How to change password of AWS Cognito User?

Question

I'm developing a web application which uses the AWS services backend side. I'm using AWS Cognito to manage the users but I have a problem. When I create a new user (with a temporary password) it is required that I change this password manually to make it definitive. The only way I have to change the password is using AWS Cli, as explained here:

https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/change-password.html

I have to type in the shell the old password, the new password and the Access Token. The problem is: where I find this "Access token"? I don't know what to type in the shell! The AWS Cognito console doen't help.

On a related note - there is now the ability for admin to set a permanent password. Yay! https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html — cyberwombat, Feb 26 '20 at 15:45

score 48 · Answer 1 · answered Jan 28 '20 at 13:09

48

To change a user password :

With this aws cli :

$ aws --version
aws-cli/1.17.9 Python/3.6.10 Linux/5.3.0-26-generic botocore/1.14.9

You can do this this way :

aws cognito-idp admin-set-user-password --user-pool-id "eu-west-11111"  --username "aaaaaa-aaaa-aaaa-aaaa" --password "a new password" --permanent

To have more information :

 aws cognito-idp admin-set-user-password help

answered Jan 28 '20 at 13:09

Hettomei

1,934
1
16
14

There is NO admin-set-user-password. As per the documentation, there is admin-reset-user-password and that will send a verification code to the mail id specified – coderHASH64codingHASH46code Apr 17 '20 at 22:32
6

As at May 2020, there is an admin-set-user-password: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/admin-set-user-password.html – Benno May 29 '20 at 06:08
3

This should be the accepted answer. Thanks! – tiagolisalves Aug 11 '21 at 15:16
1

Thanks @Hettomei. I was able to execute this command from the CloudShell successfully. – Karthik Vasishta Ramesh Mar 27 '23 at 22:23
1

You may need to add the region flag `--region xx-xxxx-xx` if you're targeting a user pool that's not on the set default region. – Brhaka Apr 10 '23 at 17:49

Esben von Buchwald · Answer 2 · 2022-10-15T18:36:54.683

30

The aws cognito-idp change-password can only be used with a user who is able to sign in, because you need the Access token from aws cognito-idp admin-initiate-auth.

But since the user has a temporary password, it will face the NEW_PASSWORD_REQUIRED challenge when trying to sign in.

Here's how I did it:

$ aws cognito-idp admin-create-user  --user-pool-id USERPOOLID  --username me@example.com --desired-delivery-mediums EMAIL --user-attributes Name=email,Value=me@example.com

$ aws cognito-idp initiate-auth --client-id CLIENTID --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=me@example.com.me,PASSWORD="tempPassword"

Now you get a NEW_PASSWORD_REQUIRED challenge and a very long session token. Use that one to respond to the challenge:

$ aws cognito-idp admin-respond-to-auth-challenge --user-pool-id USERPOOLID --client-id CLIENTID   --challenge-responses "NEW_PASSWORD=LaLaLaLa1234!!!!,USERNAME=me@example.com" --challenge-name NEW_PASSWORD_REQUIRED --session "YourLongSessionToken"

Update:

Since the original answer, a new option, aws cognito-idp admin-set-user-password has been introduced.

edited Oct 15 '22 at 18:36

answered Jul 29 '18 at 00:27

Esben von Buchwald

2,772
1
29
37

Where do you get the CLIENTID value when executing the `aws cognito-idp initiate-auth ...`? – barracuda Aug 18 '19 at 04:07
2

You simply create a client in the AWS Cognito configuration (either using console, CLI or CloudFormation). That client ID is also used as a configuration variable in the app/website that's logging in to Cognito. – Esben von Buchwald Aug 19 '19 at 05:59
I don't see USER_PASSWORD_AUTH as an option for --auth-flow when I type in ```aws cognito-idp initiate-user help```. I'm unsure of what the alternative would be or if I have my setup improperly configured. – Matthew Zackschewski Nov 16 '19 at 21:42
1

@MatthewZackschewski Looks like you are calling `initiate-user`, not `initiate-auth` :) – Esben von Buchwald Nov 17 '19 at 21:49
@EsbenvonBuchwald Duh... thanks. Been a long day :) – Matthew Zackschewski Nov 18 '19 at 12:50

score 4 · Answer 3 · answered Apr 19 '21 at 12:51

The right API is: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html

The syntax is:

{
   "Password": "string",
   "Permanent": true,
   "Username": "string",
   "UserPoolId": "string"
}

You can specify that the specified password is permanent, and you will have the user in the CONFIRMED status. It's correct that this API doesn't require the old password, because it wouldn't be safe. The admin doesn't need to know user passwords. So the API has been named "AdminSetUserPassword" and not "AdminChangeUserPassword".

score 0 · Answer 4 · answered Sep 20 '17 at 19:37

0

The access token is retrieved by logging the user in. You can get this token by running the aws cli command aws cognito-idp admin-initiate-auth for the user (Found here).

This will require you to have root credentials for the cognito pool, which I assume you have. The command will return the access token which you can use for one hour (cognito tokens expire after 1 hour regardless of settings, look here).

answered Sep 20 '17 at 19:37

asdf

2,927
2
21
42

You only get the access token afte a successful login, not when you hit a challenge. – Esben von Buchwald Jul 29 '18 at 00:20

How to change password of AWS Cognito User?

4 Answers4