« Back to Index

[Python Warrant Cognito]

View original Gist on GitHub

Tags: #python #cognito

Admin create user and auto-confirm + change password.py

from warrant import Cognito, dict_to_cognito

user_pool_id = 'xxxx'
client_id = 'xxxx'
aws_application_access_key = 'xxxx'
aws_application_secret_key = 'xxxx'
cognito_user_pool_app_secret_key = 'xxxx'

username = 'foo'
email = 'foo@foo.com'
name = 'foo bar'

u = Cognito(user_pool_id,
            client_id,
            access_key=aws_application_access_key,
            secret_key=aws_application_secret_key,
            client_secret=cognito_user_pool_app_secret_key,
            username=username)

u.add_base_attributes(email=email, name=name)
u.add_custom_attributes(something='here if you like')

attributes = u.base_attributes.copy()
attributes.update(u.custom_attributes)
attributes.update({'email_verified': 'true'})

cognito_attributes = dict_to_cognito(attributes)

temp_password = "foo"

response = u.client.admin_create_user(**{'UserPoolId': u.user_pool_id,
                                         'UserAttributes': cognito_attributes,
                                         'Username': username,
                                         'TemporaryPassword': temp_password,
                                         'MessageAction': 'SUPPRESS'})

attributes.update(username=username, password=temp_password)
u._set_attributes(response, attributes)

auth_params = {'USERNAME': username, 'PASSWORD': temp_password}
u._add_secret_hash(auth_params, 'SECRET_HASH')

challenge = u.client.admin_initiate_auth(
    UserPoolId=u.user_pool_id,
    ClientId=u.client_id,
    AuthFlow='ADMIN_NO_SRP_AUTH',
    AuthParameters=auth_params,
)

tokens = u.client.admin_respond_to_auth_challenge(
    UserPoolId=u.user_pool_id,
    ClientId=u.client_id,
    ChallengeName=challenge['ChallengeName'],
    ChallengeResponses={
        'USERNAME': username,
        'NEW_PASSWORD': 'foobarbaz',
        'SECRET_HASH': auth_params['SECRET_HASH'],
    },
    Session=challenge['Session'],
)

u.verify_token(tokens['AuthenticationResult']['IdToken'], 'id_token','id')
u.refresh_token = tokens['AuthenticationResult']['RefreshToken']
u.verify_token(tokens['AuthenticationResult']['AccessToken'], 'access_token','access')
u.token_type = tokens['AuthenticationResult']['TokenType']

Python Warrant Cognito.py

user_pool_id = settings.get('cognito_user_pool_id')
client_id = settings.get('cognito_user_pool_app_client_id')

#####################################

# note: we need actual access keys, so I created a new IAM user
# the client application's secret key wasn't used

u = Cognito(user_pool_id, client_id,
            access_key=settings.get('aws_application_access_key'),
            secret_key=settings.get('aws_application_secret_key'))
            users = u.get_users(attr_map={"name": "full_name"})

if settings.get("debug"):
    for user in users:
        logging.info(user.__dict__)
        
#####################################
        
u = Cognito(user_pool_id, client_id,
            client_secret=settings.get('cognito_user_pool_app_secret_key'),
            access_key=settings.get('aws_application_access_key'),
            secret_key=settings.get('aws_application_secret_key'),
            username='...',
            id_token='...',
            access_token='...',
            refresh_token='...')

response = u.check_token(renew=False)  # leave off `renew` if you want Warrant to attempt to refresh expired tokens