I'm testing/learning about Cognito before I implement it in my app. I have somewhat of a handle on the USER_PASSWORD_AUTH authorization flow, which seems to be the simplest, but I don't want to use that in my app; I'd rather use the USER_SRP_AUTH flow. Before I start coding in the JavaScript SDK, which I'm not very experienced in, I'd like to use the CLI in a shell script to demonstrate to myself that I understand how to use this flow. I currently have a shell script that implements the USER_PASSWORD_AUTH flow to set the AWS_* credential env vars using the CLI on Linux, and now I'd like a similar script that uses the USER_SRP_AUTH flow. But I'm not seeing any examples or tutorials that use the CLI.
My current script that uses USER_PASSWORD_AUTH is below, simplified to replace potentially sensitive values with "<my sensitive value ...>" placeholders. Can you advise on the changes that would be needed to implement USER_SRP_AUTH?
Thanks.
#!/bin/ksh93
## ----------------------------------------
## source this script to set the AWS*
## environment vars so the cli will operate
## as the specified Cognito user
## ----------------------------------------
if [[ $# -ne 1 ]] ; then
print -u2 "Usage: . $(basename ${.sh.file}) cognito_user"
return 1
fi
## ----------------------------------------
## args
## ----------------------------------------
cognito_user=$1
## ----------------------------------------
## initiate-auth
## (note: a password passed on the command line is visible
## to other local users via ps while the command runs)
## ----------------------------------------
initiate_output=$(aws cognito-idp \
initiate-auth \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters "USERNAME=$cognito_user,PASSWORD=<my secret password>" \
--client-id <my user pool app client id> \
--region us-east-1)
if [[ $? -ne 0 ]] ; then
print -u2 "Failed to initiate auth."
return 1
fi
id_token=$(print "$initiate_output" |grep '"IdToken"' |awk '{print $2}' |tr -d '",')
## ----------------------------------------
## get-id
## the --logins key is the provider name, i.e.
## cognito-idp.<region>.amazonaws.com/<user pool id>
## (the original had a stray "<" before the region)
## ----------------------------------------
getid_output=$(aws cognito-identity \
get-id \
--identity-pool-id <my federated identity pool id> \
--region us-east-1 \
--logins "cognito-idp.us-east-1.amazonaws.com/<my user pool id>=$id_token")
if [[ $? -ne 0 ]] ; then
print -u2 "Failed to get identity."
return 1
fi
identity_id=$(print "$getid_output" |grep IdentityId |awk '{print $2}' |tr -d '"')
## ----------------------------------------
## get-credentials and set env
## ----------------------------------------
get_credentials_output=$(aws cognito-identity \
get-credentials-for-identity \
--region us-east-1 \
--identity-id "$identity_id" \
--logins "cognito-idp.us-east-1.amazonaws.com/<my user pool id>=$id_token")
if [[ $? -ne 0 ]] ; then
print -u2 "Failed to get credentials for identity."
return 1
fi
export AWS_ACCESS_KEY_ID=$(print "$get_credentials_output" |grep AccessKeyId |awk '{print $2}' |tr -d '",')
export AWS_SECRET_ACCESS_KEY=$(print "$get_credentials_output" |grep SecretKey |awk '{print $2}' |tr -d '",')
export AWS_SESSION_TOKEN=$(print "$get_credentials_output" |grep SessionToken |awk '{print $2}' |tr -d '",')
## ----------------------------------------
## done (assume script is sourced)
## ----------------------------------------
return
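The reason there are no CLI-only USER_SRP_AUTH tutorials is that the CLI only transports the SRP values; something outside the CLI has to compute SRP_A for `initiate-auth` and the PASSWORD_VERIFIER answer for `respond-to-auth-challenge`, and that needs big-integer arithmetic a ksh script cannot do. The following Python module is an added example written for this page (not the poster's script and not AWS code) that does exactly that client-side work. It follows the group and key-derivation details used by the published Cognito SRP clients (the AWS JavaScript SDK and the `warrant` Python library): the RFC 3526 3072-bit MODP group with g = 2, k = H(N || g), x = H(salt || H(poolname || username || ":" || password)), an HKDF step with the info string "Caldera Derived Key", and an HMAC-SHA256 over poolname || username || secret block || timestamp. The pool name `AbCdEfGhI`, the user `alice`, the password, the salt and the "secret block" are constructed placeholders, and `simulate_server_challenge` is a constructed stand-in for Cognito's side that exists only so the maths can be checked offline.

```python
import base64
import datetime
import hashlib
import hmac
import json
import re
import secrets

# RFC 3526 3072-bit MODP prime with generator 2: the SRP group Cognito uses.
N_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
    "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
    "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
)
N = int(N_HEX, 16)
G = 2
INFO_BITS = b"Caldera Derived Key"  # HKDF info string used by Cognito's SRP clients


def _pad_hex(value):
    """Hex like Java BigInteger.toByteArray: even length, leading 00 if the top bit is set."""
    h = value if isinstance(value, str) else format(value, "x")
    if len(h) % 2:
        return "0" + h
    return "00" + h if h[0] in "89abcdefABCDEF" else h


def _hex_hash(hex_str):
    return hashlib.sha256(bytes.fromhex(hex_str)).hexdigest()


K = int(_hex_hash(_pad_hex(N) + _pad_hex(G)), 16)  # SRP-6a multiplier k = H(N || g)


def _compute_x(pool_name, username, password, salt_hex):
    inner = hashlib.sha256(f"{pool_name}{username}:{password}".encode()).hexdigest()
    return int(_hex_hash(_pad_hex(salt_hex) + inner), 16)


def _compute_u(big_a, big_b):
    u = int(_hex_hash(_pad_hex(big_a) + _pad_hex(big_b)), 16)
    if u == 0:
        raise ValueError("u = H(A, B) must not be zero")
    return u


def _derive_key(s, u):
    """HKDF-SHA256 with ikm = S and salt = u; only the first 16 bytes are used."""
    prk = hmac.new(bytes.fromhex(_pad_hex(u)), bytes.fromhex(_pad_hex(s)), hashlib.sha256).digest()
    return hmac.new(prk, INFO_BITS + b"\x01", hashlib.sha256).digest()[:16]


def _random_exponent():
    return int.from_bytes(secrets.token_bytes(128), "big") % N


def generate_srp_a(small_a=None):
    """Ephemeral client pair (a, A); hex(A) is the SRP_A auth parameter, a must never leave the client."""
    small_a = _random_exponent() if small_a is None else small_a
    big_a = pow(G, small_a, N)
    if big_a % N == 0:
        raise ValueError("safety check for A failed")
    return small_a, big_a


def client_session_key(pool_name, username, password, salt_hex, small_a, big_a, big_b):
    if big_b % N == 0:
        raise ValueError("safety check for B failed")
    u = _compute_u(big_a, big_b)
    x = _compute_x(pool_name, username, password, salt_hex)
    s = pow(big_b - K * pow(G, x, N), small_a + u * x, N)  # Python reduces a negative base mod N
    return _derive_key(s, u)


def password_verifier_response(pool_name, password, small_a, big_a, challenge, timestamp=None):
    """Challenge-responses map for `respond-to-auth-challenge --challenge-name PASSWORD_VERIFIER`."""
    user_id = challenge["USER_ID_FOR_SRP"]
    if timestamp is None:  # Cognito's format: UTC, day of month without a leading zero
        now = datetime.datetime.now(datetime.timezone.utc).strftime("%a %b %d %H:%M:%S UTC %Y")
        timestamp = re.sub(r" 0(\d) ", r" \1 ", now)
    key = client_session_key(pool_name, user_id, password, challenge["SALT"],
                             small_a, big_a, int(challenge["SRP_B"], 16))
    msg = pool_name.encode() + user_id.encode() + base64.b64decode(challenge["SECRET_BLOCK"]) + timestamp.encode()
    signature = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return {"TIMESTAMP": timestamp, "USERNAME": user_id,
            "PASSWORD_CLAIM_SECRET_BLOCK": challenge["SECRET_BLOCK"],
            "PASSWORD_CLAIM_SIGNATURE": signature}


# Constructed stand-in for Cognito's side, only so the arithmetic can be checked offline.
def simulate_server_challenge(pool_name, username, password, salt_hex, big_a, small_b=None):
    """Return (ChallengeParameters as Cognito would send them, server-side session key)."""
    v = pow(G, _compute_x(pool_name, username, password, salt_hex), N)  # stored verifier
    small_b = _random_exponent() if small_b is None else small_b
    big_b = (K * v + pow(G, small_b, N)) % N
    u = _compute_u(big_a, big_b)
    s = pow(big_a * pow(v, u, N), small_b, N)
    challenge = {"USER_ID_FOR_SRP": username, "SALT": salt_hex, "SRP_B": format(big_b, "x"),
                 "SECRET_BLOCK": base64.b64encode(b"constructed opaque secret block").decode()}
    return challenge, _derive_key(s, u)


def server_accepts(server_key, pool_name, response):
    """What the PASSWORD_VERIFIER check amounts to: recompute the HMAC and compare in constant time."""
    msg = (pool_name.encode() + response["USERNAME"].encode()
           + base64.b64decode(response["PASSWORD_CLAIM_SECRET_BLOCK"]) + response["TIMESTAMP"].encode())
    expected = hmac.new(server_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(response["PASSWORD_CLAIM_SIGNATURE"]))


if __name__ == "__main__":
    # Hypothetical pool us-east-1_AbCdEfGhI: the pool name is the part after the underscore.
    pool_name, user, pw, salt = "AbCdEfGhI", "alice", "correct horse battery staple", "a1b2c3d4e5f6a7b8"
    a, big_a = generate_srp_a()
    print(f"--auth-parameters USERNAME={user},SRP_A={format(big_a, 'x')}")
    challenge, server_key = simulate_server_challenge(pool_name, user, pw, salt, big_a)
    resp = password_verifier_response(pool_name, pw, a, big_a, challenge)
    print("--challenge-responses", json.dumps(resp))
    print("server accepts:", server_accepts(server_key, pool_name, resp))
```

Against a real pool the sequence is: `aws cognito-idp initiate-auth --auth-flow USER_SRP_AUTH --auth-parameters USERNAME=...,SRP_A=<hex A> --client-id ...`, which returns `ChallengeName: PASSWORD_VERIFIER`, a `Session`, and `ChallengeParameters` (SALT, SECRET_BLOCK, SRP_B, USER_ID_FOR_SRP); feed those parameters to `password_verifier_response`, then call `aws cognito-idp respond-to-auth-challenge --client-id ... --challenge-name PASSWORD_VERIFIER --session <Session> --challenge-responses '<the JSON map>'` and read `AuthenticationResult.IdToken` from its output, which is where the existing script's `get-id` step picks up. Passing the map as JSON rather than `key=value` shorthand avoids quoting trouble with the base64 `=`/`+` characters and the spaces in TIMESTAMP. Two practical points: the private exponent `a` must survive between the two CLI calls, so in practice one Python invocation should wrap both (for example via `subprocess`) instead of printing `a` to the shell; and the TIMESTAMP is part of the signed message, so a machine with a skewed clock will fail the challenge even with the right password.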