I'm developing a web application which uses AWS services on the backend side. I'm using AWS Cognito to manage the users, but I have a problem. When I create a new user (with a temporary password), it is required that I change this password manually to make it definitive. The only way I have to change the password is using the AWS CLI, as explained here:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/change-password.html
I have to type in the shell the old password, the new password and the Access Token. The problem is: where do I find this "Access token"? I don't know what to type in the shell! The AWS Cognito console doesn't help.
The aws cognito-idp change-password command can only be used with a user who is able to sign in, because you need the Access token from aws cognito-idp admin-initiate-auth. But since the user has a temporary password, it will face the NEW_PASSWORD_REQUIRED challenge when trying to sign in.
Here's how I did it:
$ aws cognito-idp admin-create-user --user-pool-id USERPOOLID --username USEREMAIL --desired-delivery-mediums EMAIL --user-attributes Name=email,Value=USEREMAIL
$ aws cognito-idp initiate-auth --client-id CLIENTID --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=USEREMAIL,PASSWORD='tempPassword'
Now you get a NEW_PASSWORD_REQUIRED challenge and a very long session token. Use that one to respond to the challenge:
$ aws cognito-idp admin-respond-to-auth-challenge --user-pool-id USERPOOLID --client-id CLIENTID --challenge-responses 'NEW_PASSWORD=LaLaLaLa1234!!!!,USERNAME=USEREMAIL' --challenge-name NEW_PASSWORD_REQUIRED --session 'YourLongSessionToken'
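The same flow as the answer above, done programmatically with the boto3 cognito-idp calls (initiate_auth, then respond_to_auth_challenge on the NEW_PASSWORD_REQUIRED challenge) so that the resulting AccessToken can feed change_password. This is an added example, not code from the question or the answer; the FakeCognito client, the token strings and the CLIENTID/username values are constructed so the block runs offline.

```python
from typing import Any

NEW_PASSWORD_REQUIRED = "NEW_PASSWORD_REQUIRED"


def complete_first_signin(client: Any, client_id: str, username: str,
                          temp_password: str, new_password: str) -> str:
    """Sign in with the temporary password, answer NEW_PASSWORD_REQUIRED and
    return the AccessToken. `client` is boto3.client("cognito-idp") in real
    use; any object with the same two methods (like FakeCognito) works offline."""
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )
    if resp.get("ChallengeName") == NEW_PASSWORD_REQUIRED:
        # The Session is short-lived and single-use: answer it right away.
        resp = client.respond_to_auth_challenge(
            ClientId=client_id,
            ChallengeName=NEW_PASSWORD_REQUIRED,
            Session=resp["Session"],
            ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
        )
    if "AuthenticationResult" not in resp:
        # Some other challenge (e.g. MFA) is still pending: fail loudly.
        raise RuntimeError(f"unexpected challenge: {resp.get('ChallengeName')}")
    return resp["AuthenticationResult"]["AccessToken"]


class FakeCognito:
    """Constructed stand-in for the cognito-idp client (assumption, offline only).
    Models a user made with admin-create-user: the first sign-in returns the
    challenge plus a Session, and only that Session unlocks an AccessToken."""

    def __init__(self, username: str, temp_password: str) -> None:
        self._user, self._temp = username, temp_password
        self._session = "constructed-session-token"
        self.calls = []

    def initiate_auth(self, **kw):
        self.calls.append("initiate_auth")
        p = kw["AuthParameters"]
        if (p["USERNAME"], p["PASSWORD"]) != (self._user, self._temp):
            raise RuntimeError("NotAuthorizedException")
        return {"ChallengeName": NEW_PASSWORD_REQUIRED, "Session": self._session}

    def respond_to_auth_challenge(self, **kw):
        self.calls.append("respond_to_auth_challenge")
        if kw["Session"] != self._session or kw["ChallengeName"] != NEW_PASSWORD_REQUIRED:
            raise RuntimeError("NotAuthorizedException: invalid session")
        return {"AuthenticationResult": {"AccessToken": "constructed-access-token"}}
```

With a real client the returned token is what `client.change_password(PreviousPassword=..., ProposedPassword=..., AccessToken=token)` expects, which is the value the question was missing.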