sst / guide

Repo for guide.sst.dev
https://guide.sst.dev
MIT License

Comments: Create a Cognito Test User #18

Closed jayair closed 6 years ago

jayair commented 7 years ago

Link to chapter - http://serverless-stack.com/chapters/create-a-cognito-test-user.html

Pancakerobot commented 7 years ago

To create the user and confirm, I had to add an extra parameter to both calls (--region us-east-1).

$ aws cognito-idp sign-up \
  --client-id YOUR_COGNITO_APP_CLIENT_ID \
  --username admin@example.com \
  --password Passw0rd! \
  --user-attributes Name=email,Value=admin@example.com \
  --region us-east-1

jayair commented 7 years ago

@Pancakerobot good tip, we've gotten some feedback from some people that have run into region related issues.

geirman commented 7 years ago

I had the same problem. You get the region from your Pool Id. Mine was us-east-2_dUMVe5SZr, but it doesn't look like you need anything after the underscore, so tacking on --region us-east-2 worked for me.

jayair commented 7 years ago

Added it to the chapter - 562b54b252423011d418e16aed20083d403c4b18

zohaibshahzadTO commented 7 years ago

I'm having trouble running

$ aws cognito-idp sign-up \
  --region us-east-1 \
  --client-id YOUR_COGNITO_APP_CLIENT_ID \
  --username admin@example.com \
  --password Passw0rd! \
  --user-attributes Name=email,Value=admin@example.com

Actually when I even try running the first line "aws cognito-idp sign-up" into the command prompt (I'm using Windows), it just gives me this error.

cmd trouble

I'm pretty sure I configured it in the beginning. Any help would be greatly appreciated.


jayair commented 7 years ago

@Hollow27 When you try the full command (with the client-id passed in), what is the error you are seeing?

zohaibshahzadTO commented 7 years ago

This is what I'm getting (kind of a noob using the terminal): cmd555

Unknown output type: [None]

^That's what I'm getting when I try the full command with client-id passed in.

jayair commented 7 years ago

@Hollow27 Yeah I'm not too familiar with Windows. But @ryanjcruz is a Windows user. Maybe he can help you?

ryanjcruz commented 7 years ago

@jayair @Hollow27 you'd need to add \ at the end of the command per line, i.e.

$ aws cognito-idp sign-up \
  --region us-east-1 \
  --client-id YOUR_COGNITO_APP_CLIENT_ID \
  --username admin@example.com \
  --password Passw0rd! \
  --user-attributes Name=email,Value=admin@example.com

then the last line shouldn't have any as that should be the enter key needed to execute the command.

jayair commented 7 years ago

@ryanjcruz I'm thinking of adding instructions for Windows users soon. I can use your help with that. Do you mind if I ping you once I figure out the format for it?

ryanjcruz commented 7 years ago

@jayair no probs, happy to help out.

wilsonmar commented 7 years ago

@ryanjcruz It would help if the instructions show output from commands. Is "UserConfirmed": false, from the response I got expected?

{
    "UserConfirmed": false, 
    "CodeDeliveryDetails": {
        "AttributeName": "email", 
        "Destination": "a***@j***.com", 
        "DeliveryMedium": "EMAIL"
    }
}

Also, having common error responses would be helpful as well. I'm writing because I got this doing verification: An error occurred (UnrecognizedClientException) when calling the AdminConfirmSignUp operation: The security token included in the request is invalid.

The response is from this command:

aws cognito-idp admin-confirm-sign-up \
  --region us-west-2 \
  --user-pool-id us-west-2_bAEhmtfs7 \
  --username admin1@jetbloom.com

The user-pool-id value I got from Pool details: Pool Id, above the Pool ARN.

jayair commented 7 years ago

@wilsonmar That's a good idea. I'll be adding sections to chapters with common errors people are getting.

wilsonmar commented 7 years ago

Can you help me get un-stuck? If not, who can? I'll add to your tutorial if you help me.


fwang commented 7 years ago

@wilsonmar The response you received for the sign-up step looks good. User will only be confirmed after the admin-confirm-sign-up step, which will succeed silently.

Your error, "An error occurred (UnrecognizedClientException) when calling the AdminConfirmSignUp operation: The security token included in the request is invalid.", sounds very much like AWS CLI credentials not specified correctly. Could you refer to these two chapters and double check the CLI configuration?

http://serverless-stack.com/chapters/create-an-iam-user.html
http://serverless-stack.com/chapters/configure-the-aws-cli.html

At the end of the day, you should have a file at ~/.aws/credentials that looks similar to

[default]
aws_access_key_id = AKXXXXXXXXXXXXXXXXMQ
aws_secret_access_key = JOsGrxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc132

wilsonmar commented 7 years ago

OK, I Googled around and found this explanation on May 25, 2016 by EdL@AWS: "Cognito User Pools are currently only available in US East (Virginia)." at https://forums.aws.amazon.com/thread.jspa?messageID=722312

Since the first mention of region is at http://serverless-stack.com/chapters/create-an-s3-bucket-for-file-uploads.html I've forked, created branch 'Cognito-User-Pools-only-avail-US-East-1', and updated the file as https://github.com/AnomalyInnovations/serverless-stack-com/pull/93

fwang commented 7 years ago

Cognito User Pools were made available in us-west-2, US West (Oregon) later in 2016. https://aws.amazon.com/blogs/aws/amazon-cognito-your-user-pools-now-generally-available/

You shouldn't be able to create the pool in the first place if it were not available.

wilsonmar commented 7 years ago

I'll post the link where that AWS guy posted his fake news. Do you have a link I can go to for properly setting up the credentials file on my machine?


fwang commented 7 years ago

This should help - http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

pjamieson commented 7 years ago

I have multiple AWS profiles for different accounts. Since the one I'm using for this tutorial isn't my default, I needed to add the --profile [profile name from my ~/.aws/credentials file] flag to both CLI commands. Hope this helps!

jayair commented 7 years ago

Thanks for the tip @pjamieson. I'll add it to the tutorial when I get a chance.

wellyal commented 7 years ago

Nothing works. I've run into this problem while running the command

aws cognito-idp sign-up \
  --region us-east-1 \
  --client-id 4kjstkv1m9t0orh6n569jnhgt5 \
  --username admin@example.com \
  --password Passw0rd! \
  --user-attributes Name=email,Value=admin@example.com

An error occurred (ResourceNotFoundException) when calling the SignUp operation: User pool client 4kjstkv1m9t0orh6n569jnhgt5 does not exist.

wellyal commented 7 years ago

Problem solved. My problem was the region. My region pool was us-west-2 not 1.

RaphaelMui commented 7 years ago

Thanks @pjamieson. I have multiple profiles too. When the '--profile' parameter was not specified, 'sign-up' succeeded but 'admin-confirm-sign-up' failed. It seems that the --region parameter was ignored.

quantuminformation commented 7 years ago

I solved the OP issue, but this is what I got next: https://github.com/AnomalyInnovations/serverless-stack-com/issues/133

KelpDuNord commented 7 years ago

aws cognito-idp admin-confirm-sign-up --region us-east-1 --user-pool-id us-east-1_fdlHwCS7x --username admin@example.com just returns "User pool us-east-1_fdlHwCS7x does not exist." I can see the user created with aws cognito-idp sign-up in the user pool with a status of UNCONFIRMED. I've recreated the user pool three times with the same result.

quantuminformation commented 7 years ago

You probably created the pool in the wrong region.

jayair commented 7 years ago

@KelpDuNord Hmm that's really weird. So aws cognito-idp sign-up works but aws cognito-idp admin-confirm-sign-up does not work?

HeyMarcy commented 7 years ago

This is my second attempt and I get the same error: An error occurred (IncompleteSignatureException) when calling the AdminConfirmSignUp operation: 'key' not a valid key=value pair (missing equal-sign) in Authorization header...

lucasgonze commented 7 years ago

Thanks for this discussion. It led me to the solution. I looked up the correct region by going to the Cognito home page (e.g. at https://us-east-2.console.aws.amazon.com/cognito/home), clicking "Manage your user pools", selecting the user pool I created for the tutorial, and looking at the Pool ID.

KelpDuNord commented 7 years ago

I just tried again, and yes, the signup worked but confirm did not. After running aws configure (I may have missed this before?), the confirm was successful.

jayair commented 7 years ago

@KelpDuNord Thanks for reporting back. Can you tell me what you set in the aws configure command?

@lucasgonze Thanks for sharing your experience.

@HeyMarcy Can you show me the full command you used?

toyeebgodo commented 6 years ago

@Hollow27, were you able to solve your issue? I had the same issue, however changing region to us-east-2 (--region us-east-2) worked for me.

Jaikant commented 6 years ago

On running: aws cognito-idp sign-up --region ap-south-1 --client-id xxxxx --username admin@example.com --password Passw0rd!

I got the below error

An error occurred (InvalidParameterException) when calling the SignUp operation: Cannot perform specific action because there does not exist a valid use pool domain associated with the user pool

I added the domain name in: User Pool -> App Integration -> Domain Name and then it seemed to work:

epiphany-consulting jai$ aws cognito-idp sign-up --region ap-south-1 --client-id xxxxyyyy --username admin@example.com --password Passw0rd!
{
    "UserConfirmed": false,
    "CodeDeliveryDetails": {
        "AttributeName": "email",
        "Destination": "a@e.com",
        "DeliveryMedium": "EMAIL"
    }
}

saurabh-vyas commented 6 years ago

I am getting error as cognito-idp sub-cmd itself is not recognised.

vyas@gladiator:~$ aws cognito-idp sign-up --client-id $my-client-id --username admin@example.com --password Passw0rd! --user-attributes Name=email,Value=admin@example.com --region us-east-1
usage: aws [options] <command> <subcommand> [parameters]
aws: error: argument command: Invalid choice, valid choices are:

autoscaling                              | cloudformation                          
cloudfront                               | cloudsearch                             
cloudsearchdomain                        | cloudtrail                              
cloudwatch                               | cognito-identity                        
cognito-sync                             | datapipeline                            
directconnect                            | dynamodb                                
ec2                                      | elasticache                             
elasticbeanstalk                         | elastictranscoder                       
elb                                      | emr                                     
iam                                      | importexport                            
kinesis                                  | kms                                     
lambda                                   | logs                                    
opsworks                                 | rds                                     
redshift                                 | route53                                 
route53domains                           | sdb                                     
ses                                      | sns                                     
sqs                                      | storagegateway                          
sts                                      | support                                 
swf                                      | s3api                                   
s3                                       | configure                               
deploy                                   | configservice                           
help                                    

Not sure if I need something else for the aws cli to look for cognito-idp.

(using Ubuntu 17.0.4)
vyas@gladiator:~$ aws --version
aws-cli/1.6.6 Python/2.7.13 Linux/4.10.0-38-generic

Thoughts / comments ..... please.

jayair commented 6 years ago

@saurabh-vyas That's really weird. Are you using the latest AWS CLI?

This is my version.

$ aws --version
aws-cli/1.11.189 Python/2.7.10 Darwin/16.7.0 botocore/1.7.47

saurabh-vyas commented 6 years ago

@jayair: seems like the older version did not have this sub-cmd. I uninstalled awscli & re-installed that ... and with version 1.11.189 ... I was able to run this successfully

vyas@gladiator:~/Learning/Serverless/notes-app-api$ aws cognito-idp sign-up --client-id $my-client-id --username admin@example.com --password Passw0rd! --user-attributes Name=email,Value=admin@example.com --region us-east-1
{
    "UserConfirmed": false, 
    "UserSub": "938c49aa-344e-4c89-9dfe-4c25ad9a2afc", 
    "CodeDeliveryDetails": {
        "AttributeName": "email", 
        "Destination": "a***@e***.com", 
        "DeliveryMedium": "EMAIL"
    }
}

jayair commented 6 years ago

@saurabh-vyas Great! Thanks for reporting back.

svj13 commented 6 years ago

Hello I am getting an error others haven't seemed to have run into. I'm very new to AWS, and Serverless is my first go at using it. I'm running into issues with verifying the account

In Windows PowerShell: aws cognito-idp admin-confirm-sign-up \ --region us-east-2 \ --user-pool-id us-east-2** \ --username admin@example.com \

I get the following error: An error occurred (InvalidSignatureException) when calling the AdminConfirmSignUp operation: Signature expired: 20171204T063700Z is now earlier than 20171204T193202Z (20171204T193702Z - 5 min.)

Advice would be greatly appreciated so I can keep chugging through this tutorial :) I have changed it all to be the correct region as well. I don't really understand what my error means.

I have discovered that I can verify manually through the AWS platform, but I would prefer things ran as they should through the terminal.

Jaikant commented 6 years ago

The time on your system is off by more than 5 minutes, which is flagging this as an error. You can use ntp to keep the time in sync.


jayair commented 6 years ago

@Jaikant Oh that's a good catch.
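The "Signature expired" text quoted above carries both the time the request was signed and the server's own time, so the drift can be read directly from it. An added example, not part of the thread or the tutorial (the function names are hypothetical), that parses the message as posted and reports the skew next to the allowed window:

```sh
#!/bin/sh
# Added example, not from the thread or the tutorial; function names are hypothetical.

# Convert a SigV4 timestamp (YYYYMMDDTHHMMSSZ, UTC) to epoch seconds using
# shell arithmetic only, so it does not depend on GNU or BSD date options.
ts_to_epoch() (
  # Cut one field and drop a single leading zero so "08" is not read as octal.
  field() { v=$(printf '%s' "$1" | cut -c"$2"); echo "${v#0}"; }
  y=$(field "$1" 1-4);    m=$(field "$1" 5-6);    d=$(field "$1" 7-8)
  hh=$(field "$1" 10-11); mi=$(field "$1" 12-13); ss=$(field "$1" 14-15)
  # Days since 1970-01-01, counting each year from 1 March so leap days come last.
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  echo $((days * 86400 + hh * 3600 + mi * 60 + ss))
)

# Print "<skew> <window>" in seconds for a "Signature expired" error: skew is
# server time minus signing time (positive means the local clock is behind).
# Exit status is 1 when the text is some other error.
sigv4_clock_skew() (
  set -- $(printf '%s\n' "$1" | sed -n \
    's/.*Signature expired: \([0-9T]*Z\) is now earlier than [0-9T]*Z (\([0-9T]*Z\) - \([0-9]*\) min\.).*/\1 \2 \3/p')
  [ $# -eq 3 ] || exit 1
  echo "$(( $(ts_to_epoch "$2") - $(ts_to_epoch "$1") )) $(( $3 * 60 ))"
)

# Error text exactly as posted in the thread.
msg='An error occurred (InvalidSignatureException) when calling the AdminConfirmSignUp operation: Signature expired: 20171204T063700Z is now earlier than 20171204T193202Z (20171204T193702Z - 5 min.)'

if result=$(sigv4_clock_skew "$msg"); then
  set -- $result
  echo "local clock is $1 s behind the server; allowed drift is $2 s"
fi
```

A skew of a whole number of hours, as here, usually points at a wrong time zone or a manually set clock rather than slow drift.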

johanseland commented 6 years ago

I also got the InvalidSignatureExceptionError when trying to run the admin-confirm-sign-up step. Strangely the sign-up step worked as expected, so there must be a difference in how these two commands escape the secret key.

I am adding this here in case someone else runs into problems, as this issue pops up on top of the Google search.

The error:

An error occurred (InvalidSignatureException) when calling the AdminConfirmSignUp operation: The request signature we calculated does not match the signature you provided. Check your AWS Secretr Access Key and signing method. Consult the service documentation for details.

This was caused by my secret key containing a plus '+' sign. This happened on a Windows 10 installation with the following awscli version.

C:\WINDOWS\system32>aws --version
aws-cli/1.14.9 Python/3.4.3 Windows/8 botocore/1.8.13

Once I regenerated an ID/Key-pair without a plus sign, the error disappeared.

jayair commented 6 years ago

@johanseland Thanks for the comment and the context.

spencerattick commented 6 years ago

@svj13 I'm having the same problem you had and can't figure it out. How did you verify the test user through AWS rather than through the command line?

karthickng commented 6 years ago

I had the InvalidSignatureException issue, and it was resolved once I added a new access key for the admin user! I don't know the reason why, but this worked for me.

Note that something similar has been pointed out by @bedney in the discussion at https://github.com/aws/aws-sdk-js/issues/86

pflugs30 commented 6 years ago

I'm having the same issue as @KelpDuNord above where the sign-up command worked, but the admin-confirm-sign-up command does not work.

I run: aws cognito-idp admin-confirm-sign-up --region us-east-1 --user-pool-id us-east-1_mV4oIXtXy --username admin@example.com

I receive: An error occurred (ResourceNotFoundException) when calling the AdminConfirmSignUp operation: User pool us-east-1_mV4oIXtXy does not exist.

I've done the following:

I will confirm the user manually through the console, but I want to know why this is happening. Any ideas? Thanks.

Update

I figured it out. My AWS credentials file was corrupt, if you can call it that. It had two credentials under the [default] name. I'm not sure how that happened. I discovered this problem by running aws configure again and seeing that my new keys weren't being persisted. On Windows, I navigated to %USER_PROFILE%\.aws and edited the credentials file in a text editor as opposed to through the command window. Then, when I ran my command to confirm the user, it worked as expected.

jayair commented 6 years ago

@pflugs30 Glad you figured it out. Thanks for following up.
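The duplicated [default] entry described above can be detected without opening the file by hand. An added example, not part of the thread, the tutorial or the AWS CLI (lint_aws_credentials is a hypothetical helper and the sample file contents are constructed):

```sh
#!/bin/sh
# Added example, not part of the tutorial or the AWS CLI.
# lint_aws_credentials is a hypothetical helper name.

# Report profile headers that occur more than once, and keys repeated inside
# one profile, in an AWS shared credentials file. Only names and line numbers
# are printed, never the key values. Exit status is 1 when a problem is found.
lint_aws_credentials() {
  awk '
    /^[ \t]*([#;]|$)/ { next }                      # comments and blank lines
    /^[ \t]*\[[^]]*\][ \t]*$/ {                     # [profile] header
      section = $0
      gsub(/^[ \t]*\[[ \t]*|[ \t]*\][ \t]*$/, "", section)
      if (seen[section]++) {
        printf "line %d: profile [%s] is defined again\n", NR, section; bad = 1
      }
      next
    }
    /=/ {                                           # key = value
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
      if (count[section, key]++) {
        printf "line %d: %s repeated in [%s]\n", NR, key, section; bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample reproducing the layout described in the thread:
# two sets of keys under the same [default] name. Values are placeholders.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = EXAMPLEKEYID1
aws_secret_access_key = EXAMPLE-SECRET-ONE
[default]
aws_access_key_id = EXAMPLEKEYID2
aws_secret_access_key = EXAMPLE-SECRET-TWO
EOF

lint_aws_credentials "$sample" || echo "credentials file needs manual cleanup"
```

Point it at ~/.aws/credentials (or %USERPROFILE%\.aws\credentials under a POSIX shell on Windows) before re-running aws configure.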

codywr commented 6 years ago

I started the tutorial a couple months ago and ran into some problems. I only just recently picked it back up trying to double check each step and noticed an error on this one.

Doing this on a Raspberry Pi (running Raspbian) and have noticed that some of the libraries are quite old. That said, here is my aws version:

pi@raspberrypi:~ $ aws --version
aws-cli/1.14.28 Python/2.7.13 Linux/4.9.59-v7+ botocore/1.8.32

I believe I was able to create a test user just fine with:

pi@raspberrypi:~/sandbox $ aws cognito-idp sign-up --region us-east-1 --client-id $my_client_id --username admin@example.com --password Passw0rd!

but when I go to confirm the creation, I get an error:

pi@raspberrypi:~/sandbox $ aws cognito-idp admin-confirm-sign-up --region us-east-1 --user-pool-id $my_client_id --username admin@example.com

An error occurred (NotAuthorizedException) when calling the AdminConfirmSignUp operation: User cannot be confirm. Current status is CONFIRMED

Checking the aws console shows successful creation and confirmation (I think): image

Is this all expected behavior? I have double checked the region (a frequent problem it appears) and created a new IAM (Access key ID , Secret access key) pair (and re-running aws configure) to no avail.

I would like to echo what others have said about including expected output in this section of the tutorial and/or some common problems and how to resolve them.

jayair commented 6 years ago

@codywr From the Created and Last Modified date, it seems like the user was created a while ago? Maybe you had it confirmed back then?

codywr commented 6 years ago

@jayair Can it only be confirmed once? I was expecting a confirmation each time I asked for one. From the look of the error (NotAuthorizedException), I was thinking this was some sort of permissions problem.