How do I reset a Cognito user's password that has expired?

Ryan Shillington · Jun 29, 2018 · Viewed 16.5k times

We're using Cognito. All is well. I added a user using the AdminCreateUser API, and they received their temporary password. Unfortunately they waited over a month to login, and now when they try to login with their temporary password, Cognito returns this error:

User account has expired, it must be reset by an administrator.

How do I do that? I don't see any reset button in the Cognito UI. Is there a CLI or API that I can call?

Answer

Ryan Shillington · Jul 2, 2018

The commands admin-reset-user-password and admin-enable-user do not work for an expired user.

The way you reset an expired user is to call admin-create-user again with the parameter MessageAction value = 'RESEND'.

For example via CLI command:

aws cognito-idp admin-create-user --region us-east-1 --user-pool-id us-east-1_youruserpoolid --username theusername --message-action RESEND

From the documentation:

"Set to 'RESEND' to resend the invitation message to a user that already exists and reset the expiration limit on the user's account."

Once you have reset the user, the user will need to change the temporary password; otherwise they will be put back into this state again once they have exceeded the expiration time period (by default 7 days according to AWS documentation).
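The single CLI call in the answer is enough for one user, but in practice an operator usually has to find every invited user who never set a real password and re-invite the ones whose invitation has lapsed. The following script is an added example, not code from the question or answer. It drives the same two AWS CLI commands (cognito-idp list-users, filtered on cognito:user_status, and cognito-idp admin-create-user with --message-action RESEND) through subprocess, and it assumes the user pool's TemporaryPasswordValidityDays (7 by default) can be passed in as validity_days and that UserLastModifiedDate is a fair proxy for when the current invitation was issued, since a RESEND updates it. The run parameter is there so the selection logic can be exercised against constructed responses without touching a real pool; the fake responses below are constructed, not captured.

```python
"""Re-invite Cognito users whose temporary password has expired.

Added example (not from the original post). Drives the AWS CLI via
subprocess; pass a different `run` callable to exercise the logic offline.
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone


def run_aws(args):
    """Run an AWS CLI command and return its parsed JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def to_datetime(value):
    """Accept the CLI's epoch-float or ISO 8601 timestamp forms; return an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def list_pending_users(pool_id, region, run=run_aws):
    """All users still in FORCE_CHANGE_PASSWORD, i.e. who never replaced their temporary password."""
    users, token = [], None
    while True:
        args = ["cognito-idp", "list-users", "--region", region,
                "--user-pool-id", pool_id,
                "--filter", 'cognito:user_status = "FORCE_CHANGE_PASSWORD"']
        if token:
            args += ["--pagination-token", token]
        resp = run(args)
        users.extend(resp.get("Users", []))
        token = resp.get("PaginationToken")
        if not token:
            return users


def expired_users(users, validity_days, now=None):
    """Usernames whose invitation is older than the pool's temporary-password validity.

    Assumption: UserLastModifiedDate marks when the current invitation was
    issued (a RESEND updates it), so it is used as the age reference.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=validity_days)
    return [u["Username"] for u in users
            if to_datetime(u["UserLastModifiedDate"]) < cutoff]


def resend_invitation(pool_id, region, username, run=run_aws):
    """The fix from the answer: AdminCreateUser with MessageAction=RESEND resets the expiry."""
    return run(["cognito-idp", "admin-create-user", "--region", region,
                "--user-pool-id", pool_id, "--username", username,
                "--message-action", "RESEND"])


def reinvite_expired(pool_id, region, validity_days=7, run=run_aws, now=None):
    """Find expired invitations and re-issue them; returns the usernames that were re-invited."""
    expired = expired_users(list_pending_users(pool_id, region, run), validity_days, now)
    for username in expired:
        resend_invitation(pool_id, region, username, run)
    return expired


if __name__ == "__main__":
    # Usage: python reinvite.py <user-pool-id> <region> [validity-days]
    pool, reg = sys.argv[1], sys.argv[2]
    days = int(sys.argv[3]) if len(sys.argv) > 3 else 7
    for name in reinvite_expired(pool, reg, days):
        print("re-invited", name)
```

The filter on cognito:user_status keeps the scan to users who still hold a temporary password, so a user who already signed in and set a real password is never touched. Users re-invited this way still have to log in and change the temporary password within the validity window, as the answer notes, or they will expire again.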