What is the correct AWS IAM policy for my app to allow users to log in with AWS Cognito?

I am using Django Warrant for IAM:

import logging

from django.apps import apps
from django.conf import settings
from rest_framework.decorators import api_view
from rest_framework.exceptions import AuthenticationFailed
from rest_framework.response import Response

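@api_view(['POST'])
def login(request):
    """Authenticate a user against the Cognito user pool and return tokens.

    Reads ``email`` and ``password`` from the POST body, authenticates through
    warrant's ``Cognito`` client using the pool id, app client id, region and
    AWS key pair taken from Django settings, and responds with the access and
    refresh tokens on success.

    Raises:
        AuthenticationFailed: when either field is missing, or when Cognito
            rejects the credentials. The caller only receives a generic
            message; the underlying exception is logged server-side.

    NOTE(review): the error quoted with this view names the ``InitiateAuth``
    operation, not ``AdminInitiateAuth``, so warrant appears to be using the
    client-side auth flow here; if so, the IAM policy attached to the access
    key would not be what decides this failure — confirm against warrant's
    ``authenticate`` implementation.
    """
    logger = logging.getLogger(__name__)

    username = request.data.get('email')
    password = request.data.get('password')

    # `code` is DRF's error-code string, not the HTTP status; the 401 status
    # comes from AuthenticationFailed.status_code.
    if not username or not password:
        raise AuthenticationFailed('Username and password are required.', code=401)

    pool_id = getattr(settings, 'COGNITO_USER_POOL_ID', None)
    app_id = getattr(settings, 'COGNITO_APP_ID', None)
    region = getattr(settings, 'COGNITO_REGION', None)

    key = getattr(settings, 'COGNITO_AWS_KEY', None)
    secret = getattr(settings, 'COGNITO_AWS_SECRET', None)

    cognito = Cognito(
        user_pool_id=pool_id,
        client_id=app_id,
        user_pool_region=region,
        access_key=key,
        secret_key=secret,
        username=username,
    )

    try:
        cognito.authenticate(password=password)
    except Exception:
        # Keep the real cause (e.g. NotAuthorizedException / "Password attempts
        # exceeded") in the server log for operators, but do not echo it to the
        # caller: the raw provider message may distinguish lockout, wrong
        # password and unknown user, which is account-enumeration material.
        logger.exception("Cognito authentication failed for a login attempt")
        raise AuthenticationFailed('Invalid credentials.', code=401)

    # Return tokens
    return Response({
        "access_token": cognito.access_token,
        "refresh_token": cognito.refresh_token,
    }, status=201)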

But even though authenticating from the AWS CLI succeeds:

aws cognito-idp admin-initiate-auth --user-pool-id eu-west-1_XXXXXX --client-id XXXXXXXX --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=YTYY,PASSWORD=YYYY

and returns the necessary credentials:

{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "XXXXXXXXXX...XXXXXX",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "XXXDDDXXXX",
        "IdToken": "XXXSSSXXX"
    }
}

the view above returns:

{
    "detail": "An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Password attempts exceeded"
}

with an HTTP 401 response. My IAM permissions are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAdminUserPoolActions",
            "Effect": "Allow",
            "Action": [
                "cognito-idp:AdminInitiateAuth",
                "cognito-idp:AdminRespondToAuthChallenge",
                "cognito-idp:AdminGetUser",
                "cognito-idp:AdminSetUserPassword",
                "cognito-idp:ListUserPools",
                "cognito-idp:GetUser",
                "cognito-idp:ListGroups",
                "cognito-idp:AdminAddUserToGroup"
            ],
            "Resource": "arn:aws:cognito-idp:eu-west-1:962331388720:userpool/eu-west-1_XXXXXX"
        }
    ]
}

What am I missing? I suspect my policy is wrong, but which one is the correct one? I define my credentials in settings.py as:

# Cognito settings, all sourced from the process environment except the
# region, which follows the project-wide AWS_REGION.
COGNITO_USER_POOL_ID = os.environ.get("COGNITO_USER_POOL_ID")
COGNITO_APP_ID = os.environ.get("COGNITO_APP_ID")
COGNITO_REGION = AWS_REGION
COGNITO_AWS_KEY = os.environ.get("COGNITO_AWS_KEY")
COGNITO_AWS_SECRET = os.environ.get("COGNITO_AWS_SECRET")

# Fail at import time rather than on the first login attempt if the IAM
# key pair used to sign Cognito calls is absent.
if COGNITO_AWS_KEY is None:
    raise RuntimeError("AWS Cognito Key is not Defined")

if COGNITO_AWS_SECRET is None:
    raise RuntimeError("AWS Cognito Secret is not Defined")


Can you help me?
