I'm using a Cognito user pool for securing my API Gateway. Now I would like to make requests to my API using Postman, but I need to pass in an Authorization token as the API is secured. Is there any AWS CLI command or REST API to generate auth tokens (by passing username/password)? I have searched the documentation but couldn't find any examples. Thanks for your help.
3 Answers
You can do this using the following CLI commands:
Register a user
aws cognito-idp sign-up --region {your-aws-region} --client-id {your-client-id} --username admin@example.com --password password123
Confirm user registration
aws cognito-idp admin-confirm-sign-up --region {your-aws-region} --user-pool-id {your-user-pool-id} --username admin@example.com
Authenticate (get tokens)
aws cognito-idp admin-initiate-auth --region {your-aws-region} --cli-input-json file://auth.json
Where auth.json is:
{
  "UserPoolId": "{your-user-pool-id}",
  "ClientId": "{your-client-id}",
  "AuthFlow": "ADMIN_NO_SRP_AUTH",
  "AuthParameters": {
    "USERNAME": "admin@example.com",
    "PASSWORD": "password123"
  }
}
You should get a response like this if everything is set up correctly:
{
  "AuthenticationResult": {
    "ExpiresIn": 3600,
    "IdToken": "{your-idtoken}",
    "RefreshToken": "{your-refresh-token}",
    "TokenType": "Bearer",
    "AccessToken": "{your-access-token}"
  },
  "ChallengeParameters": {}
}

- Do we need AccessKeyId and SecretAccessKey if we want to get the token through REST API? – Harshith Reddy Feb 08 '19 at 05:37
- Make sure you tick "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" before trying to authenticate. If you want to test your API Gateway and Cognito authorization, then the "IdToken" attribute that is returned from the request is the "authorization token". – Meir Gabay Oct 31 '19 at 08:42
- The app client must be created without an app client secret (uncheck this); otherwise you will keep getting the error below: error occurred (NotAuthorizedException) when calling the ForgotPassword operation: Unable to verify secret hash for client – Bingo Jul 30 '21 at 07:04
- @Bingo If an app client secret is set, then the above CLI commands can be run with the additional `--secret-hash` option. Instructions for how to digest the ID + secret + options into the hash value are provided [here](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash) – changingrainbows Dec 15 '21 at 12:50
- Here's the script version with a secret hash and SMS_MFA flow: https://gist.github.com/alarv/d84e5c468e0daf9d7cb5d28e7cef9073 – Alex Arvanitidis Jan 10 '23 at 11:38
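Added example (not code from any answer above nor from the linked gist) tying together the answer's token flow and the `--secret-hash` comments: it computes the SECRET_HASH for an app client that has a client secret, then calls `initiate-auth` with USER_PASSWORD_AUTH and extracts the IdToken that API Gateway expects in the Authorization header. Region, client id, client secret and API URL are placeholders; reading the password from the COGNITO_PASSWORD environment variable is this example's own convention, so the password stays out of the shell history.

```shell
#!/bin/sh
# Added example, not from the original answers. Requires the AWS CLI to be
# configured (see the answers above) plus openssl and base64 on PATH.
#
# SECRET_HASH = Base64( HMAC-SHA256( key = client secret, msg = username + client id ) )
set -eu

# Computes the SECRET_HASH Cognito requires when the app client has a secret.
cognito_secret_hash() {
  username="$1"; client_id="$2"; client_secret="$3"
  printf '%s%s' "$username" "$client_id" \
    | openssl dgst -sha256 -hmac "$client_secret" -binary \
    | base64
}

# Requests tokens with USER_PASSWORD_AUTH and prints only the IdToken, which is
# what an API Gateway Cognito authorizer validates in the Authorization header.
# The password is taken from $COGNITO_PASSWORD (this example's convention).
cognito_id_token() {
  region="$1"; client_id="$2"; client_secret="$3"; username="$4"
  hash="$(cognito_secret_hash "$username" "$client_id" "$client_secret")"
  aws cognito-idp initiate-auth \
    --region "$region" \
    --client-id "$client_id" \
    --auth-flow USER_PASSWORD_AUTH \
    --auth-parameters "USERNAME=${username},PASSWORD=${COGNITO_PASSWORD},SECRET_HASH=${hash}" \
    --query 'AuthenticationResult.IdToken' \
    --output text
}

# Demo, run only when RUN_COGNITO_DEMO=1 so the functions can also be sourced.
# All values below are placeholders for your own pool, client and API.
if [ "${RUN_COGNITO_DEMO:-0}" = "1" ]; then
  TOKEN="$(cognito_id_token us-east-1 your-client-id your-client-secret admin@example.com)"
  curl -s -H "Authorization: ${TOKEN}" \
    "https://your-api-id.execute-api.us-east-1.amazonaws.com/prod/your-resource"
fi
```

If the password can contain commas or equals signs, pass the parameters through `--cli-input-json` as in the first answer instead of the shorthand `--auth-parameters` syntax.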
Use the following command to generate the auth tokens; fill in the xxxx appropriately based on your Cognito configuration:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id xxxx --auth-parameters USERNAME=xx@xx.com,PASSWORD=xxxx
Note: You can use any username/password of a user under the applicable Cognito user pool. The client ID can be found under General settings --> App clients.
The AccessKeyId and SecretAccessKey are not required, as they were already defined while setting up the AWS CLI. If that is not done, use the following link to set it up first: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

There is an AWS CLI command to generate auth tokens. You can use the InitiateAuth CLI command for this.
Note: Make sure you have done the user pool configuration matching the expected tokens.
