Question:
I have been stuck on the following issue for quite some time now. Within Python I want users to retrieve a token based upon their username and password from the AWS cognito-identity-pool making use of srp authentication. With this token I want the users to upload data to s3.
This is part of the code I use (from the warrant library): https://github.com/capless/warrant
```python
self.client = boto3.client('cognito-idp', region_name="us-east-1")

response = boto_client.initiate_auth(
    AuthFlow='USER_SRP_AUTH',
    AuthParameters=auth_params,
    ClientId=self.client_id
)

def get_auth_params(self):
    auth_params = {'USERNAME': self.username,
                   'SRP_A': long_to_hex(self.large_a_value)}
    if self.client_secret is not None:
        auth_params.update({
            "SECRET_HASH":
            self.get_secret_hash(self.username, self.client_id, self.client_secret)})
    return auth_params
```
However, I keep on getting:
```
botocore\auth.py", line 352, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
```
I was able to get rid of this error by adding credentials in the .aws/credentials file. But this is not in line with the purpose of this program. It seems like there is a mistake in the warrant or botocore library and it keeps on attempting to use the AWS Access Key ID and AWS Secret Access Key from the credentials file, rather than the given credentials (username and password).
Any help is appreciated
Answer:
I am on the Cognito team. Initiate auth is an unauthenticated call, so it shouldn’t require you to provide AWS credentials. The service endpoint will not validate the sigv4 signature for these calls.
That being said, some client libraries have certain peculiarities in the sense that you need to provide some dummy credentials, otherwise the client library will throw an exception. However, you can provide anything for the credentials.
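To make the answer's point concrete, here is an added example (not from the original post or the warrant library) that builds the same `USER_SRP_AUTH` InitiateAuth request with only the Python standard library, so the request visibly carries no AWS credentials and no SigV4 `Authorization` header. The function names and all sample values are assumptions constructed for illustration; `srp_a_hex` stands in for the client's real SRP `A` value.

```python
import base64
import hashlib
import hmac
import json
import urllib.request


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_initiate_auth_request(region, client_id, username, srp_a_hex, client_secret=None):
    """Build an InitiateAuth POST carrying no AWS credentials and no SigV4 signature."""
    auth_params = {"USERNAME": username, "SRP_A": srp_a_hex}
    if client_secret is not None:
        auth_params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    body = {
        "AuthFlow": "USER_SRP_AUTH",
        "AuthParameters": auth_params,
        "ClientId": client_id,
    }
    return urllib.request.Request(
        url=f"https://cognito-idp.{region}.amazonaws.com/",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/x-amz-json-1.1",
            "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
        },
    )


def initiate_auth(request, timeout=10):
    """Send the request; for valid input Cognito replies with a PASSWORD_VERIFIER challenge."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample values (not a real app client, user, or SRP value).
SAMPLE = build_initiate_auth_request(
    region="us-east-1", client_id="exampleclientid123", username="alice",
    srp_a_hex="a1b2c3", client_secret="example-secret",
)
```

With boto3, the equivalent is to pass `config=Config(signature_version=UNSIGNED)` (from `botocore.config` and `botocore`) to `boto3.client('cognito-idp', ...)`, which skips request signing so no credentials are looked up and no dummy keys are needed.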