AWS Boto / Warrant library: SRP authentication and credentials error

I have been stuck on the following issue for quite some time now. Within Python I want users to retrieve a token based upon their username and password from the AWS cognito-identity-pool making use of srp authentication. With this token I want the users to upload data to s3.

This is part of the code I use (from the warrant library): https://github.com/capless/warrant

    import boto3
    from warrant.aws_srp import long_to_hex  # hex encoding helper from warrant


    class SRPAuth:  # class wrapper added so the excerpt is self-contained
        def authenticate_user(self):
            # unauthenticated Cognito call: the request does not need AWS access keys
            self.client = boto3.client('cognito-idp', region_name="us-east-1")
            response = self.client.initiate_auth(
                AuthFlow='USER_SRP_AUTH',
                AuthParameters=self.get_auth_params(),
                ClientId=self.client_id
            )
            return response

        def get_auth_params(self):
            auth_params = {'USERNAME': self.username,
                           'SRP_A': long_to_hex(self.large_a_value)}
            # SECRET_HASH is only required when the app client has a client secret
            if self.client_secret is not None:
                auth_params.update({
                    "SECRET_HASH":
                    self.get_secret_hash(self.username, self.client_id, self.client_secret)})
            return auth_params

However, I keep on getting:

    botocore\auth.py", line 352, in add_auth raise NoCredentialsError
    botocore.exceptions.NoCredentialsError: Unable to locate credentials

I was able to get rid of this error by adding credentials to the .aws/credentials file. But this is not in line with the purpose of this program. It seems like there is a mistake in the warrant or botocore library, and it keeps on attempting to use the AWS Access Key ID and AWS Secret Access Key from the credentials file rather than the given credentials (username and password).

Any help is appreciated

daan166 Avatar asked Dec 16 '17 20:12

2 Answers

I am on the Cognito team. `initiate_auth` is an unauthenticated call, so it shouldn't require you to provide AWS credentials. The service endpoint will not validate the SigV4 signature for these calls.

That being said, some client libraries have certain peculiarities in the sense that you need to provide some dummy credentials; otherwise the client library will throw an exception. However, you can provide anything for the credentials.

Ionut Trestian Avatar answered Oct 21 '22 21:10


I too ran into this, using warrant.

The problem is that the boto3 libraries are trying to sign the request to aws, but this request is not supposed to be signed. To prevent that, create the identity pool client with a config that specifies no signing.

    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    # UNSIGNED tells botocore not to SigV4-sign requests, so no access keys are looked up
    client = boto3.client('cognito-idp', region_name='us-east-1', config=Config(signature_version=UNSIGNED))
Elroy Flynn Avatar answered Oct 21 '22 21:10
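Putting the two answers together, here is an added example (my code, not from the question, the answers, or the warrant project) that builds the unsigned `cognito-idp` client, checks before any call that it really will not try to sign, and computes the `SECRET_HASH` value the question's `get_secret_hash` produces, using the formula Cognito documents for app clients with a secret: Base64 of HMAC-SHA256 keyed by the client secret over `username + client_id`. The function names, the region and the client id / secret values are my own placeholders; the `boto3` parts assume boto3 and botocore are installed and are only exercised under `__main__`, while the hash and parameter helpers are pure standard library.

```python
import base64
import hashlib
import hmac


def compute_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH as Cognito expects it when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def build_srp_auth_params(username: str, srp_a_hex: str, client_id: str,
                          client_secret: str = None) -> dict:
    """AuthParameters for InitiateAuth with AuthFlow=USER_SRP_AUTH.
    SECRET_HASH is sent only when the app client was created with a secret;
    sending it for a secret-less client makes Cognito reject the call."""
    params = {"USERNAME": username, "SRP_A": srp_a_hex}
    if client_secret is not None:
        params["SECRET_HASH"] = compute_secret_hash(username, client_id, client_secret)
    return params


def make_unsigned_cognito_client(region_name: str):
    """cognito-idp client that never SigV4-signs requests, so InitiateAuth
    works on a machine that has no AWS access keys at all."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    return boto3.client("cognito-idp", region_name=region_name,
                        config=Config(signature_version=UNSIGNED))


def client_is_unsigned(client) -> bool:
    """Guard to run before calling initiate_auth: a client that still signs
    would raise NoCredentialsError on a host without access keys."""
    from botocore import UNSIGNED
    return client.meta.config.signature_version is UNSIGNED


if __name__ == "__main__":
    # Constructed placeholder values; real ones come from your user pool's app client
    # and from the SRP "A" value your SRP implementation generates.
    client = make_unsigned_cognito_client("us-east-1")
    print("client will sign requests:", not client_is_unsigned(client))
    params = build_srp_auth_params("alice", "SRP_A_HEX_PLACEHOLDER",
                                   "PLACEHOLDER_CLIENT_ID", "PLACEHOLDER_CLIENT_SECRET")
    print(params)
    # response = client.initiate_auth(AuthFlow="USER_SRP_AUTH",
    #                                 AuthParameters=params,
    #                                 ClientId="PLACEHOLDER_CLIENT_ID")
```

The `client_is_unsigned` check is the part worth keeping in real code: it turns the vague "Unable to locate credentials" failure at request time into an explicit precondition on the client object, which is easier to catch in a unit test than a network error.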