How to change password of AWS Cognito User?
The aws cognito-idp change-password command can only be used with a user who is able to sign in, because you need the Access token from aws cognito-idp admin-initiate-auth.
But since the user has a temporary password, it will face the NEW_PASSWORD_REQUIRED challenge when trying to sign in.
Here's how I did it:
$ aws cognito-idp admin-create-user --user-pool-id USERPOOLID --username me@example.com --desired-delivery-mediums EMAIL --user-attributes Name=email,Value=me@example.com
$ aws cognito-idp initiate-auth --client-id CLIENTID --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=me@example.com,PASSWORD="tempPassword"
Now you get a NEW_PASSWORD_REQUIRED challenge and a very long session token. Use that one to respond to the challenge:
$ aws cognito-idp admin-respond-to-auth-challenge --user-pool-id USERPOOLID --client-id CLIENTID --challenge-responses "NEW_PASSWORD=LaLaLaLa1234!!!!,USERNAME=me@example.com" --challenge-name NEW_PASSWORD_REQUIRED --session "YourLongSessionToken"
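The same two-step flow (initiate auth, then answer the NEW_PASSWORD_REQUIRED challenge) as an added Python example, not code from the original answer: it takes a boto3 cognito-idp client (assumed) and also covers two things the CLI transcript above does not show, the requiredAttributes the challenge can demand and the SECRET_HASH an app client configured with a client secret requires. Client id, secret and session values used here are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH that app clients configured with a client secret require:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(client_secret.encode(), (username + client_id).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_challenge_responses(auth_response, username, new_password, attributes=None):
    """Turn the initiate-auth result into the ChallengeResponses map.
    Besides NEW_PASSWORD and USERNAME, Cognito may list attributes the user still
    has to set in ChallengeParameters["requiredAttributes"], a JSON string such as
    '["userAttributes.name"]'; each must be answered under that exact key."""
    if auth_response.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise ValueError("unexpected challenge: %r" % auth_response.get("ChallengeName"))
    params = auth_response.get("ChallengeParameters", {})
    responses = {"USERNAME": username, "NEW_PASSWORD": new_password}
    attributes = attributes or {}
    for key in json.loads(params.get("requiredAttributes", "[]")):
        name = key.split(".", 1)[1]            # "userAttributes.name" -> "name"
        if name not in attributes:
            raise ValueError("missing required attribute: " + name)
        responses[key] = attributes[name]
    return responses


def complete_first_login(client, client_id, username, temp_password,
                         new_password, attributes=None, client_secret=None):
    """Drive the two calls with a boto3 cognito-idp client (assumed to be passed
    in); returns the AuthenticationResult that holds the tokens."""
    auth_params = {"USERNAME": username, "PASSWORD": temp_password}
    if client_secret:                          # only for app clients with a secret
        auth_params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    first = client.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                                 AuthParameters=auth_params)
    if "AuthenticationResult" in first:        # permanent password: no challenge
        return first["AuthenticationResult"]
    answers = build_challenge_responses(first, username, new_password, attributes)
    if client_secret:
        answers["SECRET_HASH"] = auth_params["SECRET_HASH"]
    second = client.respond_to_auth_challenge(
        ClientId=client_id, ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=first["Session"], ChallengeResponses=answers)
    return second["AuthenticationResult"]
```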
To change a user password:
With this aws cli:
$ aws --version
aws-cli/1.17.9 Python/3.6.10 Linux/5.3.0-26-generic botocore/1.14.9
You can do it this way:
aws cognito-idp admin-set-user-password --user-pool-id "eu-west-11111" --username "aaaaaa-aaaa-aaaa-aaaa" --password "a new password" --permanent
To have more information:
aws cognito-idp admin-set-user-password help
The access token is retrieved by logging the user in. You can get this token by running the aws cli command aws cognito-idp admin-initiate-auth for the user (found here).
This will require you to have root credentials for the cognito pool, which I assume you have. The command will return the access token which you can use for one hour (cognito tokens expire after 1 hour regardless of settings, look here).