AdminSetUserPassword
Sets the specified user's password in a user pool as an administrator. Works on any user.
The password can be temporary or permanent. If it is temporary, the user status enters
the FORCE_CHANGE_PASSWORD
state. When the user next tries to sign in, the
InitiateAuth/AdminInitiateAuth response will contain the
NEW_PASSWORD_REQUIRED
challenge. If the user doesn't sign in before it
expires, the user won't be able to sign in, and an administrator must reset their
password.
Once the user has set a new password, or the password is permanent, the user status is
set to Confirmed
.
AdminSetUserPassword
can set a password for the user profile that Amazon Cognito
creates for third-party federated users. When you set a password, the federated user's
status changes from EXTERNAL_PROVIDER
to CONFIRMED
. A user in
this state can sign in as a federated user, and initiate authentication flows in the API
like a linked native user. They can also modify their password and attributes in
token-authenticated API requests like ChangePassword
and
UpdateUserAttributes
. As a best security practice and to keep users in
sync with your external IdP, don't set passwords on federated user profiles. To set up a
federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user
profile.
Note
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Request Syntax
{
"Password": "string
",
"Permanent": boolean
,
"Username": "string
",
"UserPoolId": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- Password
-
The password for the user.
Type: String
Length Constraints: Maximum length of 256.
Pattern:
[\S]+
Required: Yes
- Permanent
-
True
if the password is permanent,False
if it is temporary.Type: Boolean
Required: No
- Username
-
The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If
username
isn't an alias attribute in your user pool, you can also use theirsub
in this request.Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern:
[\p{L}\p{M}\p{S}\p{N}\p{P}]+
Required: Yes
- UserPoolId
-
The user pool ID for the user pool where you want to set the user's password.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 55.
Pattern:
[\w-]+_[0-9a-zA-Z]+
Required: Yes
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- InternalErrorException
-
This exception is thrown when Amazon Cognito encounters an internal error.
HTTP Status Code: 500
- InvalidParameterException
-
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
HTTP Status Code: 400
- InvalidPasswordException
-
This exception is thrown when Amazon Cognito encounters an invalid password.
HTTP Status Code: 400
- NotAuthorizedException
-
This exception is thrown when a user isn't authorized.
HTTP Status Code: 400
- ResourceNotFoundException
-
This exception is thrown when the Amazon Cognito service can't find the requested resource.
HTTP Status Code: 400
- TooManyRequestsException
-
This exception is thrown when the user has made too many requests for a given operation.
HTTP Status Code: 400
- UserNotFoundException
-
This exception is thrown when a user isn't found.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: