We're using Cognito. All is well. I added a user using the AdminCreateUser API, and they received their temporary password. Unfortunately they waited over a month to login, and now when they try to login with their temporary password, Cognito returns this error:
User account has expired, it must be reset by an administrator.
How do I do that? I don't see any reset button in the Cognito UI. Is there a CLI or API that I can call?
It doesn't look like expiration is built into the password policy. You could track password expiration by adding a passwordUpdatedAt field and manually updating that attribute on user sign-up and on changePassword.
It is not possible to get a user's password from AWS Cognito. Cognito just lets the user reset their password, but it has no API call to perform password retrieval, and it's not meant to do that for security reasons.
The commands admin-reset-user-password and admin-enable-user do not work for an expired user.

The way you reset an expired user is to call admin-create-user again with the parameter MessageAction value = 'RESEND'. For example, via the CLI command:
aws cognito-idp admin-create-user --region us-east-1 --user-pool-id us-east-1_youruserpoolid --username theusername --message-action RESEND
From the documentation:
"Set to 'RESEND' to resend the invitation message to a user that already exists and reset the expiration limit on the user's account."
Once you have reset the user, the user will need to change the temporary password; otherwise they will be put back into this state again once they have exceeded the expiration time period (by default 7 days, according to the AWS documentation).
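The same procedure as a small boto3 routine, added here as an illustration and not code from the answer above. It wraps the AdminCreateUser/MessageAction=RESEND call in a check an administrator would want first: read TemporaryPasswordValidityDays from the pool's password policy (falling back to Cognito's 7-day default) and only resend for users still in FORCE_CHANGE_PASSWORD whose last modification is older than that window. That "stale temporary password" test is a heuristic of this example, not a documented Cognito status; the pool id and username are the placeholders from the answer, and FakeCognitoClient is a constructed stand-in for the real cognito-idp client so the example runs offline.

```python
"""Re-invite Cognito users whose temporary password has expired.

Added example (not from the original post). Only admin_get_user,
describe_user_pool and admin_create_user(MessageAction='RESEND') are
real cognito-idp calls; the staleness check is this example's heuristic.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

DEFAULT_TEMP_PASSWORD_DAYS = 7  # Cognito's default when the pool sets no value


def temp_password_validity_days(client, user_pool_id: str) -> int:
    """Read TemporaryPasswordValidityDays from the pool's password policy."""
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    return int(policy.get("TemporaryPasswordValidityDays", DEFAULT_TEMP_PASSWORD_DAYS))


def temp_password_expired(user: dict, validity_days: int, now: datetime | None = None) -> bool:
    """Heuristic (assumption of this example): a user still in
    FORCE_CHANGE_PASSWORD who was not modified within validity_days
    is treated as having an expired temporary password."""
    if user["UserStatus"] != "FORCE_CHANGE_PASSWORD":
        return False
    now = now or datetime.now(timezone.utc)
    return user["UserLastModifiedDate"] + timedelta(days=validity_days) < now


def resend_invitation(client, user_pool_id: str, username: str) -> dict:
    """The fix from the answer: AdminCreateUser again with MessageAction=RESEND.
    This resets the expiration clock and sends a fresh temporary password
    without changing the user's attributes. Returns the updated User record."""
    resp = client.admin_create_user(
        UserPoolId=user_pool_id, Username=username, MessageAction="RESEND"
    )
    return resp["User"]


def reset_if_expired(client, user_pool_id: str, username: str, now=None) -> bool:
    """Resend the invitation only when the user looks expired; True if sent."""
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    days = temp_password_validity_days(client, user_pool_id)
    if not temp_password_expired(user, days, now):
        return False
    resend_invitation(client, user_pool_id, username)
    return True


class FakeCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client (offline demo).
    Records AdminCreateUser calls and bumps UserLastModifiedDate on RESEND."""

    def __init__(self, user: dict, validity_days: int | None = None, now=None):
        self.user = dict(user)
        self.validity_days = validity_days
        self.now = now
        self.calls: list[dict] = []

    def describe_user_pool(self, UserPoolId):
        policy = {} if self.validity_days is None else {
            "TemporaryPasswordValidityDays": self.validity_days}
        return {"UserPool": {"Id": UserPoolId, "Policies": {"PasswordPolicy": policy}}}

    def admin_get_user(self, UserPoolId, Username):
        return dict(self.user, Username=Username)

    def admin_create_user(self, **kwargs):
        self.calls.append(kwargs)
        stamp = self.now or datetime.now(timezone.utc)
        self.user = dict(self.user, UserLastModifiedDate=stamp)
        return {"User": dict(self.user, Username=kwargs["Username"])}


# Constructed sample users, not real pool data.
SAMPLE_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_STALE_USER = {"UserStatus": "FORCE_CHANGE_PASSWORD",
                     "UserLastModifiedDate": SAMPLE_NOW - timedelta(days=30)}
SAMPLE_FRESH_USER = {"UserStatus": "FORCE_CHANGE_PASSWORD",
                     "UserLastModifiedDate": SAMPLE_NOW - timedelta(days=2)}
SAMPLE_CONFIRMED_USER = {"UserStatus": "CONFIRMED",
                         "UserLastModifiedDate": SAMPLE_NOW - timedelta(days=400)}


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowed to call cognito-idp:Admin* APIs

    client = boto3.client("cognito-idp", region_name="us-east-1")
    print(reset_if_expired(client, "us-east-1_youruserpoolid", "theusername"))
```

The fake client shows the point of the answer's last paragraph: after a RESEND the user's last-modified timestamp moves forward, so a second run reports nothing to do, and the user is only safe once they log in and change the temporary password within the validity window.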