Change User Status from FORCE_CHANGE_PASSWORD in Cognito


Borislav Hadzhiev

Last updated: Sep 24, 2021



To change a Cognito user's status from FORCE_CHANGE_PASSWORD to CONFIRMED, we have to change their password. To change a Cognito user's password, use the admin-set-user-password command with the --permanent parameter.

aws cognito-idp admin-set-user-password --user-pool-id YOUR_USER_POOL_ID --username YOUR_USERNAME --password "cats-and-dogs-123" --permanent


The admin-set-user-password command allows us to set a user's password as an administrator.

We can set the user's password to be a temporary or permanent one. If we set a temporary password, the user's status is set to FORCE_CHANGE_PASSWORD, which means that the next time they try to log in, they will be required to change their password.

If a user whose account is in the FORCE_CHANGE_PASSWORD status is prompted to update their password on sign-in and doesn't, the challenge expires and only an admin can update their password.

By setting the --permanent parameter in the command, we've updated the user's status from FORCE_CHANGE_PASSWORD to CONFIRMED.

To verify that the user's status has been changed to CONFIRMED, run the admin-get-user command.

aws cognito-idp admin-get-user --user-pool-id YOUR_USER_POOL_ID --username YOUR_USERNAME --query "UserStatus"


The admin-get-user command returns information about the Cognito user. We're only interested in the user's status, so we've used the --query parameter to filter the output down to the UserStatus.
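The two commands above combined into one guarded step, as an added example that is not part of the original article: it only touches users that are still in FORCE_CHANGE_PASSWORD, reads the new password from stdin instead of typing it on the command line, and confirms the result. The function names `user_status` and `confirm_user` are hypothetical, and the script assumes the AWS CLI is configured with credentials allowed to run both admin commands.

```shell
# Hypothetical helpers wrapping the two commands from this article.

# Print a user's UserStatus as plain text, e.g. FORCE_CHANGE_PASSWORD.
user_status() {
  aws cognito-idp admin-get-user --user-pool-id "$1" --username "$2" \
    --query "UserStatus" --output text
}

# Usage: confirm_user POOL_ID USERNAME   (new password is read from stdin)
# Returns 0 when the user ends up CONFIRMED, 2 when skipped, 1 on error.
confirm_user() {
  pool_id=$1
  username=$2

  status=$(user_status "$pool_id" "$username") || return 1
  if [ "$status" != "FORCE_CHANGE_PASSWORD" ]; then
    echo "skip: $username is $status" >&2
    return 2
  fi

  # Read the password from stdin so it is not saved in shell history
  # (it is still passed to aws as an argument). On a terminal, switch
  # echo off while it is typed.
  if [ -t 0 ]; then printf 'New password: ' >&2; stty -echo; fi
  IFS= read -r password || true
  if [ -t 0 ]; then stty echo; echo >&2; fi
  if [ -z "$password" ]; then
    echo "error: empty password" >&2
    return 1
  fi

  aws cognito-idp admin-set-user-password --user-pool-id "$pool_id" \
    --username "$username" --password "$password" --permanent
  rc=$?
  unset password
  [ "$rc" -eq 0 ] || return 1

  # Re-read the status instead of assuming the call took effect.
  [ "$(user_status "$pool_id" "$username")" = "CONFIRMED" ]
}
```

Source the file and run `confirm_user YOUR_USER_POOL_ID YOUR_USERNAME`; a return code of 2 means the user was already out of FORCE_CHANGE_PASSWORD and nothing was changed.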

