
How to change password of AWS Cognito User?

I'm developing a web application which uses the AWS services backend side. I'm using AWS Cognito to manage the users but I have a problem. When I create a new user (with a temporary password) it is required that I change this password manually to make it definitive. The only way I have to change the password is using AWS Cli, as explained here:

https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/change-password.html

I have to type in the shell the old password, the new password and the Access Token. The problem is: where do I find this "Access token"? I don't know what to type in the shell! The AWS Cognito console doesn't help.

The aws cognito-idp change-password command can only be used with a user who is able to sign in, because you need the Access token from aws cognito-idp admin-initiate-auth.

But since the user has a temporary password, it will face the NEW_PASSWORD_REQUIRED challenge when trying to sign in.

Here's how I did it:

$ aws cognito-idp admin-create-user  --user-pool-id USERPOOLID  --username me@example.com --desired-delivery-mediums EMAIL --user-attributes Name=email,Value=me@example.com

$ aws cognito-idp initiate-auth --client-id CLIENTID --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=me@example.com,PASSWORD="tempPassword"

Now you get a NEW_PASSWORD_REQUIRED challenge and a very long session token. Use that one to respond to the challenge:

$ aws cognito-idp admin-respond-to-auth-challenge --user-pool-id USERPOOLID --client-id CLIENTID   --challenge-responses "NEW_PASSWORD=LaLaLaLa1234!!!!,USERNAME=me@example.com" --challenge-name NEW_PASSWORD_REQUIRED --session "YourLongSessionToken"

To change a user password:

With this aws cli:

$ aws --version
aws-cli/1.17.9 Python/3.6.10 Linux/5.3.0-26-generic botocore/1.14.9

You can do it this way:

aws cognito-idp admin-set-user-password --user-pool-id "eu-west-11111"  --username "aaaaaa-aaaa-aaaa-aaaa" --password "a new password" --permanent

To have more information:

aws cognito-idp admin-set-user-password help
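The two routes above (answering the NEW_PASSWORD_REQUIRED challenge as the user, or setting a permanent password as an administrator) as an added boto3 example that is not part of any answer on this page. The client ID, pool ID, region and credentials are assumed placeholders; the function takes the client as a parameter so the logic can be exercised with a stand-in object.

```python
"""Completing a Cognito temporary password with boto3 instead of the AWS CLI."""

NEW_PASSWORD_REQUIRED = "NEW_PASSWORD_REQUIRED"


def complete_temporary_password(client, client_id, username, temp_password, new_password):
    """Sign in with the temporary password, answer NEW_PASSWORD_REQUIRED and
    return the AuthenticationResult (it carries the AccessToken, valid 1 hour).

    `client` is a cognito-idp client (or anything exposing the same
    initiate_auth / respond_to_auth_challenge methods). A user whose password
    is already permanent gets no challenge, so the tokens from the first call
    are returned as-is.
    """
    first = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",  # ALLOW_USER_PASSWORD_AUTH must be enabled on the app client
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
        # An app client with a secret additionally needs a SECRET_HASH parameter.
    )
    challenge = first.get("ChallengeName")
    if challenge is None:
        return first["AuthenticationResult"]
    if challenge != NEW_PASSWORD_REQUIRED:
        raise RuntimeError(f"unexpected challenge: {challenge}")
    # Session must go back unchanged: it ties the answer to the sign-in above.
    second = client.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName=NEW_PASSWORD_REQUIRED,
        Session=first["Session"],
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return second["AuthenticationResult"]


def set_permanent_password(client, user_pool_id, username, new_password):
    """Admin route: needs IAM rights on the pool, never asks for the old password."""
    client.admin_set_user_password(
        UserPoolId=user_pool_id, Username=username, Password=new_password, Permanent=True
    )


if __name__ == "__main__":
    import boto3, getpass  # imported here so the functions stay importable without boto3

    cognito = boto3.client("cognito-idp", region_name="eu-west-1")  # assumed region
    result = complete_temporary_password(
        cognito, "CLIENTID", "me@example.com",  # placeholder client id
        getpass.getpass("temporary password: "), getpass.getpass("new password: "),
    )
    print("access token obtained; expires in", result["ExpiresIn"], "seconds")
```

The same session-threading is what the CLI does when you paste the long session value from initiate-auth into admin-respond-to-auth-challenge.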

The access token is retrieved by logging the user in. You can get this token by running the aws cli command aws cognito-idp admin-initiate-auth for the user (found here).

This will require you to have root credentials for the cognito pool, which I assume you have. The command will return the access token which you can use for one hour (cognito tokens expire after 1 hour regardless of settings, look here).

The right API is: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html

The syntax is:

{
   "Password": "string",
   "Permanent": true,
   "Username": "string",
   "UserPoolId": "string"
}

You can specify that the specified password is permanent, and you will have the user in the CONFIRMED status. It's correct that this API doesn't require the old password, because it wouldn't be safe. The admin doesn't need to know user passwords. So the API has been named "AdminSetUserPassword" and not "AdminChangeUserPassword".
