Riaan's SysAdmin Blog

My tips, howtos, gotchas, snippets and stuff. Use at your own risk!


AWS Cognito and S3 Useful Commands

While I am delving into AWS Cognito and learning how it interacts with other services for example S3 object storage, I am jotting down some of the more useful CLI commands. This can be quite daunting to learn so it is very helpful to retain the commands for future reference. Of course this can all be done in the console also if that is your preference. I like the CLI (or even better would be Terraform or CloudFormation).

The examples may be useful when creating the authentication and authorization bits for a JavaScript SDK or Javascript framework (like Angular) application to upload files into a S3 bucket after being authenticated by the application. Note I use jq to filter output in many cases.

S3 Bucket

$ aws s3api create-bucket --bucket vault.mydomain.com --region us-east-1
$ aws s3api put-bucket-cors --bucket vault.mydomain.com --cors-configuration file://vault.mydomain.com-cors-policy.json
$ aws iam create-policy --policy-name vault.mydomain.com-admin-policy --policy-document file://vault.mydomain.com-admin-policy.json

Cognito User Pool

$ aws cognito-idp create-user-pool --pool-name mydomain-vault-user-pool   
$ aws cognito-idp list-user-pools --max-results 10 | jq -r '.UserPools[] | [.Id,.Name] | @csv' | grep vault  # get user-pool-id for create-user-pool-client step
$ aws cognito-idp create-user-pool-client --user-pool-id <your-userPoolId> --client-name mydomain-vault

Cognito Create an Admin User in the User Pool and do password reset flow

$ aws cognito-idp list-user-pool-clients –user-pool-id <your-userPoolId> --max-results 10 | jq -r '.UserPoolClients[] | [.ClientId,.ClientName] | @csv'  ## get client-id for next step
$ aws cognito-idp update-user-pool-client –user-pool-id <your-userPoolId> --client-id <your-clientId> --explicit-auth-flows ADMIN_NO_SRP_AUTH
$ aws cognito-idp admin-create-user –user-pool-id <your-userPoolId> --username admin --desired-delivery-mediums EMAIL --user-attributes Name=email,Value=admin@mydomain.com
## Check the above email address for temp password
$ aws cognito-idp admin-initiate-auth –user-pool-id <your-userPoolId> --client-id <your-clientId> --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=admin,PASSWORD="<temp password from email"
## Use Very Long Session String from above output to respond and Set admin user password to <new password and complying to password policy>
$ aws cognito-idp admin-respond-to-auth-challenge –user-pool-id <your-userPoolId> --client-id <your-clientId> --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD="<your-new-password>",USERNAME=admin --session "<very long session string>"
$ aws cognito-idp update-user-pool-client –user-pool-id <your-userPoolId> --client-id <your-clientId> –explicit-auth-flows

Cognito Create Identity Pool

$ aws cognito-idp describe-user-pool –user-pool-id <your-userPoolId> | jq -r '.[] | [.Name,.Arn] | @csv' 	## get UserPool Arn
$ aws cognito-identity create-identity-pool --identity-pool-name "mydomain vault identity pool" --allow-unauthenticated-identities --cognito-identity-providers ProviderName="cognito-idp.us-east-1.amazonaws.com/<your-userPoolId>",ClientId="<your-clientId>"
$ aws iam create-role --role-name vault.mydomain.com-admin-role --assume-role-policy-document file://vault.mydomain.com-admin-trust-role.json
$ aws cognito-identity list-identity-pools --max-results 3 | jq -r '.IdentityPools[] | [.IdentityPoolId,.IdentityPoolName] | @csv' | grep vault ## get identity pool id
## use our new role for authenticated role. for unauthenticated I used an old one since I don't plan unauthenticated access here. If you do need unauthenticated create a role and use below.
$ aws cognito-identity set-identity-pool-roles --identity-pool-id <your-identityPoolId> --roles authenticated="<your-arn-authenticated-role>",unauthenticated="<your-arn-unauthenticated-role>"

In the console change Authenticated role selection to "Choose role from token" and Role resolution "Use default Authenticated role". See if this can be done from CLI.

IAM Attach Role to Policy

## get role names just for your verification
$ aws cognito-identity get-identity-pool-roles –identity-pool-id <your-identityPoolId> | jq -r '[.IdentityPoolId,.Roles.authenticated,.Roles.unauthenticated] | @csv' 
$ aws iam list-policies | jq -r '.Policies[] | [.PolicyName,.Arn] | @csv' | grep vault	## get policy Arn
$ aws iam attach-role-policy --policy-arn arn:aws:iam::660032875792:policy/vault.mydomain.com-admin-policy --role-name vault.mydomain.com-admin-role


Application need to use correct UserPoolId, App ClientId, identityPoolId, S3 bucket name, region. Very important is to understand "Integrating a User Pool with an Identity Pool". Example: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

Appendix A: JSON Source used in above commands

$ cat mydomain-vault-s3-upload/vault.mydomain.com-admin-policy.json 
 "Version": "2012-10-17",
 "Statement": [
 "Effect": "Allow",
 "Action": [
 "Resource": [
$ cat mydomain-vault-s3-upload/vault.mydomain.com-admin-trust-role.json 
 "Version": "2012-10-17",
 "Statement": {
 "Effect": "Allow",
"Principal": {
 "Federated": "cognito-identity.amazonaws.com"
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
 "cognito-identity.amazonaws.com:aud": "<your-identityPoolId>"
$ cat mydomain-vault-s3-upload/vault.mydomain.com-cors-policy.json 
 "CORSRules": [
 "AllowedOrigins": ["*"],
 "AllowedHeaders": ["*"],
 "AllowedMethods": ["PUT", "GET", "POST", "DELETE"],
 "MaxAgeSeconds": 3000,
 "ExposeHeaders": ["ETag"]


Bio Info for Riaan