3 votes

I'm developing a Python script that interacts with a web service that uses Amazon Cognito (with which I'm unfamiliar) as the authentication backend, and I'm having difficulties logging in.

My main issue is that boto3 requires both the AWS access key and secret key (without providing those I get the "NoCredentialsError"), but since this script will reside on multiple untrusted computers I don't want to store/embed those keys, for obvious security reasons.

The information that these untrusted computers will have access to is:

  • Username and Password for logging into the web service
  • Cognito Identity Pool ID
  • Cognito User Pool ID
  • Cognito Client ID

Is it possible, with the information these clients have, to correctly authenticate with Cognito? If so, how?

1 Answer

1 vote

Yes. Call get_credentials_for_identity(). It does not require any credentials. Use this as follows:

```python
import boto3
cognito = boto3.client('cognito-identity')
response = cognito.get_credentials_for_identity(IdentityId="id")
```

where "id" is the Cognito Identity Pool ID. response should return a dict including temporary Access Key, Secret Access Key, Session Token, and Expiration date.
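
Added example (not part of the answer above, and not AWS's own sample code): the username/password flow using only the four values the question lists, with unsigned clients so boto3 never looks for local AWS keys. In the Cognito API, `IdentityId` is the value `get_id` returns for an identity pool, so the sketch calls `get_id` first. Assumptions: the app client has no client secret and allows `USER_PASSWORD_AUTH`; the helper names and placeholder IDs are constructed for illustration.

```python
import getpass

def user_pool_region(user_pool_id):
    # User pool IDs have the form "<region>_<suffix>", e.g. "us-east-1_EXAMPLE".
    region, sep, suffix = user_pool_id.partition("_")
    if not (sep and region and suffix):
        raise ValueError("unexpected user pool ID format")
    return region

def logins_map(user_pool_id, id_token):
    # Provider key under which an identity pool accepts a user pool ID token.
    region = user_pool_region(user_pool_id)
    return {f"cognito-idp.{region}.amazonaws.com/{user_pool_id}": id_token}

def temporary_credentials(idp, identity, username, password,
                          client_id, user_pool_id, identity_pool_id):
    # 1. User pool sign-in (assumes no client secret, USER_PASSWORD_AUTH on).
    auth = idp.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    if "AuthenticationResult" not in auth:  # MFA / new-password challenges
        raise RuntimeError(f"unhandled challenge: {auth.get('ChallengeName')}")
    logins = logins_map(user_pool_id, auth["AuthenticationResult"]["IdToken"])
    # 2. Exchange the ID token for an identity in the identity pool.
    identity_id = identity.get_id(
        IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    # 3. Trade that identity for short-lived AWS credentials.
    return identity.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)["Credentials"]

if __name__ == "__main__":
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    # Placeholder values (constructed); replace with the deployment's own.
    USER_POOL_ID = "us-east-1_EXAMPLE"
    CLIENT_ID = "example-client-id"
    IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
    cfg = Config(signature_version=UNSIGNED)  # never look up local AWS keys
    idp = boto3.client("cognito-idp", config=cfg,
                       region_name=user_pool_region(USER_POOL_ID))
    identity = boto3.client("cognito-identity", config=cfg,
                            region_name=IDENTITY_POOL_ID.split(":")[0])
    creds = temporary_credentials(idp, identity, input("Username: "),
                                  getpass.getpass(), CLIENT_ID,
                                  USER_POOL_ID, IDENTITY_POOL_ID)
    print("temporary credentials expire at", creds["Expiration"])
```

Keep the returned credentials in memory only; what they can do is bounded by the IAM role the identity pool assigns to authenticated identities.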