capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

By default the auth in `~/.aws` is loaded #80

Open balloob opened 6 years ago

balloob commented 6 years ago

Warrant will use the default boto configuration which is to load credentials from ~/.aws. Not all requests to Cognito require requests to be signed in. Examples of these are register, authenticate, forgot password, confirm forgot password.

Botocore will blow up with a NoCredentialsError exception if ~/.aws doesn't exist:

```
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/warrant/__init__.py", line 289, in authenticate
    tokens = aws.authenticate_user()
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/warrant/aws_srp.py", line 187, in authenticate_user
    ClientId=self.client_id
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/client.py", line 251, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/client.py", line 526, in _make_api_call
    operation_model, request_dict)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/endpoint.py", line 141, in make_request
    return self._send_request(request_dict, operation_model)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/endpoint.py", line 166, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/endpoint.py", line 150, in create_request
    operation_name=operation_model.name)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/signers.py", line 147, in sign
    auth.add_auth(request)
  File "/Users/paulus/dev/python/home-assistant/lib/python3.6/site-packages/botocore/auth.py", line 316, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
```

We can set the cognito client to use unsigned requests for the user-facing APIs (make account, reset password). I tried adding this in https://github.com/capless/warrant/pull/59; however, I ran into a problem where the admin tests actually rely on this.

I can't run the tests locally and the PR has since been reverted 😞

rileypeterson commented 6 years ago

What is the solution for this?

balloob commented 6 years ago

Since the PR got reverted and I am unable to fix the code myself without being able to run the tests, I can't open a PR that would be ok to merge. You will have to patch the used client yourself. This is how Home Assistant does it

kyhau commented 6 years ago

We experienced this issue with the authenticate call. As a workaround:

(1) Put [default] in .aws/credentials with empty access key values to avoid the exception.

```
[default]
aws_access_key_id=
aws_secret_access_key=
```

(2) Or pass a dummy access_key and secret_key when calling Cognito():

```python
from warrant import Cognito

user = Cognito(
    userpool,
    userpool_appclientid,
    user_pool_region="xxx",
    username="xxx",
    access_key="dummy_not_used",
    secret_key="dummy_not_used",
)
```

It would be great to have this fixed :)

dwright213 commented 5 years ago

kyhau's post would be a really nice addition to the docs, under "authentication", I think.