awscli can't access cognito


I launch an instance with

  • The latest AL2023 image
  • SG with all open outbound traffic
  • Using IAM role with policy that has 2 actions: "s3:ListAllMyBuckets" and "cognito-idp:ListUserPools"
  • Default VPC created in my account

When I connect to the instance and run aws s3api list-buckets --region eu-central-1, it works fine. However, when I run aws cognito-idp list-user-pools --max-results 1 --region eu-central-1, it never returns.

Note: I have also tried with sqs list-queues and sns list-topics; they all work fine (after adding the permissions to the policy). It's just Cognito.

Running with --debug I see it gets stuck at

MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1):

But if I grab all the headers that the debug option is exposing and build the corresponding curl command (below), and run it from within the instance, it does work.

curl -X POST -d '{"MaxResults": 1}' \
-H 'X-Amz-Target: x' -H 'Content-Type: x' -H 'User-Agent: x' -H 'X-Amz-Date: x' -H 'X-Amz-Security-Token: x' -H 'Authorization: x' -H 'Content-Length: x'

Please, I'm going crazy, what is going on? The instance has access to Cognito, since the curl command works, but the CLI gets stuck calling the endpoint. Why is the CLI not able to make the request?

aws --version
aws-cli/2.9.19 Python/3.9.16 Linux/6.1.19-30.43.amzn2023.x86_64 source/x86_64.amzn.2023 prompt/off
1 Answer

Hi there,

I just tried the same command and the cognito-idp command returns fine for me.

By "it never returns", could you please clarify how long you wait? Ultimately, I am expecting a timeout with, eventually, a specific error message.

Here are some exploratory questions:

  1. Can you access this information from the console? I believe yes.
  2. Can you try in another region, say us-east-1?
  3. Can you re-run aws configure and set a default region? Also check environment variable if any are defined.
  4. Can you try from another host in a public subnet?
  5. Can you try without specifying a region in the CLI?
  6. Can you try to query a specific user pool's clients, for instance: aws cognito-idp list-user-pool-clients --user-pool-id "<pool_id>" --region eu-central-1
  7. Is there any way to capture the network traffic to do a packet capture (tcpdump for example)?
  8. Is there an HTTP proxy for outbound 443 access?
  9. Can you do an nslookup?

My CLI version for reference:

aws --version
aws-cli/2.9.20 Python/3.11.1 Darwin/22.3.0 source/x86_64 prompt/off
AWS
answered a year ago
  • While going through all your steps I figured out that the CLI was trying to connect via IPv6; that's why it was working for curl but not the CLI. I added the IGW to the route table for IPv6 addresses and it works now. Thanks!
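The comment above reports the root cause: the CLI was reaching for the endpoint's IPv6 address while the instance's route table had no default IPv6 route to the internet gateway, so the connection hung instead of failing. The following is an added example, not code from the original post or from AWS: a small audit over data shaped like the EC2 DescribeRouteTables and DescribeSubnets responses that flags IPv6-enabled subnets whose effective route table has no ::/0 route to an internet gateway (or egress-only internet gateway), and emits the aws ec2 create-route command that matches the commenter's fix. The VPC, subnet, route table and gateway identifiers and the addresses are constructed placeholders.

```python
"""Audit VPC route tables for the failure mode in the thread: a subnet hands out
IPv6 addresses, but its route table has no ::/0 route, so any client that picks
the endpoint's AAAA record hangs while IPv4 keeps working.

Added example, not from the original post. The sample data below is constructed
in the shape of `aws ec2 describe-route-tables` / `aws ec2 describe-subnets`
output; in practice you would load those JSON responses instead.
"""
import json

# --- constructed sample data (placeholder identifiers, documentation prefixes) ---
SAMPLE_ROUTE_TABLES = [
    {   # VPC main route table: IPv4 default route to the IGW, but no IPv6 default
        "RouteTableId": "rtb-example-main", "VpcId": "vpc-example",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
            {"DestinationIpv6CidrBlock": "2001:db8:0:100::/56", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # correctly configured dual-stack table, explicitly associated with subnet b
        "RouteTableId": "rtb-example-dual", "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-example-b"}],
        "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-example-a", "VpcId": "vpc-example",   # IPv6-enabled, uses main table
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:0:100::/64"}]},
    {"SubnetId": "subnet-example-b", "VpcId": "vpc-example",   # IPv6-enabled, dual-stack table
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:0:101::/64"}]},
    {"SubnetId": "subnet-example-c", "VpcId": "vpc-example",   # IPv4-only: never gets an AAAA path
     "Ipv6CidrBlockAssociationSet": []},
]


def effective_route_table(route_tables, subnet_id, vpc_id):
    """The table that applies to a subnet: an explicit subnet association wins,
    otherwise the VPC's main route table (or None if neither exists)."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_ipv6_default_to_igw(rt):
    """True if the table has an active ::/0 route via an internet gateway or an
    egress-only internet gateway (the latter is enough for outbound-only IPv6)."""
    for r in rt.get("Routes", []):
        gw = r.get("GatewayId") or r.get("EgressOnlyInternetGatewayId") or ""
        if (r.get("DestinationIpv6CidrBlock") == "::/0"
                and (gw.startswith("igw-") or gw.startswith("eigw-"))
                and r.get("State", "active") == "active"):
            return True
    return False


def find_broken_ipv6_subnets(route_tables, subnets):
    """Subnets that assign IPv6 addresses but whose route table cannot reach the
    internet over IPv6. Returns [(subnet_id, route_table_id, igw_id_or_None)]."""
    findings = []
    for sn in subnets:
        if not sn.get("Ipv6CidrBlockAssociationSet"):
            continue
        rt = effective_route_table(route_tables, sn["SubnetId"], sn["VpcId"])
        if rt is None or has_ipv6_default_to_igw(rt):
            continue
        # Reuse the IGW that already serves IPv4 for this table, if there is one.
        igw = next((r["GatewayId"] for r in rt.get("Routes", [])
                    if r.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and r.get("GatewayId", "").startswith("igw-")), None)
        findings.append((sn["SubnetId"], rt["RouteTableId"], igw))
    return findings


def remediation_commands(findings):
    """The create-route call that mirrors the commenter's fix, one per finding."""
    cmds = []
    for subnet_id, rtb_id, igw in findings:
        if igw is None:
            cmds.append(f"# {subnet_id}: {rtb_id} has no internet gateway route at all; attach one first")
        else:
            cmds.append(f"aws ec2 create-route --route-table-id {rtb_id} "
                        f"--destination-ipv6-cidr-block ::/0 --gateway-id {igw}")
    return cmds


if __name__ == "__main__":
    found = find_broken_ipv6_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS)
    print(json.dumps(found, indent=2))
    print("\n".join(remediation_commands(found)))
```

On the instance itself, the checks that pair with the answer's questions 7 to 9 are: `getent ahosts cognito-idp.eu-central-1.amazonaws.com` shows whether the resolver returns an AAAA record alongside the A record, `curl -6 -sv` versus `curl -4 -sv` against that endpoint tests each address family separately (a plain curl that works while `curl -6` hangs is the same symptom the CLI showed), and `ip -6 route` shows whether the instance has a default IPv6 route at all.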
