AWS CLI - how to generate security tokens for a cognito user

aws-cli aws-lambda aws-cognito postman

Ultimately, I need to generate a AccessKeyId, SecirutyKey and SessionToken for a user in a Cognito User Pool so I can test a lambda function as a cognito user using Postman. So far, I've spent 2 days trying to figure this out. It seems that this would work:

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/rolename--role-session-name "RoleSession1" --web-identity-token ??? --provider-id provideridvalue

I was able to get the provider-id value but I'm having trouble getting a valid value for the web-identity-token.

If I understand correctly this should get me the web-identity-token:

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id clientidvalue --auth-parameters USERNAME=usernamevalue,PASSWORD=passwordvalue

I obtained the clientidvalue from the Federated Identities pool.

The problem I have been unable to resolve is that the above command gives me this error:

Unknown options: PASSWORD=<password>

I've tried many different variations including json format but nothing works. What am I doing wrong?


Solution 1:

Here's the AWS CLI command to authenticate and receive an auth token:

aws cognito-idp initiate-auth --region YOU_REGION --auth-flow USER_PASSWORD_AUTH --client-id YOUR_CLIENT_ID --auth-parameters USERNAME=YOUR_EMAIL,PASSWORD=YOUR_PASSWORD

Example

aws cognito-idp initiate-auth --region us-west-2 --auth-flow USER_PASSWORD_AUTH --client-id 7f2spb636ptn074on1pdjgnk9l --auth-parameters [email protected],PASSWORD=Z3qj88WTJCi9DX6RRVFWtdv

Response

{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "RefreshToken": "eyJjdH......89kXQjZ9thA",
        "AccessToken": "eyJra......xB9eQ",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "IdToken": "eyJraWQiOiJh....PfRUcDeEw"
    }
}

If you get the error {"__type":"InvalidParameterException","message":"USER_PASSWORD_AUTH flow not enabled for this client"}, you need to enable USER_PASSWORD_AUTH.

Go to your AWS Cognito dashboard -> "App Clients" -> "Show Details" -> check the box "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)"

Solution 2:

It works for me. I can't see any difference with yours

Terminal Screenshot

Are you using the app client id that you created at User Pool 'App clients' sections (not at federated identity section) ? If so, is this option checked ?

Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)

I am using the token starting after 3600 till the next whitespace. Put it on postman header and call lambda behind Cognito Authorizer.

UPDATE

If anyone interested in single command shell script version of this -> Bash Script

I use it quite often

Related

How to count the number of files in a directory using Python
change css of cloned element
What is the Windows Projected File System?
Bye Windows Defender, I need to turn you back off again
Remotely run script on Unix, get output locally?
What does "LFF SATA" mean?
What is better for GPG keys - RSA or DSA?
Can I use another port other than 443 for SSL communication?
Closing GUI session while running a virtual machine - Virtual Box
What is command to see all java versions installed on linux?
Comparing two strings in Excel?
Disable screen orientation hot keys in windows 8 (ctrl alt arrow) [duplicate]