# Cognito User Management via AWS CLI

## Create a New User

### Basic User Creation

```bash
aws cognito-idp admin-create-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --user-attributes Name=email,Value=james.w.jager@gmail.com Name=email_verified,Value=true \
  --region us-east-2
```

### Create User with Temporary Password

```bash
aws cognito-idp admin-create-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --user-attributes Name=email,Value=james.w.jager@gmail.com Name=email_verified,Value=true \
  --temporary-password 'TempPassword123!' \
  --message-action SUPPRESS \
  --region us-east-2
```

Parameters:

- `--username`: Username (can be an email address)
- `--user-attributes`: User attributes (email, name, etc.)
- `--temporary-password`: Initial password (the user must change it on first login)
- `--message-action SUPPRESS`: Don't send the welcome email (optional)
- `--region`: AWS region

**⚠️ Important:** Always use single quotes (`'`) around passwords containing special characters like `!`, `*`, `$`, etc. to prevent shell expansion.
## Set Permanent Password

After creating a user with a temporary password, set a permanent password:

```bash
aws cognito-idp admin-set-user-password \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --password 'YourPermanentPassword123!' \
  --permanent \
  --region us-east-2
```
**⚠️ Important:** Use single quotes (`'`) around passwords with special characters so that zsh/bash does not interpret them as shell syntax (`!` triggers history expansion and `$` triggers variable expansion inside double quotes).

Note: the `--permanent` flag marks the password as permanent, so the user won't be forced to change it on next login and the account leaves the `FORCE_CHANGE_PASSWORD` status.
## Confirm User (Skip Email Verification)

```bash
aws cognito-idp admin-confirm-sign-up \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2
```

## Complete Example: Create User Ready to Login

```bash
# Step 1: Create user with temporary password
aws cognito-idp admin-create-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --user-attributes Name=email,Value=james.w.jager@gmail.com Name=email_verified,Value=true \
  --temporary-password 'TempPassword123!' \
  --message-action SUPPRESS \
  --region us-east-2

# Step 2: Set permanent password (use single quotes for passwords with special characters!)
aws cognito-idp admin-set-user-password \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --password 'YourPermanentPassword123!' \
  --permanent \
  --region us-east-2

# Step 3: Confirm user (skip email verification)
aws cognito-idp admin-confirm-sign-up \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2
```

## List Users

```bash
aws cognito-idp list-users \
  --user-pool-id us-east-2_TZtGx1T3X \
  --region us-east-2
```
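After running the creation steps above, the `list-users` output can be checked for accounts left half-configured: a user whose temporary password was never replaced still shows `UserStatus` of `FORCE_CHANGE_PASSWORD`, and a user confirmed by an admin may still carry `email_verified` other than `true`. The following Python script is an added example, not part of this guide; it reads the JSON that `aws cognito-idp list-users` prints (the embedded sample is constructed) and reports those cases.

```python
"""Audit `aws cognito-idp list-users` JSON for accounts left in an unsafe state."""
import json
import sys

# Constructed sample in the shape `aws cognito-idp list-users --output json` returns.
SAMPLE_LIST_USERS = json.dumps({
    "Users": [
        {"Username": "alice@example.com", "Enabled": True, "UserStatus": "CONFIRMED",
         "Attributes": [{"Name": "email", "Value": "alice@example.com"},
                        {"Name": "email_verified", "Value": "true"}]},
        {"Username": "bob@example.com", "Enabled": True, "UserStatus": "FORCE_CHANGE_PASSWORD",
         "Attributes": [{"Name": "email", "Value": "bob@example.com"},
                        {"Name": "email_verified", "Value": "true"}]},
        {"Username": "carol@example.com", "Enabled": True, "UserStatus": "CONFIRMED",
         "Attributes": [{"Name": "email", "Value": "carol@example.com"},
                        {"Name": "email_verified", "Value": "false"}]},
        {"Username": "dave@example.com", "Enabled": False, "UserStatus": "CONFIRMED",
         "Attributes": [{"Name": "email", "Value": "dave@example.com"}]},
    ]
})


def attrs(user):
    """Flatten Cognito's Name/Value attribute list into a dict."""
    return {a["Name"]: a["Value"] for a in user.get("Attributes", [])}


def audit_users(list_users_json):
    """Return {username: [findings]} for users that need a second look."""
    findings = {}
    for user in json.loads(list_users_json)["Users"]:
        issues = []
        a = attrs(user)
        # Temporary password never replaced: the admin-set-user-password step was skipped.
        if user["UserStatus"] == "FORCE_CHANGE_PASSWORD":
            issues.append("temporary password still active")
        # Confirmed (e.g. via admin-confirm-sign-up) while the address was never verified.
        if user["UserStatus"] == "CONFIRMED" and a.get("email_verified") != "true":
            issues.append("confirmed without verified email")
        if not user.get("Enabled", True):
            issues.append("account disabled")
        if issues:
            findings[user["Username"]] = issues
    return findings


if __name__ == "__main__":
    # Pipe real output in: aws cognito-idp list-users --user-pool-id <POOL_ID> | python3 audit.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, issues in audit_users(data if data.strip() else SAMPLE_LIST_USERS).items():
        print(f"{name}: {'; '.join(issues)}")
```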
## Get User Details

```bash
aws cognito-idp admin-get-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2
```

## Delete User

```bash
aws cognito-idp admin-delete-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2
```

## Reset User Password

```bash
aws cognito-idp admin-reset-user-password \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2
```

This sends a password reset email to the user.

## Enable/Disable User

```bash
# Disable user
aws cognito-idp admin-disable-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2

# Enable user
aws cognito-idp admin-enable-user \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --region us-east-2
```
## Test Login After Creating User

Once you've created a user and set a permanent password, test the login endpoint:

```bash
curl -X POST https://api-staging.reelog.app/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "james.w.jager@gmail.com",
    "password": "YourPermanentPassword123!"
  }'
```

Note: For curl, the JSON body uses double quotes, which is fine since it's inside single quotes.

Or use Insomnia:

- Use the Login (Simple) request
- Set username and password
- Copy `access_token` from the response
- Add it to the `access_token` environment variable
## Troubleshooting

### Error: "The security token included in the request is invalid"

This means your AWS CLI credentials are expired, invalid, or not configured.

#### Solution 1: Check Current Credentials

```bash
aws sts get-caller-identity
```

If this fails, your credentials are invalid.

#### Solution 2: Reconfigure AWS CLI

```bash
aws configure
```

You'll need:

- AWS Access Key ID: From IAM → Users → Your User → Security Credentials
- AWS Secret Access Key: Same location (only shown once when created)
- Default region: `us-east-2`
- Default output format: `json`

#### Solution 3: Check Credential File

```bash
cat ~/.aws/credentials
```

Should contain:

```ini
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
```

#### Solution 4: Use a Different Profile

If you have multiple AWS accounts:

```bash
# List profiles
aws configure list-profiles

# Use a specific profile
aws cognito-idp admin-set-user-password \
  --user-pool-id us-east-2_TZtGx1T3X \
  --username james.w.jager@gmail.com \
  --password 'your-password' \
  --permanent \
  --region us-east-2 \
  --profile your-profile-name
```

#### Solution 5: Create New Access Key

If credentials are lost or expired:

- AWS Console → IAM → Users
- Click your user (e.g., `github-actions-user`)
- Security credentials tab
- Access keys → Create access key
- Choose Command Line Interface (CLI)
- Copy the Access key ID and Secret access key
- Run `aws configure` and enter the new credentials
User Pool ID: `us-east-2_TZtGx1T3X`
Region: `us-east-2`
Last Updated: December 10, 2025