| Field | Value |
|-------|-------|
| Name | aws-cognito-auth |
| Version | 0.0.5 |
| home_page | None |
| Summary | AWS Cognito authentication CLI tool for seamless AWS CLI integration with temporary credential management. |
| upload_time | 2025-08-14 08:25:38 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | <4.0,>=3.9 |
| license | None |
| keywords | authentication, aws, cli, cognito, credentials, python |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# AWS Cognito Authoriser
A robust command-line tool that provides seamless authentication with AWS Cognito User Pool and Identity Pool, automatically obtaining temporary AWS credentials that work without requiring local AWS profile configuration.
## 🚀 Overview
The AWS Cognito Authoriser solves a critical problem in AWS authentication workflows: obtaining temporary AWS credentials for CLI and SDK usage without requiring pre-configured AWS profiles or permanent credentials. It leverages AWS Cognito's User Pool for authentication and Identity Pool for credential exchange, with an optional Lambda proxy for extended credential duration.
### Key Features
- 🔐 **Secure Authentication**: Authenticates users via AWS Cognito User Pool
- ⏱️ **Flexible Credential Duration**: 1-hour (Identity Pool) or up to 12-hour (Lambda proxy) credentials
- 🛡️ **No AWS Profile Required**: Works in environments without pre-configured AWS credentials
- 📦 **Multiple Service Integration**: Supports S3, DynamoDB, Lambda, and other AWS services
- 🔧 **Automated Setup**: Helper scripts for complete AWS infrastructure deployment
- 📊 **Role Management**: Built-in tools for managing IAM policies and permissions
- 🎯 **Profile Management**: Updates standard AWS credentials and config files
- 🔄 **Graceful Fallback**: Always provides working credentials with intelligent upgrading
## 🏗️ Architecture
The system consists of three main components:
```
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   CLI Tool      │───▶│ Cognito Identity │───▶│  Lambda Proxy   │
│                 │    │ Pool (1hr creds) │    │  (12hr creds)   │
└─────────────────┘    └──────────────────┘    └─────────────────┘
         │                       │                       │
         ▼                       ▼                       ▼
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│ User Pool Auth  │    │    IAM Role      │    │ Long-lived Role │
│                 │    │ (Cognito Auth)   │    │   (Extended)    │
└─────────────────┘    └──────────────────┘    └─────────────────┘
```
### Authentication Flow
1. **User Authentication**: Authenticate with Cognito User Pool using username/password
2. **Identity Pool Exchange**: Exchange ID token for 1-hour AWS credentials via Identity Pool
3. **Lambda Upgrade** (Optional): Attempt to upgrade to 12-hour credentials via Lambda proxy
4. **Credential Storage**: Update AWS credentials file for seamless CLI/SDK usage
## 📦 Installation
### Prerequisites
- Python 3.7+
- AWS account with Cognito services
- Basic understanding of AWS IAM roles and policies
### Quick Start
1. **Clone the repository:**
```bash
git clone <repository-url>
cd aws-cognito-auth
```
2. **Install the package:**
```bash
pip install -e .
```
3. **Configure the tool:**
```bash
cogauth configure
```
4. **Login and get credentials:**
```bash
cogauth login -u your-username
```
## ⚙️ Configuration
### Method 1: Interactive Configuration
```bash
cogauth configure
```
### Method 2: Environment Variables
```bash
export COGNITO_USER_POOL_ID="us-east-1_xxxxxxxxx"
export COGNITO_CLIENT_ID="your-client-id"
export COGNITO_IDENTITY_POOL_ID="us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export AWS_REGION="us-east-1"
```
### Method 3: Configuration File
Create `~/.cognito-cli-config.json`:
```json
{
"user_pool_id": "us-east-1_xxxxxxxxx",
"client_id": "your-client-id",
"identity_pool_id": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"region": "us-east-1"
}
```
## 🎯 Usage
### Authentication Client Commands
```bash
# Check configuration status
cogauth status
# Configure authentication settings
cogauth configure
# Login with username prompt
cogauth login
# Login with specific username
cogauth login -u your-username
# Login and update specific AWS profile
cogauth login -u your-username --profile my-profile
# Skip Lambda proxy and use only Identity Pool credentials
cogauth login -u your-username --no-lambda-proxy
# Set credential duration (Lambda proxy only)
cogauth login -u your-username --duration 8
# Get help
cogauth --help
```
### Administrative Commands
```bash
# View Identity Pool role information
cogadmin role info
# Create S3 access policy for a bucket
cogadmin policy create-s3-policy --bucket-name my-bucket
# Create S3 policy with user isolation (Cognito identity-based)
cogadmin policy create-s3-policy --bucket-name my-bucket --user-specific
# Create DynamoDB access policy with user isolation
cogadmin policy create-dynamodb-policy --table-name my-table
# Apply custom policy from JSON file
cogadmin role apply-policy --policy-file custom-policy.json --policy-name MyPolicy
# Deploy Lambda credential proxy
cogadmin lambda deploy --access-key-id AKIA... --secret-access-key ...
# Create new IAM user for Lambda proxy (requires admin permissions)
cogadmin lambda deploy --create-user
# Set up new Cognito Identity Pool interactively
cogadmin setup-identity-pool
# Get help for admin commands
cogadmin --help
```
### Example Workflow
```bash
# 1. Configure once
cogauth configure
# 2. Login and get credentials
cogauth login -u myuser
# Sample output:
# 🎫 Getting temporary credentials from Cognito Identity Pool...
# ✅ Successfully obtained Identity Pool credentials (expires at 2025-08-12 14:30:00 PST)
# 🎫 Attempting to upgrade to longer-lived credentials via Lambda proxy...
# ✅ Successfully upgraded to longer-lived credentials (expires at 2025-08-13 01:30:00 PST)
# 3. Use AWS CLI commands
aws s3 ls
aws sts get-caller-identity
aws s3 sync s3://my-bucket/my-folder ./local-folder
```
## 🔑 IAM Setup for Longer-Lived Credentials
### Complete IAM Configuration Requirements
For the Lambda proxy to provide longer-lived credentials (up to 12 hours), you need to set up three key IAM components:
#### 1. IAM User for Lambda Proxy
Create an IAM user that the Lambda function will use to assume the long-lived role:
**User Name**: `cognito-proxy-user` (or your configured name)
**Inline Policy**: `CognitoCredentialProxyAccess`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/CognitoLongLivedRole"
}
]
}
```
**Important**: Generate access keys for this user and configure them in the Lambda function's environment variables.
#### 2. Long-Lived IAM Role
Create a role that users will assume for extended access:
**Role Name**: `CognitoLongLivedRole` (or your configured name)
**Trust Policy** (Critical - must include both AssumeRole and TagSession):
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/cognito-proxy-user"
},
"Action": ["sts:AssumeRole", "sts:TagSession"],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"ap-southeast-1",
"us-east-1",
"us-west-2"
]
}
}
}
]
}
```
**Permissions Policy**: Attach policies for the AWS services your users need to access (S3, DynamoDB, etc.) with the longer-lived credentials.
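The two policies above only stay least-privilege while the proxy user's `Resource` and the role's `Principal` each name exactly one ARN. The following check is an added example, not part of the project's code: it audits both documents as shown on this page against a constructed over-broad variant, and the function names are hypothetical.

```python
import copy

# Policies as shown on this page; YOUR_ACCOUNT_ID is the page's own placeholder.
ROLE_ARN = "arn:aws:iam::YOUR_ACCOUNT_ID:role/CognitoLongLivedRole"
USER_ARN = "arn:aws:iam::YOUR_ACCOUNT_ID:user/cognito-proxy-user"
EXPECTED_ACTIONS = {"sts:assumerole", "sts:tagsession"}  # IAM actions are case-insensitive

PROXY_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Resource": ROLE_ARN,
    }],
}
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": [
            "ap-southeast-1", "us-east-1", "us-west-2"]}},
    }],
}


def as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_statement(stmt, label, field, expected):
    """Findings for one Allow statement.

    field is "Resource" (identity policy) or "Principal" (trust policy);
    expected is the single ARN that field is supposed to name.
    """
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    for negated in ("NotAction", "NotResource", "NotPrincipal"):
        if negated in stmt:
            findings.append(f"{label}: {negated} makes the grant open-ended")
    extra = {a.lower() for a in as_list(stmt.get("Action"))} - EXPECTED_ACTIONS
    if extra:
        findings.append(f"{label}: unexpected action(s) {sorted(extra)}")
    value = stmt.get(field)
    if isinstance(value, dict):  # Principal: {"AWS": ..., "Service": ...}
        targets = [v for vals in value.values() for v in as_list(vals)]
    else:
        targets = as_list(value)
    for target in targets:
        if target != expected:
            findings.append(f"{label}: {field} {target!r} is not {expected}")
    return findings


def audit_proxy_policies(user_policy, trust_policy):
    """Audit the proxy user's inline policy and the long-lived role's trust policy."""
    findings = []
    for stmt in as_list(user_policy.get("Statement")):
        findings += check_statement(stmt, "user policy", "Resource", ROLE_ARN)
    for stmt in as_list(trust_policy.get("Statement")):
        findings += check_statement(stmt, "trust policy", "Principal", USER_ARN)
    return findings


def weak_variant():
    """Constructed over-broad versions of the two policies, for contrast."""
    user = copy.deepcopy(PROXY_USER_POLICY)
    user["Statement"][0]["Action"] = "sts:*"
    user["Statement"][0]["Resource"] = "*"
    trust = copy.deepcopy(ROLE_TRUST_POLICY)
    trust["Statement"][0]["Principal"] = {"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"}
    return user, trust


if __name__ == "__main__":
    print(audit_proxy_policies(PROXY_USER_POLICY, ROLE_TRUST_POLICY))
    for finding in audit_proxy_policies(*weak_variant()):
        print(finding)
```
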
#### 3. Lambda Execution Role
The Lambda function itself needs an execution role:
**Role Name**: `CognitoCredentialProxyRole` (or your configured name)
**Trust Policy**:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
**Managed Policies**:
- `arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole`
### Lambda Environment Variables
Configure these in your Lambda function:
| Variable | Description | Example Value |
|----------|-------------|---------------|
| `IAM_USER_ACCESS_KEY_ID` | Access key ID of the IAM user | `AKIA...` |
| `IAM_USER_SECRET_ACCESS_KEY` | Secret access key of the IAM user | `Ke8TqmD2wgL...` |
| `DEFAULT_ROLE_ARN` | ARN of the long-lived role | `arn:aws:iam::123456789012:role/CognitoLongLivedRole` |
### Identity Pool Configuration (Only setup for Cognito Identity Pool 1hr Credentials)
Your Cognito authenticated role (different from `Long-Lived IAM Role` and `Lambda Execution Role`) needs permission to invoke the Lambda function:
**Add to Identity Pool's authenticated role permission policy**:
```json
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:YOUR_REGION:YOUR_ACCOUNT:function:cognito-credential-proxy"
}
```
**Permissions Policy**: Attach policies for the AWS services your users need to access (S3, DynamoDB, etc.) with the Cognito Identity Pool 1-hour credentials.
## 🔒 Security Considerations
- **Credentials Storage**: Temporary credentials are stored in the standard AWS credentials file
- **Password Handling**: Passwords are never logged or stored persistently
- **Network Security**: All communications use HTTPS/TLS
- **Access Control**: IAM policies enforce least-privilege access
- **Credential Expiration**: Automatic credential expiration (1-12 hours)
- **Audit Trail**: CloudTrail logs all AWS API calls made with temporary credentials
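Because the temporary credentials end up in the shared credentials file, that file's permissions decide who else on the host can use them. The sketch below is an added example, not the project's implementation: it merges a profile into a credentials file through a 0600 temporary file and reports group/other access on POSIX systems. The function names and sample values are constructed, and the dictionary keys are assumed to follow an Identity Pool credentials response.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample values, not real credentials. Key names are assumed to
# follow an Identity Pool response (AccessKeyId / SecretKey / SessionToken).
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretKey": "constructed-secret-not-a-real-key",
    "SessionToken": "constructed%token+with/base64=chars",
}


def write_profile(path, profile, creds):
    """Merge temporary credentials into an AWS-style credentials file.

    Other profiles already in the file are preserved. The new content is
    written to a temporary file created with mode 0600 and then renamed over
    the target, so the secret is never on disk with wider permissions.
    """
    # RawConfigParser: no '%' interpolation, which tokens may contain.
    cfg = configparser.RawConfigParser()
    cfg.read(path)  # a missing file is silently skipped
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", creds["SecretKey"])
    cfg.set(profile, "aws_session_token", creds["SessionToken"])

    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w") as handle:
            cfg.write(handle)
        os.replace(tmp, path)  # atomic rename; result keeps mode 0600
    except BaseException:
        os.unlink(tmp)
        raise


def permission_findings(path):
    """Report group/other access bits on the credentials file (POSIX only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} grants access beyond the owner"]
    return []


if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "credentials")
    write_profile(demo, "default", SAMPLE_CREDS)
    print(permission_findings(demo) or "owner-only permissions")
```
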
## 📚 Additional Resources
### Project Files
- `src/aws_cognito_auth/client.py` - Main authentication client
- `src/aws_cognito_auth/admin.py` - Administrative tools for AWS infrastructure
- `src/aws_cognito_auth/lambda_function.py` - Lambda proxy function
- `policies/` - IAM policy templates (JSON files)
- `pyproject.toml` - Project configuration and dependencies
### AWS Services Used
- **AWS Cognito User Pool**: User authentication and management
- **AWS Cognito Identity Pool**: Temporary credential exchange
- **AWS Lambda**: Extended credential duration (optional)
- **AWS IAM**: Role and policy management
- **AWS STS**: Security Token Service for temporary credentials
## 📄 License
This project is provided as-is for educational and development purposes. Please review and adapt the code according to your security requirements before using in production environments.
## 🤝 Contributing
Contributions are welcome! Please:
- Follow existing code style and patterns
- Add appropriate error handling
- Update documentation for new features
- Test thoroughly with different AWS configurations
---
**⚡ Quick Start Summary:**
1. `pip install -e .`
2. `cogauth configure`
3. `cogauth login -u username`
4. Use AWS CLI commands normally!
---
Repository initiated with [fpgmaas/cookiecutter-uv](https://github.com/fpgmaas/cookiecutter-uv).