 393
Ultimately, I need to generate an AccessKeyId, SecurityKey and SessionToken for a user in a Cognito User Pool so that I can test a lambda function as a cognito user using Postman. So far, I've spent 2 days trying to figure this out. It seems that this would work:
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/rolename --role-session-name "RoleSession1" --web-identity-token ??? --provider-id provideridvalue
I was able to get the provider-id value but I'm having trouble getting a valid value for the web-identity-token.
If I understand correctly this should get me the web-identity-token:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id clientidvalue --auth-parameters USERNAME=usernamevalue,PASSWORD=passwordvalue
I obtained the clientidvalue from the Federated Identities pool.
The problem I have been unable to resolve is that the above command gives me this error:
Unknown options: PASSWORD=<password>
I've tried many different variations including json format but nothing works. What am I doing wrong?
Upvotes: 14
Views: 21310
Reputation: 1
I was facing the same issue today, and the request was failing with the error "Unknown options: PASSWORD=".
On looking closely at the request, I realized that I had a space between the comma (,) and the PASSWORD parameter. It was like below:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=xxxxx, PASSWORD=yyyy --client-id my-app-client-id
I got it working after changing it as follows (after removing the space):
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=xxxxx,PASSWORD=yyyy --client-id my-app-client-id
Upvotes: 0
Reputation: 1166
It works for me. I can't see any difference from yours.
Are you using the app client id that you created in the User Pool 'App clients' section (not in the federated identity section)? If so, is this option checked?
Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)
I am using the token starting after 3600 till the next whitespace. Put it in a Postman header and call the lambda behind the Cognito Authorizer.
If anyone is interested in a single-command shell script version of this -> Bash Script
I use it quite often.
Upvotes: 7
Reputation: 20633
Here's the AWS CLI command to authenticate and receive an auth token:
aws cognito-idp initiate-auth --region YOUR_REGION --auth-flow USER_PASSWORD_AUTH --client-id YOUR_CLIENT_ID --auth-parameters USERNAME=YOUR_EMAIL,PASSWORD=YOUR_PASSWORD
Example
aws cognito-idp initiate-auth --region us-west-2 --auth-flow USER_PASSWORD_AUTH --client-id 7f2spb636ptn074on1pdjgnk9l --auth-parameters [email protected],PASSWORD=Z3qj88WTJCi9DX6RRVFWtdv
Response
{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "RefreshToken": "eyJjdH......89kXQjZ9thA",
        "AccessToken": "eyJra......xB9eQ",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "IdToken": "eyJraWQiOiJh....PfRUcDeEw"
    }
}
If you get the error {"__type":"InvalidParameterException","message":"USER_PASSWORD_AUTH flow not enabled for this client"}, you need to enable USER_PASSWORD_AUTH.
Go to your AWS Cognito dashboard -> "App Clients" -> "Show Details" -> check the box "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)"
Upvotes: 21
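An added example, not from any of the answers above: the "token after 3600" in the response is the IdToken, and the two JWTs in AuthenticationResult differ by their token_use claim. This script picks the IdToken out of an initiate-auth result and checks token_use and exp before it goes into the Authorization header. The tokens and claim values are constructed for offline use; the function names are mine, and the payload is decoded without signature verification (the Cognito authorizer does that check against the user pool's JWKS).

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for offline tests (constructed, dummy signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Enough to see which token you hold; trust decisions belong to the authorizer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def choose_authorizer_token(auth_result: dict, now=None) -> str:
    """Return the IdToken from an initiate-auth AuthenticationResult after
    checking it is an id token (token_use == "id") and not yet expired."""
    now = time.time() if now is None else now
    id_token = auth_result["IdToken"]
    claims = decode_claims(id_token)
    if claims.get("token_use") != "id":
        raise ValueError(f"expected token_use=id, got {claims.get('token_use')}")
    if claims["exp"] <= now:
        raise ValueError("IdToken expired; re-run initiate-auth or use the RefreshToken")
    return id_token


# Constructed sample in the shape of the CLI response (client id from the answer above).
SAMPLE_RESULT = {
    "RefreshToken": "eyJjdH.fake.fake",
    "AccessToken": make_unsigned_jwt({"token_use": "access", "exp": 1_700_003_600,
                                      "client_id": "7f2spb636ptn074on1pdjgnk9l"}),
    "ExpiresIn": 3600,
    "TokenType": "Bearer",
    "IdToken": make_unsigned_jwt({"token_use": "id", "exp": 1_700_003_600,
                                  "aud": "7f2spb636ptn074on1pdjgnk9l", "email": "user@example.com"}),
}

if __name__ == "__main__":
    print("Authorization:", choose_authorizer_token(SAMPLE_RESULT, now=1_700_000_000))
```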