3

I'm developing a Python script that interacts with a web service that uses Amazon Cognito (with which I'm unfamiliar) as the authentication backend and I'm having difficulties logging in.

My main issue is that boto3 requires both the AWS access key and secret key (without providing those I get the "NoCredentialsError"), but since this script will reside on multiple untrusted computers I don't want to store/embed those keys, for obvious security reasons.

The information that these untrusted computers will have access to are:

  • Username and Password for logging into the web service
  • Cognito Identity Pool ID
  • Cognito User Pool ID
  • Cognito Client ID

Is it possible, with the information these clients have, to correctly authenticate with Cognito? If so, how?

smnz

1 Answer

1

Yes. Call get_credentials_for_identity(). It does not require any credentials. Use this as follows:

import boto3
cognito = boto3.client('cognito-identity')
response = cognito.get_credentials_for_identity(IdentityId="id")

where "id" is the Cognito Identity Pool ID. response should return a dict including temporary Access Key, Secret Access Key, Session Token, and Expiration date.

Mangohero1
  • 1
    Just to add to that: the user pool operations that you are trying to call are unauthenticated, which means they don't require credentials. However, some generated clients have a peculiarity in that you need to populate the credentials object with placeholders. You can obviously use unauthenticated identity credentials for this. – Ionut Trestian Oct 20 '17 at 17:57
  • "id" isn't the Cognito Identity Pool ID. It's the response from GetId. More details here: https://stackoverflow.com/a/62789387/109102 – russau Feb 25 '21 at 07:37
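
The full exchange discussed in this thread, as an added example that is not part of the original question, answer or comments: sign in to the user pool with the username and password, pass the resulting ID token to GetId, then call GetCredentialsForIdentity, all with unsigned requests so no AWS keys are stored on the client. It assumes the app client allows the USER_PASSWORD_AUTH flow and has no client secret; `unsigned_client`, `login_provider`, `cognito_login` and the `make_client` parameter are names chosen for this example.

```python
# Added example (not from the original thread). Assumes the app client has
# USER_PASSWORD_AUTH enabled and no client secret.

def unsigned_client(service, region):
    """boto3 client that neither looks up nor signs with AWS access keys."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    return boto3.client(service, region_name=region,
                        config=Config(signature_version=UNSIGNED))


def login_provider(user_pool_id):
    """User pool IDs look like '<region>_<suffix>'; derive region and Logins key."""
    region = user_pool_id.split("_", 1)[0]
    return region, f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def cognito_login(username, password, user_pool_id, client_id,
                  identity_pool_id, make_client=unsigned_client):
    """Exchange username/password for temporary AWS credentials."""
    region, provider = login_provider(user_pool_id)

    # 1. User pool sign-in: returns JWTs, needs only the public client ID.
    idp = make_client("cognito-idp", region)
    auth = idp.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    if "AuthenticationResult" not in auth:
        # e.g. MFA or NEW_PASSWORD_REQUIRED; must be answered separately.
        raise RuntimeError(f"challenge required: {auth.get('ChallengeName')}")
    logins = {provider: auth["AuthenticationResult"]["IdToken"]}

    # 2. GetId maps the identity *pool* ID plus the ID token to an identity ID.
    pool_region = identity_pool_id.split(":", 1)[0]
    identity = make_client("cognito-identity", pool_region)
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id,
                                  Logins=logins)["IdentityId"]

    # 3. Temporary keys, scoped by the pool's role for authenticated identities.
    creds = identity.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)["Credentials"]
    return identity_id, creds
```

The returned `creds` dict carries `AccessKeyId`, `SecretKey`, `SessionToken` and `Expiration`; what those keys can do is decided by the IAM role attached to the identity pool, so that role is where least privilege has to be enforced.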