
Boto3 - botocore.errorfactory.NotAuthorizedException

Tags:

boto3

Using boto3 and warrant in python3. Headless system. Trying to log in using a python script using AWSSRP from warrant. With user pool there is the problem of changing the temporary password. So... I have the code trying the temp password first and when that fails it switches over to trying the permanent password. I am running into a couple of different issues:

1) After I get the temporary password changed and I run the script again I get the exception:

botocore.errorfactory.NotAuthorizedException

I can't seem to import that exception from boto3 or botocore. How do I capture that exception?

2) I am sometimes getting a "too many passwords attempted" error:

An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Password attempts exceeded

Obviously I need to wait a certain time period. Does anybody know what that is? Is that time period settable in my user pool or account?

Code:

import boto3
from warrant.aws_srp import AWSSRP
from warrant.exceptions import ForceChangePasswordException

userName = 'XXXXXXXX'
tempPassword = 'XXXXXXXX'
poolId = 'us-east-1_XXXXXXXX'
poolRegion = 'us-east-1'
clientId = 'XXXXXXXXXXXXXXXXXXXXXXXXXX'
#clientSecret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
client = None
finalPassword = "YYYYYYYYY"

try:
    client = boto3.client('cognito-idp')
    aws = AWSSRP(
        userName,
        tempPassword,
        poolId,
        clientId,
        client=None)
    tokens = aws.authenticate_user()
except ForceChangePasswordException:
    aws.set_new_password_challenge(finalPassword, client=None)
    aws = AWSSRP(
        userName,
        finalPassword,
        poolId,
        clientId,
        client=None)
    tokens = aws.authenticate_user()
except Exception as e: 
    print(str(e))

Also, I'd rather just try the final password first, if that does not work then use the temp password, change the password and then retry the final password. I'd still have to get past the:

botocore.errorfactory.NotAuthorizedException

Eric Snyder asked Oct 19 '25 12:10


1 Answer

To answer your first question (how to capture the boto3 exception), you have to call it via the CognitoIdentityProvider Client object:

import boto3
from warrant.aws_srp import AWSSRP

...

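# Create the client before the try block so that client.exceptions is
# already bound when the except clause is evaluated.
client = boto3.client('cognito-idp')

try:
    aws = AWSSRP(
            userName,
            tempPassword,
            poolId,
            clientId,
            client=None)
    tokens = aws.authenticate_user()
except client.exceptions.NotAuthorizedException as e:
    # The exception class is reached through the client object, not an import
    print("error: {}".format(e))
    ...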

For any method within boto3 that you call, you can find the full list of Exceptions in the Cognito Identity Provider API reference, under the 'Errors' section of the method you're using.

For example, NotAuthorizedException is only one of the several errors you could encounter when calling aws.authenticate_user, because warrant is making a call to Initiate_Auth, which has its errors listed here.

Hope that helps.

Matt Hahn answered Oct 26 '25 10:10
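The flow the question asks for (final password first, temporary password as a fallback) with the lockout message kept apart from an ordinary rejection, as an added example that is not code from either post, warrant or boto3. `authenticate`, `change_password` and `fake_pool` are hypothetical names; the error is read from the `response` dict that botocore's `ClientError` carries, and the pool is a constructed stand-in so the block runs offline.

```python
LOCKOUT_TEXT = "Password attempts exceeded"  # message quoted in the question


class LockedOut(Exception):
    """Cognito is refusing further attempts: back off, do not retry."""


def guarded(call, *args):
    """Return (True, result), or (False, None) if the password was rejected."""
    try:
        return True, call(*args)
    except Exception as exc:
        # botocore's ClientError carries the service error in exc.response
        err = (getattr(exc, "response", None) or {}).get("Error", {})
        if err.get("Code") != "NotAuthorizedException":
            raise  # not an auth rejection: let it surface
        if LOCKOUT_TEXT in err.get("Message", ""):
            raise LockedOut(err["Message"]) from exc
        return False, None


def sign_in(authenticate, change_password, final_pw, temp_pw):
    """Try the final password first; fall back to the temporary one once.
    authenticate(pw) and change_password(temp, new) are hypothetical wrappers
    around the AWSSRP calls in the question; there is deliberately no retry loop.
    """
    ok, tokens = guarded(authenticate, final_pw)
    if not ok:
        ok, _ = guarded(change_password, temp_pw, final_pw)
        if ok:
            ok, tokens = guarded(authenticate, final_pw)
    if not ok:
        raise PermissionError("final and temporary passwords both rejected")
    return tokens


def fake_pool(state):
    """Constructed offline stand-in: state = {"password": str, "locked": bool}."""
    def authenticate(pw):
        message = LOCKOUT_TEXT if state["locked"] else "Incorrect username or password."
        if state["locked"] or pw != state["password"]:
            exc = Exception(message)
            exc.response = {"Error": {"Code": "NotAuthorizedException", "Message": message}}
            raise exc
        return {"AccessToken": "constructed-token"}
    def change_password(temp, new):
        authenticate(temp)
        state["password"] = new
    return authenticate, change_password
```

With real calls, `authenticate` would wrap `AWSSRP(...).authenticate_user()` and `change_password` would wrap `set_new_password_challenge`, as in the question's code.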


