Updated Cognito Identity CLI Command Format

afaq1337 · web-flow · commit 0484df9baf31 · 2025-08-04T23:56:55.000+05:00
Replaced outdated key=value syntax with JSON-based in "--logins" format, keeping the old format for preserved legacy.
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
@@ -167,22 +167,36 @@ For this you might need to have access to the **identity provider**. If that is
 
 Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured).
 
-<pre class="language-bash"><code class="lang-bash">aws cognito-identity get-id \
-    --identity-pool-id <identity_pool_id> \
-    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+<pre class="language-bash"><code class="lang-bash">
+# Updated format
+aws cognito-identity get-id \
+  --identity-pool-id <identity_pool_id> \
+  --logins '{"cognito-idp.<region>.amazonaws.com/<user_pool_id>": "<ID_TOKEN>"}'
 
-# Get the identity_id from the previous commnad response
 aws cognito-identity get-credentials-for-identity \
-    --identity-id <identity_id> \
-    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+  --identity-id <identity_id> \
+  --logins '{"cognito-idp.<region>.amazonaws.com/<user_pool_id>": "<ID_TOKEN>"}'
 
+aws cognito-identity get-credentials-for-identity \
+  --identity-id <identity_id> \
+  --custom-role-arn <role_arn> \
+  --logins '{"cognito-idp.<region>.amazonaws.com/<user_pool_id>": "<ID_TOKEN>"}'
+</code></pre>
+
+> **Deprecated format** — these may no longer work with current AWS CLI:
+<pre class="language-bash"><code class="lang-bash">
+aws cognito-identity get-id \
+  --identity-pool-id <identity_pool_id> \
+  --logins cognito-idp.<region>.amazonaws.com/<user_pool_id>=<ID_TOKEN>
+
+aws cognito-identity get-credentials-for-identity \
+  --identity-id <identity_id> \
+  --logins cognito-idp.<region>.amazonaws.com/<user_pool_id>=<ID_TOKEN>
 
-# In the IdToken you can find roles a user has access because of User Pool Groups
-# User the --custom-role-arn to get credentials to a specific role
 aws cognito-identity get-credentials-for-identity \
-    --identity-id <identity_id> \
-<strong>    --custom-role-arn <role_arn> \
-</strong>    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
+  --identity-id <identity_id> \
+  --custom-role-arn <role_arn> \
+  --logins cognito-idp.<region>.amazonaws.com/<user_pool_id>=<ID_TOKEN>
 </code></pre>
 
 > [!WARNING]
