How to change User Status FORCE_CHANGE_PASSWORD?

Question

Using AWS Cognito, I want to create dummy users for testing purposes.

I then use the AWS Console to create such a user, but the user has its status set to FORCE_CHANGE_PASSWORD. With that value, this user cannot be authenticated.

Is there a way to change this status?

UPDATE the Same behaviour when creating a user from CLI

Answer 1

This is a multi-step process, where you use AWS CLI to change users passwords:

Step 1: For the desired user, get a session token:

aws cognito-idp admin-initiate-auth --user-pool-id user pool id --client-id app client id --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=username,PASSWORD=current-password

If error occurs like this "Unable to verify secret hash for client", then create another client without a secret and use that client ID.

Step 2: If only step 1 is successful, you will be responded with a challenge  "NEW_PASSWORD_REQUIRED", other parameters and user’s session key. After this, run the second command to issue the challenge response:

aws cognito-idp admin-respond-to-auth-challenge --user-pool-id user pool id --client-id client id --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD=desired-password,USERNAME=users username --session “session key from previous command”

If you receive an error stating "Invalid attributes given, XXX is missing" pass the attributes which are missing using this format - userAttributes.$FIELD_NAME=$VALUE

A valid Authentication Result and appropriate Tokens will be produced.

You can also visit the AWS tutorial which is meant for beginners to learn AWS.