Automate Browser‑Based MFA for AWS CLI with Cognito and Credential Process
By leveraging Cognito’s Hosted UI and the OAuth2 Authorization Code Grant, a lightweight local helper launches a temporary web server, opens the browser for MFA login, exchanges the code for tokens, and feeds temporary AWS STS credentials into the AWS CLI via the credential_process feature, delivering a seamless, SSO‑like experience.
Overview
This guide shows how to replace manual password and MFA entry for the AWS CLI with an automated browser‑based flow using Amazon Cognito Hosted UI, the OAuth2 Authorization Code Grant, and a small local helper tool. The helper runs a temporary web server on the loopback interface, captures the authorization code, exchanges it for Cognito tokens, trades the ID token for temporary AWS STS credentials through a Cognito identity pool, and hands those credentials to the AWS CLI, either by writing them to ~/.aws/credentials or, through credential_process, by printing them on demand. The result is a single‑sign‑on‑like experience without long‑lived access keys on the workstation.
Core Components
Cognito Hosted UI : Provides a managed login, sign‑up, MFA and password‑reset UI served from the user pool's own domain (a prefix under auth.<region>.amazoncognito.com, or a custom domain). The cognito-idp.amazonaws.com endpoint is the user‑pool API, not the Hosted UI.
OAuth2 Authorization Code Grant : After the user authenticates in the browser (password plus MFA), Cognito redirects the browser to a pre‑registered callback URL carrying a short‑lived, single‑use authorization code. The helper sends a random state value and a PKCE code_challenge with the request, so a stray or attacker‑supplied redirect cannot be exchanged for tokens.
Local Helper Tool : A lightweight CLI application that (a) starts a temporary HTTP server bound to the loopback interface (e.g., http://localhost:8080), (b) opens the generated Hosted UI URL in the default browser, (c) receives the authorization code on the callback and checks it against the state it issued, (d) exchanges the code for Cognito ID, access and refresh tokens at the /oauth2/token endpoint, and (e) presents the ID token to the Cognito Identity Pool (GetId, then GetCredentialsForIdentity) to obtain temporary AWS STS credentials for the pool's authenticated role, which are written to ~/.aws/credentials or returned to the AWS CLI through credential_process.
Configure Cognito App Client
Adjust the Cognito user‑pool app client settings:
Navigate to App integration in the Cognito console.
Select the relevant app client and edit it.
Add http://localhost:8080 (or another chosen port) to Allowed callback URLs . Cognito accepts plain http only for localhost callbacks; any other host must use https. The redirect URI the helper sends must match this entry exactly, including any trailing slash.
Enable the Authorization code grant under OAuth 2.0 grant types, and include at least the openid scope so an ID token is issued.
Leave the app client without a client secret: a CLI installed on every workstation cannot keep a secret, and a public client using PKCE is the intended configuration for this flow.
Save the changes.
Step 1 – Install a Helper Tool
Several open‑source tools implement the flow; a typical choice is a Node.js or Go binary. For illustration we use a hypothetical cognito-cli-login tool.
# Install via npm or Homebrew
npm install -g aws-cognito-cli-login
# or
brew install some-cognito-login-tool
Step 2 – Configure the Helper
Create a TOML configuration file in the home directory:
# ~/.cognito-login.toml
[default]
aws_region = "us-east-1"
cognito_user_pool_id = "us-east-1_xxxxxxxxx"
cognito_app_client_id = "xxxxxxxxxxxxxxxxxxxxxx"
cognito_identity_pool_id = "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# The tool automatically uses http://localhost:8080 as the callback URL
Step 3 – Perform the Login
Run the helper with the desired profile:
cognito-cli-login --profile default
The sequence is:
The default browser opens the Cognito Hosted UI login page.
The user enters credentials and MFA code.
After successful authentication, Cognito redirects the browser to http://localhost:8080, where the helper's temporary server validates the state parameter and displays a short success message.
The helper exchanges the code for Cognito tokens, obtains temporary STS credentials through the identity pool, writes them to ~/.aws/credentials and prints a confirmation.
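The login sequence above, as an added example that is not the hypothetical cognito-cli-login tool or any code from the original article. It implements the helper's core with the Python standard library only: PKCE verifier and S256 challenge, the Hosted UI authorize URL with a random state, a loopback callback server that rejects any redirect whose state does not match, and the token request to /oauth2/token. The Hosted UI domain, client ID, port and redirect URI are placeholder assumptions; the identity-pool step that follows the token exchange is not shown here.

```python
# Added example, not the article's tool. All URLs, IDs and the port are assumptions.
import base64
import hashlib
import json
import secrets
import sys
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

HOSTED_UI = "https://example-prefix.auth.us-east-1.amazoncognito.com"  # assumed user-pool domain
CLIENT_ID = "xxxxxxxxxxxxxxxxxxxxxx"       # public app client: no client secret
REDIRECT_URI = "http://localhost:8080/"  # must match the allowed callback URL exactly


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce() -> Tuple[str, str]:
    """Fresh 256-bit verifier plus its challenge; the verifier never leaves this process."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(state: str, challenge: str, scope: str = "openid") -> str:
    """Hosted UI /oauth2/authorize URL; state ties the callback to this login attempt."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{HOSTED_UI}/oauth2/authorize?{urlencode(params)}"


def parse_callback(path: str, expected_state: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (code, None) for the genuine redirect, else (None, reason).
    A state mismatch covers stray requests (e.g. /favicon.ico) and injected redirects;
    such a code must never be exchanged."""
    query = parse_qs(urlparse(path).query)
    if "error" in query:
        return None, f"{query['error'][0]}: {query.get('error_description', ['?'])[0]}"
    if query.get("state", [None])[0] != expected_state:
        return None, "state mismatch"
    code = query.get("code", [None])[0]
    return (code, None) if code else (None, "missing code")


def build_token_request(code: str, verifier: str) -> Request:
    """POST to /oauth2/token; the verifier proves we started the flow that produced the code."""
    body = urlencode({
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier,
    }).encode("ascii")
    return Request(f"{HOSTED_UI}/oauth2/token", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code, reason = parse_callback(self.path, self.server.expected_state)
        if code:
            self.server.code = code
            status, text = 200, "Login complete. You can close this tab."
        else:
            status, text = 400, f"Login rejected: {reason}"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(text.encode("utf-8"))

    def log_message(self, fmt, *args):  # keep stdout clean for credential_process
        sys.stderr.write(fmt % args + "\n")


def login() -> dict:
    """One browser login; returns the Cognito token response (id/access/refresh tokens)."""
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    server = HTTPServer(("127.0.0.1", 8080), _CallbackHandler)  # loopback only, never 0.0.0.0
    server.expected_state, server.code = state, None
    try:
        webbrowser.open(build_authorize_url(state, challenge))
        while server.code is None:          # keep serving until the genuine redirect arrives
            server.handle_request()
    finally:
        server.server_close()
    with urlopen(build_token_request(server.code, verifier), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tokens = login()
    print("token response expires in", tokens.get("expires_in"), "s", file=sys.stderr)
```

The server is bound to 127.0.0.1 so only the local browser can reach it, and the handler keeps serving until a redirect with the right state arrives, so a favicon request or a redirect planted by another page cannot terminate the flow with a foreign code. Everything the helper says goes to stderr; stdout is reserved for the JSON that credential_process consumes.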
Native AWS CLI Integration via credential_process
To make the flow completely transparent, configure a profile in ~/.aws/config that invokes the helper whenever credentials are needed:
[profile cognito]
region = us-east-1
credential_process = cognito-cli-login --json --profile default
The credential_process directive tells the AWS CLI to execute the helper, which must print to stdout a single JSON object containing Version (always 1), AccessKeyId, SecretAccessKey, SessionToken and, for temporary credentials, an ISO 8601 Expiration; if Expiration is omitted the CLI treats the credentials as long‑term and never refreshes them. Nothing else may be written to stdout, so prompts and progress messages belong on stderr. The CLI does not cache the output on disk and runs the helper on every invocation, so the helper must keep its own cache of tokens or credentials in a file readable only by the user and open the browser only when that cache is missing or about to expire. The CLI then uses the returned temporary credentials for the requested operation.
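The credential_process contract described above, as an added example that is not the article's hypothetical tool. It maps a cognito-identity GetCredentialsForIdentity result onto the JSON the AWS CLI expects (that API names the secret SecretKey, the CLI wants SecretAccessKey), caches it in a file created with mode 0600, refuses a cache that is group- or world-readable, and calls the browser login only when the cached credentials are missing or inside a refresh margin. CACHE_PATH and the fresh_login callable are assumptions; the mode check is for POSIX systems.

```python
# Added example, not the article's tool. CACHE_PATH and fresh_login are assumptions.
import json
import os
import stat
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Callable, Optional

CACHE_PATH = Path.home() / ".cache" / "cognito-cli-login" / "default.json"  # assumed location
REFRESH_MARGIN = timedelta(minutes=5)   # renew early so a long command does not expire mid-way
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def to_credential_process(creds: dict) -> dict:
    """Build the object credential_process must print. Version is mandatory; without
    Expiration the CLI assumes long-term credentials and never refreshes them."""
    exp = creds["Expiration"]
    if isinstance(exp, datetime):               # boto3 hands back an aware datetime
        exp = exp.astimezone(timezone.utc).strftime(ISO_UTC)
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretKey"],  # cognito-identity key name differs from the CLI's
        "SessionToken": creds["SessionToken"],
        "Expiration": exp,
    }


def is_usable(out: dict, now: Optional[datetime] = None) -> bool:
    """True if the cached credentials outlive the refresh margin."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.strptime(out["Expiration"], ISO_UTC).replace(tzinfo=timezone.utc)
    return exp - now > REFRESH_MARGIN


def load_cache(path=CACHE_PATH) -> Optional[dict]:
    """Cached credentials, or None if absent, unreadable, too permissive or nearly expired."""
    path = Path(path)
    try:
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            return None                         # others can read it: discard and log in again
        out = json.loads(path.read_text())
        return out if is_usable(out) else None
    except (OSError, ValueError, KeyError):
        return None


def save_cache(out: dict, path=CACHE_PATH) -> None:
    """Write the cache owner-only from the moment the file exists."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(out, fh)
    os.chmod(path, 0o600)                       # an older, looser file would keep its old mode


def credentials(fresh_login: Callable[[], dict], path=CACHE_PATH) -> dict:
    """What `cognito-cli-login --json` would return: cache if still good, else a new login."""
    out = load_cache(path)
    if out is None:
        print("no usable cached credentials, starting browser login", file=sys.stderr)
        out = to_credential_process(fresh_login())
        save_cache(out, path)
    return out


if __name__ == "__main__":
    def _fresh_login() -> dict:
        # Placeholder: Hosted UI login -> id_token -> cognito-identity GetId ->
        # GetCredentialsForIdentity; a real helper returns that call's 'Credentials' dict.
        raise SystemExit("wire this to the Cognito login flow")

    json.dump(credentials(_fresh_login), sys.stdout)  # stdout carries only the JSON the CLI parses
```

The cache holds the STS credentials rather than the Cognito refresh token, so its lifetime is bounded by the identity pool's session duration; keeping the refresh token instead would allow silent renewal for longer but turns the cache file into a long-lived secret, which is the trade-off to decide before shipping such a helper.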
Usage Example
With the profile in place, any AWS CLI command works as if SSO were configured:
aws s3 ls --profile cognito
If the cached credentials have expired or are missing, the helper launches the browser for a fresh login before the command proceeds.
If the credentials are still valid, the command runs immediately without interruption.
Conclusion
Combining Cognito Hosted UI, the OAuth2 Authorization Code Grant, a local helper tool, and the AWS CLI credential_process feature provides an on‑demand, browser‑driven MFA login that matches the convenience of aws sso login while working in environments where IAM Identity Center is unavailable. Because the workstation only ever holds short‑lived STS credentials scoped to the identity pool's authenticated role, a leaked credentials file has a bounded blast radius; the approach is automatable and valuable for cloud engineers seeking a smooth, enterprise‑grade authentication workflow.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Ops Development & AI Practice
DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.