I am trying to send an authenticated request to AWS API Gateway. The clients will authenticate against Cognito Your User Pools, and then obtain a token from an associated Cognito Identity Pool corresponding to the logged-in user in the user pool. I am trying to simulate such a request using Postman.
This post suggests that the command aws cognito-identity get-credentials-for-identity can be used to get the AccessKeyId and SecretKey needed for Postman to sign the request. However, when I try to run it with the sub attribute for a user from the Cognito User Pool console:
$ aws cognito-identity get-credentials-for-identity --identity-id aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ValidationException) when calling the GetCredentialsForIdentity operation: 1 validation error detected: Value 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' at 'identityId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w-]+:[0-9a-f-]+
$ aws cognito-identity get-credentials-for-identity --identity-id us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ResourceNotFoundException) when calling the GetCredentialsForIdentity operation: Identity 'us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found.
The same thing happens if I try to use an identity ID from the associated identity pool shown in the AWS Console (I selected one that has 2 "linked logins").
Open the Postman Application (Here is the link to download Postman Application). Go to Authorization tab. From the dropdown select type as OAuth 2.0 and click on Get access token.
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
You need to pass along the login map:
--logins (map)
A set of optional name-value pairs that map provider names to
provider tokens.
Shorthand Syntax:
KeyName1=string,KeyName2=string
JSON Syntax:
{"string": "string"
...}
This syntax worked for me:
aws cognito-identity get-credentials-for-identity \
--identity-id us-east-1:aaaa-bbb-ccc-bc54-rrrrrrr \
--logins graph.facebook.com=kdajbdjkabkjbkjbkdbsckslcjxb
Note: --identity-id is not the identity pool id, it's the identity from the identity browser.
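For the user pool case in the question, the same call can be scripted as below. This is an added example, not code from the original posts: the function names, pool IDs and token are placeholders, and it assumes the identity pool trusts the user pool, so the logins key takes the form cognito-idp.<region>.amazonaws.com/<user pool id> and the value is the user's ID token.

```bash
#!/usr/bin/env bash
# Added example: exchange a Cognito user pool ID token for temporary AWS
# credentials. All IDs and tokens passed in are placeholders (assumptions).

# Identity IDs must match the pattern quoted in the ValidationException above:
# [\w-]+:[0-9a-f-]+ . A user pool "sub" has no "region:" prefix and is a
# user pool attribute, not an identity pool identity.
is_identity_id() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+:[0-9a-f-]+$'
}

# Build the --logins key for a user pool provider.
# $1 = region, $2 = user pool id
userpool_login_key() {
  printf 'cognito-idp.%s.amazonaws.com/%s' "$1" "$2"
}

# Resolve the identity that belongs to the token, then fetch its credentials.
# $1 = region, $2 = identity pool id, $3 = user pool id, $4 = ID token (JWT)
get_creds_for_userpool_user() {
  _region=$1; _idpool=$2; _userpool=$3; _token=$4
  _logins="$(userpool_login_key "$_region" "$_userpool")=$_token"

  # get-id returns (or creates) the identity linked to this login,
  # so nothing has to be copied from the console.
  _identity=$(aws cognito-identity get-id --region "$_region" \
      --identity-pool-id "$_idpool" --logins "$_logins" \
      --query IdentityId --output text) || return 1

  if ! is_identity_id "$_identity"; then
    echo "unexpected identity id: $_identity" >&2
    return 1
  fi

  # The same logins map is required again for an authenticated identity.
  aws cognito-identity get-credentials-for-identity --region "$_region" \
      --identity-id "$_identity" --logins "$_logins" \
      --query Credentials --output json
}
```

The JSON printed by get_creds_for_userpool_user contains AccessKeyId, SecretKey and SessionToken; all three go into Postman's AWS Signature authorization fields, since these are temporary credentials.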