I'm trying to use the AWS CLI to confirm Cognito users (to change their status from FORCE_CHANGE_PASSWORD to CONFIRMED). I had success doing this with an App client without an app secret, but I can't figure out how to do it in an App client that has one. According to the AWS CLI reference, here:
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-initiate-auth.html
I should be able to do it by passing the App secret, like this:
(broken up for formatting, I'm entering it as a full line)
aws cognito-idp admin-initiate-auth
--user-pool-id us-east-1_xxxxxxxx
--region=us-east-1
--client-id xxxxxxxxxxxxxxxxxxxxx
--auth-flow ADMIN_NO_SRP_AUTH
--auth-parameters
USERNAME=TestUser
PASSWORD='Test_Password'
SECRET_HASH=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--profile AwsProfile
I took the secret value from the App client secret field on the web console, and I enabled "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" too.
However, I keep getting this response:
An error occurred (NotAuthorizedException) when calling the AdminInitiateAuth operation: Unable to verify secret hash for client xxxxxxxxxxxxxxxxxxxxxxx
What could I be doing wrong?
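An added example, not part of the original post: for an app client that has a secret, Cognito expects SECRET_HASH to be the Base64-encoded HMAC-SHA256 of the username concatenated with the client ID, keyed with the client secret, rather than the raw secret from the console. The function names and all sample values below are assumptions made for illustration; the CLI flags are the ones used in the question.

```python
import base64
import hashlib
import hmac
import json


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Return Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    message = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def admin_initiate_auth_argv(user_pool_id, region, client_id, client_secret,
                             username, password, profile):
    """Build the argv for the command in the question with a computed SECRET_HASH."""
    auth_parameters = {
        "USERNAME": username,
        "PASSWORD": password,
        # Derived per user: the hash changes whenever the username changes.
        "SECRET_HASH": cognito_secret_hash(username, client_id, client_secret),
    }
    return [
        "aws", "cognito-idp", "admin-initiate-auth",
        "--user-pool-id", user_pool_id,
        "--region", region,
        "--client-id", client_id,
        "--auth-flow", "ADMIN_NO_SRP_AUTH",
        # JSON form avoids shorthand-parsing issues with '=', '+', '/' and ','
        # that can appear in Base64 output and in passwords.
        "--auth-parameters", json.dumps(auth_parameters),
        "--profile", profile,
    ]


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    argv = admin_initiate_auth_argv(
        user_pool_id="us-east-1_EXAMPLE", region="us-east-1",
        client_id="exampleclientid", client_secret="example-client-secret",
        username="TestUser", password="Test_Password", profile="AwsProfile",
    )
    # Pass argv to subprocess.run(argv) to invoke the CLI without shell quoting.
    print(cognito_secret_hash("TestUser", "exampleclientid", "example-client-secret"))
```
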