Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AWS CLI - how to generate security tokens for a cognito user

Ultimately, I need to generate a AccessKeyId, SecirutyKey and SessionToken for a user in a Cognito User Pool so I can test a lambda function as a cognito user using Postman. So far, I've spent 2 days trying to figure this out. It seems that this would work:

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/rolename--role-session-name "RoleSession1" --web-identity-token ??? --provider-id provideridvalue

I was able to get the provider-id value but I'm having trouble getting a valid value for the web-identity-token.

If I understand correctly this should get me the web-identity-token:

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id clientidvalue --auth-parameters USERNAME=usernamevalue,PASSWORD=passwordvalue

I obtained the clientidvalue from the Federated Identities pool.

The problem I have been unable to resolve is that the above command gives me this error:

Unknown options: PASSWORD=<password>

I've tried many different variations including json format but nothing works. What am I doing wrong?

like image 687
Dar Avatar asked Apr 11 '18 18:04

Dar


People also ask

How do I get my AWS Cognito access token?

You can request an access token for a custom scope from the token endpoint when, in the app client, the requested scope is enabled, you have configured a client secret, and you have allowed client_credentials grants. Required. The ID of an app client in your user pool.

How can you use Cognito to provide security to a user?

Amazon Cognito enables simple, secure user authentication, authorization and user management for web and mobile apps. With Cognito, a user or visitor can sign in with a username and password through Amazon, or through a third party like Facebook, Google or Apple.

How do I get my Cognito access token authorization code?

Simply, You can request the id/access/refresh tokens using the code and the Cognito clientId+hostname, then use the id and access token to identify the user in your API calls.

How do I get AWS Cognito refresh token?

Initiate new refresh tokens (API)Pass REFRESH_TOKEN_AUTH for the AuthFlow parameter. The authorization parameter, AuthParameters , is a key-value map where the key is "REFRESH_TOKEN" and the value is the actual refresh token. Amazon Cognito returns new ID and access tokens after your API request passes all challenges.


2 Answers

Here's the AWS CLI command to authenticate and receive an auth token:

aws cognito-idp initiate-auth --region YOU_REGION --auth-flow USER_PASSWORD_AUTH --client-id YOUR_CLIENT_ID --auth-parameters USERNAME=YOUR_EMAIL,PASSWORD=YOUR_PASSWORD

Example

aws cognito-idp initiate-auth --region us-west-2 --auth-flow USER_PASSWORD_AUTH --client-id 7f2spb636ptn074on1pdjgnk9l --auth-parameters [email protected],PASSWORD=Z3qj88WTJCi9DX6RRVFWtdv

Response

{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "RefreshToken": "eyJjdH......89kXQjZ9thA",
        "AccessToken": "eyJra......xB9eQ",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "IdToken": "eyJraWQiOiJh....PfRUcDeEw"
    }
}

If you get the error {"__type":"InvalidParameterException","message":"USER_PASSWORD_AUTH flow not enabled for this client"}, you need to enable USER_PASSWORD_AUTH.

Go to your AWS Cognito dashboard -> "App Clients" -> "Show Details" -> check the box "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)"

like image 144
Miguel Mota Avatar answered Oct 21 '22 09:10

Miguel Mota


It works for me. I can't see any difference with yours

Terminal Screenshot

Are you using the app client id that you created at User Pool 'App clients' sections (not at federated identity section) ? If so, is this option checked ?

Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)

I am using the token starting after 3600 till the next whitespace. Put it on postman header and call lambda behind Cognito Authorizer.

UPDATE

If anyone interested in single command shell script version of this -> Bash Script

I use it quite often

like image 33
Can Sahin Avatar answered Oct 21 '22 08:10

Can Sahin