Skip to content

Aws cognito and s3 useful commands

wordpress meta

title: 'AWS Cognito and S3 Useful Commands'
date: '2019-01-10T12:48:37-06:00'
status: publish
permalink: /aws-cognito-and-s3-useful-commands
author: admin
excerpt: ''
type: post
id: 1307
category:
    - Uncategorized
tag: []
post_format: []

While I am delving into AWS Cognito and learning how it interacts with other services for example S3 object storage, I am jotting down some of the more useful CLI commands. This can be quite daunting to learn so it is very helpful to retain the commands for future reference. Of course this can all be done in the console also if that is your preference. I like the CLI (or even better would be Terraform or CloudFormation).

The examples may be useful when creating the authentication and authorization bits for a JavaScript SDK or Javascript framework (like Angular) application to upload files into a S3 bucket after being authenticated by the application. Note I use jq to filter output in many cases.

S3 Bucket

``` $ aws s3api create-bucket --bucket vault.mydomain.com --region us-east-1 $ aws s3api put-bucket-cors --bucket vault.mydomain.com --cors-configuration file://vault.mydomain.com-cors-policy.json $ aws iam create-policy --policy-name vault.mydomain.com-admin-policy --policy-document file://vault.mydomain.com-admin-policy.json
</div>Cognito User Pool

<div class="wp-block-syntaxhighlighter-code ">```

$ aws cognito-idp create-user-pool --pool-name mydomain-vault-user-pool   
$ aws cognito-idp list-user-pools --max-results 10 | jq -r '.UserPools[] | [.Id,.Name] | @csv' | grep vault  # get user-pool-id for create-user-pool-client step
$ aws cognito-idp create-user-pool-client --user-pool-id <your-userPoolId> --client-name mydomain-vault

Cognito Create an Admin User in the User Pool and do password reset flow

``` $ aws cognito-idp list-user-pool-clients –user-pool-id --max-results 10 | jq -r '.UserPoolClients[] | [.ClientId,.ClientName] | @csv' ## get client-id for next step $ aws cognito-idp update-user-pool-client –user-pool-id --client-id --explicit-auth-flows ADMIN_NO_SRP_AUTH $ aws cognito-idp admin-create-user –user-pool-id --username admin --desired-delivery-mediums EMAIL --user-attributes Name=email,Value=admin@mydomain.com ## Check the above email address for temp password $ aws cognito-idp admin-initiate-auth –user-pool-id --client-id --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=admin,PASSWORD=" $ aws cognito-idp admin-respond-to-auth-challenge –user-pool-id --client-id --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD="",USERNAME=admin --session "" $ aws cognito-idp update-user-pool-client –user-pool-id --client-id –explicit-auth-flows
</div>Cognito Create Identity Pool

<div class="wp-block-syntaxhighlighter-code ">```

$ aws cognito-idp describe-user-pool –user-pool-id <your-userPoolId> | jq -r '.[] | [.Name,.Arn] | @csv'    ## get UserPool Arn
$ aws cognito-identity create-identity-pool --identity-pool-name "mydomain vault identity pool" --allow-unauthenticated-identities --cognito-identity-providers ProviderName="cognito-idp.us-east-1.amazonaws.com/<your-userPoolId>",ClientId="<your-clientId>"
$ aws iam create-role --role-name vault.mydomain.com-admin-role --assume-role-policy-document file://vault.mydomain.com-admin-trust-role.json
$ aws cognito-identity list-identity-pools --max-results 3 | jq -r '.IdentityPools[] | [.IdentityPoolId,.IdentityPoolName] | @csv' | grep vault ## get identity pool id
## use our new role for authenticated role. for unauthenticated I used an old one since I don't plan unauthenticated access here. If you do need unauthenticated create a role and use below.
$ aws cognito-identity set-identity-pool-roles --identity-pool-id <your-identityPoolId> --roles authenticated="<your-arn-authenticated-role>",unauthenticated="<your-arn-unauthenticated-role>"

In the console change Authenticated role selection to "Choose role from token" and Role resolution "Use default Authenticated role". See if this can be done from CLI.

IAM Attach Role to Policy

``` ## get role names just for your verification $ aws cognito-identity get-identity-pool-roles –identity-pool-id | jq -r '[.IdentityPoolId,.Roles.authenticated,.Roles.unauthenticated] | @csv' $ aws iam list-policies | jq -r '.Policies[] | [.PolicyName,.Arn] | @csv' | grep vault ## get policy Arn $ aws iam attach-role-policy --policy-arn arn:aws:iam::660032875792:policy/vault.mydomain.com-admin-policy --role-name vault.mydomain.com-admin-role
</div>Application

Application need to use correct ***UserPoolId, App ClientId, identityPoolId, S3 bucket name, region***. Very important is to understand "*Integrating a User Pool with an Identity Pool*". Example: <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html>

Appendix A: JSON Source used in above commands

<div class="wp-block-syntaxhighlighter-code ">```

$ cat mydomain-vault-s3-upload/vault.mydomain.com-admin-policy.json 
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "s3:*"
 ],
 "Resource": [
        "arn:aws:s3:::vault.mydomain.com",
 "arn:aws:s3:::vault.mydomain.com/*"
 ]
 }
 ]
}
$ cat mydomain-vault-s3-upload/vault.mydomain.com-admin-trust-role.json 
{
 "Version": "2012-10-17",
 "Statement": {
 "Effect": "Allow",
"Principal": {
 "Federated": "cognito-identity.amazonaws.com"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
 "cognito-identity.amazonaws.com:aud": "<your-identityPoolId>"
 }
 }
 }
}
$ cat mydomain-vault-s3-upload/vault.mydomain.com-cors-policy.json 
{
 "CORSRules": [
 {
 "AllowedOrigins": ["*"],
 "AllowedHeaders": ["*"],
 "AllowedMethods": ["PUT", "GET", "POST", "DELETE"],
 "MaxAgeSeconds": 3000,
 "ExposeHeaders": ["ETag"]
 }