Ultimately, I need to generate a AccessKeyId, SecirutyKey and SessionToken for a user in a Cognito User Pool so I can test a lambda function as a cognito user using Postman. So far, I've spent 2 days trying to figure this out. It seems that this would work:
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/rolename--role-session-name "RoleSession1" --web-identity-token ??? --provider-id provideridvalue
I was able to get the provider-id value but I'm having trouble getting a valid value for the web-identity-token.
If I understand correctly this should get me the web-identity-token:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id clientidvalue --auth-parameters USERNAME=usernamevalue,PASSWORD=passwordvalue
I obtained the clientidvalue from the Federated Identities pool.
The problem I have been unable to resolve is that the above command gives me this error:
Unknown options: PASSWORD=<password>
I've tried many different variations including json format but nothing works. What am I doing wrong?
You can request an access token for a custom scope from the token endpoint when, in the app client, the requested scope is enabled, you have configured a client secret, and you have allowed client_credentials grants. Required. The ID of an app client in your user pool.
Amazon Cognito enables simple, secure user authentication, authorization and user management for web and mobile apps. With Cognito, a user or visitor can sign in with a username and password through Amazon, or through a third party like Facebook, Google or Apple.
Simply, You can request the id/access/refresh tokens using the code and the Cognito clientId+hostname, then use the id and access token to identify the user in your API calls.
Initiate new refresh tokens (API)Pass REFRESH_TOKEN_AUTH for the AuthFlow parameter. The authorization parameter, AuthParameters , is a key-value map where the key is "REFRESH_TOKEN" and the value is the actual refresh token. Amazon Cognito returns new ID and access tokens after your API request passes all challenges.
Here's the AWS CLI command to authenticate and receive an auth token:
aws cognito-idp initiate-auth --region YOU_REGION --auth-flow USER_PASSWORD_AUTH --client-id YOUR_CLIENT_ID --auth-parameters USERNAME=YOUR_EMAIL,PASSWORD=YOUR_PASSWORD
Example
aws cognito-idp initiate-auth --region us-west-2 --auth-flow USER_PASSWORD_AUTH --client-id 7f2spb636ptn074on1pdjgnk9l --auth-parameters [email protected],PASSWORD=Z3qj88WTJCi9DX6RRVFWtdv
Response
{
"ChallengeParameters": {},
"AuthenticationResult": {
"RefreshToken": "eyJjdH......89kXQjZ9thA",
"AccessToken": "eyJra......xB9eQ",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"IdToken": "eyJraWQiOiJh....PfRUcDeEw"
}
}
If you get the error {"__type":"InvalidParameterException","message":"USER_PASSWORD_AUTH flow not enabled for this client"}
, you need to enable USER_PASSWORD_AUTH.
Go to your AWS Cognito dashboard -> "App Clients" -> "Show Details" -> check the box "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)"
It works for me. I can't see any difference with yours
Are you using the app client id that you created at User Pool 'App clients' sections (not at federated identity section) ? If so, is this option checked ?
Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)
I am using the token starting after 3600 till the next whitespace. Put it on postman header and call lambda behind Cognito Authorizer.
If anyone interested in single command shell script version of this -> Bash Script
I use it quite often
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With