
Ultimately, I need to generate an AccessKeyId, SecurityKey and SessionToken for a user in a Cognito User Pool so I can test a Lambda function as a Cognito user using Postman. So far, I've spent 2 days trying to figure this out. It seems that this would work:

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/rolename --role-session-name "RoleSession1" --web-identity-token ??? --provider-id provideridvalue

I was able to get the provider-id value but I'm having trouble getting a valid value for the web-identity-token.

If I understand correctly this should get me the web-identity-token:

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id clientidvalue --auth-parameters USERNAME=usernamevalue,PASSWORD=passwordvalue

I obtained the clientidvalue from the Federated Identities pool.

The problem I have been unable to resolve is that the above command gives me this error:

Unknown options: PASSWORD=<password>

I've tried many different variations including json format but nothing works. What am I doing wrong?

Maximilian Burszley
Dar
  • Are `--auth-parameters` supposed to be separated by a comma? – Maximilian Burszley Apr 11 '18 at 19:27
  • @TheIncorrigible1 I don't know. The documentation seems to indicate that but I tried it separated by spaces as well. Do you know what they are supposed to be separated with? – Dar Apr 11 '18 at 19:46

3 Answers


Here's the AWS CLI command to authenticate and receive an auth token:

aws cognito-idp initiate-auth --region YOUR_REGION --auth-flow USER_PASSWORD_AUTH --client-id YOUR_CLIENT_ID --auth-parameters USERNAME=YOUR_EMAIL,PASSWORD=YOUR_PASSWORD

Example

aws cognito-idp initiate-auth --region us-west-2 --auth-flow USER_PASSWORD_AUTH --client-id 7f2spb636ptn074on1pdjgnk9l --auth-parameters USERNAME=alice@example.com,PASSWORD=Z3qj88WTJCi9DX6RRVFWtdv

Response

{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "RefreshToken": "eyJjdH......89kXQjZ9thA",
        "AccessToken": "eyJra......xB9eQ",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "IdToken": "eyJraWQiOiJh....PfRUcDeEw"
    }
}

If you get the error {"__type":"InvalidParameterException","message":"USER_PASSWORD_AUTH flow not enabled for this client"}, you need to enable USER_PASSWORD_AUTH.

Go to your AWS Cognito dashboard -> "App Clients" -> "Show Details" -> check the box "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)"

Miguel Mota

It works for me. I can't see any difference from yours.

Terminal Screenshot

Are you using the app client id that you created in the User Pool 'App clients' section (not in the Federated Identities section)? If so, is this option checked?

Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)

I am using the token starting after 3600 until the next whitespace. Put it in the Postman header and call the Lambda behind the Cognito Authorizer.

UPDATE

If anyone is interested in a single-command shell script version of this -> Bash Script

I use it quite often.

Can Sahin
  • Thanks again for the assistance. I checked the setting and the "Enable username-password (non-SRP) ..." was not checked. I checked the box and then tried again. I still get the same error. It seems I am using the correct syntax since it is working for you. Hmmm.... – Dar Apr 12 '18 at 13:25
  • Can you tell me where exactly you obtain the client id from? – Can Sahin Apr 12 '18 at 14:13
  • Also, can you try putting quotation marks, like --auth-parameters 'USERNAME=usernamevalue,PASSWORD=passwordvalue', so that it's a single string? Weird that you get an incorrect syntax error. – Can Sahin Apr 12 '18 at 14:16
  • I wasn't sure exactly what it meant by "Client Id" so I assumed it was referring to the App Client Id in the User Pool. There are two apps. I tried the id from both of them. Does it refer to something other than the App Client Id? Also, I tried it with quotes, creating one string with both username and password. I tried it with both initiate-auth and admin-initiate-auth. I got two different results. For initiate-auth, the response was "An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client " – Dar Apr 12 '18 at 14:44
  • For admin-initiate-auth the result was: "An error occured (InvalidParameterException) when calling the AdminInitiateAuth operation: Initiate Auth method not supported." – Dar Apr 12 '18 at 14:45
  • Got it working! The last attempts I realized were using the ClientId for an app that had an App Client Secret value. I switched to the clientId for the other app that has no secret app key. – Dar Apr 12 '18 at 15:55
  • Did I do this all for nothing? I need a web-identity-token for the assume-role-with-web-identity command. Somehow, I had come to believe that the initiate-auth would give me a web-identity-token. Was I mistaken? – Dar Apr 12 '18 at 17:04
  • The saga continues. The User Pool user was new and required a password change, so I then executed the respond-to-auth-challenge and got a slew of tokens: IdToken, RefreshToken and AccessToken. Is the IdToken the same as the Web-identity-token I am looking for? – Dar Apr 12 '18 at 17:27
  • I am not following you now :( I thought you wanted to get a 'token' that you will put in the 'Authorization' header and send to API Gateway, which will then invoke the Lambda by processing that token and giving you Cognito credentials like 'sub', 'username', 'customSomething'... To do this you only need an IdToken. Is that all you want? Or do you want to get `temporary` AWS access credentials on behalf of a user to do an operation that requires accessing AWS resources? – Can Sahin Apr 12 '18 at 19:41
  • Check this playground. You could play with it. Is this what you want to do (steps 1 - 2 - 3)? https://web-identity-federation-playground.s3.amazonaws.com/index.html – Can Sahin Apr 12 '18 at 19:48
  • Yes. In short, I need to use aws-cli to generate an AccessKeyId, SecretAccessKey and SessionToken for a user in our User Pool. Am I making this too complicated? I did get an IdToken. When I used it with assume-role-with-web-identity, I got an error: An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity. – Dar Apr 12 '18 at 20:00
  • Then it's that your AWS IAM user doesn't have permissions to use the Security Token Service. You are using the AWS CLI with your AWS profile, whatever is set on your computer. Adjust the IAM policies for that account. – Can Sahin Apr 12 '18 at 21:06
  • Hmm... I can execute "aws sts assume-role", I just can't execute "aws sts assume-role-with-web-token". If I didn't have permissions to use sts, wouldn't I have had trouble executing assume-role? – Dar Apr 13 '18 at 13:39
  • Actually, right, it says you don't even need an AWS profile or permission to do so. But I guess you are probably missing some steps in the flow. I'm not experienced with federated identities. Here is a similar problem, and some steps are provided; check it out: https://stackoverflow.com/questions/37814997/accessdenied-not-authorized-to-perform-stsassumerolewithwebidentity and also this one https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html tells how to use AssumeRoleWithWebIdentity – Can Sahin Apr 13 '18 at 15:01
  • You've been exceptionally helpful. Thank you. – Dar Apr 13 '18 at 15:25

I was facing the same issue today, and the request was failing with an error

"Unknown options: PASSWORD=".

On looking closely at the request, I realized that I had a space between the comma (,) and the PASSWORD parameter. It was like below:

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=xxxxx, PASSWORD=yyyy --client-id my-app-client-id

I got it working after changing it as follows (after removing the space):

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=xxxxx,PASSWORD=yyyy --client-id my-app-client-id
Rajesh Pandya
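An added example (written for this edit, not code from any answer above) that ties the three answers together: it builds the `--auth-parameters` value with no whitespace after the comma, appends the SECRET_HASH that an app client created with a client secret requires (the cause of the "Unable to verify secret hash for client" error in the comments), and pulls the IdToken out of the initiate-auth response and decodes its claims so you can confirm `token_use` is `id` before putting it in the Authorization header. The client id reuses the value from Miguel Mota's example; the response, secret and tokens are constructed, and the JWT decode is deliberately unverified (inspection only).

```python
import base64
import hashlib
import hmac
import json

CLIENT_ID = "7f2spb636ptn074on1pdjgnk9l"  # app client id from the answer above


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Cognito requires it whenever the app client was created with a secret."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def auth_parameters(username, password, client_id, client_secret=None):
    """Value for --auth-parameters: comma-separated, no space after the comma
    (a space makes the CLI read PASSWORD=... as a separate, unknown option)."""
    parts = [f"USERNAME={username}", f"PASSWORD={password}"]
    if client_secret:
        parts.append(f"SECRET_HASH={secret_hash(username, client_id, client_secret)}")
    return ",".join(parts)


def id_token(initiate_auth_json: str) -> str:
    """Extract IdToken from the initiate-auth response; a pending challenge
    (e.g. NEW_PASSWORD_REQUIRED) carries no tokens and must be answered first."""
    body = json.loads(initiate_auth_json)
    if "AuthenticationResult" not in body:
        raise RuntimeError(f"challenge pending: {body.get('ChallengeName')}")
    return body["AuthenticationResult"]["IdToken"]


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: only to check which
    token you hold (token_use/aud). Signature verification is the authorizer's job."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def _b64url(obj) -> str:  # helper used only to build the constructed sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample response in the shape shown in the answer above (fake tokens)
SAMPLE_RESPONSE = json.dumps({
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "ExpiresIn": 3600, "TokenType": "Bearer",
        "IdToken": _b64url({"alg": "RS256"}) + "." + _b64url(
            {"token_use": "id", "aud": CLIENT_ID, "email": "alice@example.com"}) + ".sig",
    },
})
```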