Resetting password and resending initial password with AWS CLI and Amazon Cognito

2022.11.28

This article was published more than a year ago. Please note that the information may be out of date.

Amazon Cognito

Amazon Cognito provides authentication, authorization and user management for your web and mobile applications. Users can sign in with a username and password or through third-party identity providers such as Facebook or Google. There are several tools for managing passwords, such as resetting them and resending forgotten ones. We will look at resetting a password and at resending the temporary password that is sent to a user after registration.

Reset password

Unless you have impeccable habits for managing login information, you have forgotten your password at least once. A properly designed service offers an option to recover or reset a forgotten password. For that case the AWS CLI has the admin-reset-user-password command, which looks like this:

aws cognito-idp admin-reset-user-password --user-pool-id us-west-2_aaaaaaaaa --username user@example.com

Required parameters are the user pool id and the username. When the API is called, the old password is invalidated and a new one is sent to the user.

Resending initial password

To create a user in Amazon Cognito you use admin-create-user, which has an optional parameter --temporary-password. There is a time limit within which the user must log in for the first time with the password provided to them. If the user fails to do so in time, the password expires and must be reset. Despite its name, admin-reset-user-password cannot be used in this case; admin-create-user with the RESEND message action exists for that purpose.

The temporary password can only be used until the user account expiration limit that you specified when you created the user pool. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter.

Example API call for resending the temporary password:

aws cognito-idp admin-create-user --region us-west-2 --user-pool-id us-west-2_aaaaaaaaa --username John --message-action RESEND

Required parameters are the region, the user pool id and the username. Adding --message-action RESEND causes a new temporary password to be sent to the user.

Conclusion

Amazon Cognito offers several ways to manage users in web and mobile applications, covering most scenarios: forgotten passwords, password resets and resending temporary passwords. It is the create-user action that is needed for that last case, which can be confusing at first.