amazon-cognito multi-factor-authentication

Cognito AssociateSoftwareToken: token does not have required scopes

I am setting up TOTP-based MFA in Cognito according to the official documentation. The user pool is configured, the next step is to associate the token. Using boto3:

client = boto3.client('cognito-idp')
client.associate_software_token(access_token)

Which returns the error:

NotAuthorizedException when calling the AssociateSoftwareToken operation: 
Access Token does not have required scopes

The token has the scopes email profile openid. What am I missing, what other scopes does it expect?

Solution

You are missing the aws.cognito.signin.user.admin scope that is required by pretty much all actions related to users account.

See this question for more details: What does the `aws.cognito.signin.user.admin` scope mean in Amazon Cognito?

aws-encryption-sdk-python decrypt error: '65 is not a valid SerializationVersion'
Simple way to put AWS Lambda app behind SAML authentication
Cognito "Authorizer" element not appearing in RequestContext in a Lambda triggered via API Gateway
SSO not working in iOS when using AWS Cognito and Azure AD
AWS Lambda Custom JWT Validation
Is it possible to filter metrics of AWS Cognito by user group?
Amplify Gen 2 Users List
Is this auth flow possible with Amazon Cognito Identity and User Pool
Why won't Cognito send custom email message templates in the AdminCreateUser case?
Cognito User migration trigger not firing
Allowing Cognito non verified users to sign in?
Cognito sending forget password confirmation to incorrect address
How to modify expiry time of the access and identity tokens for AWS Cognito User Pools
How to Implement OTP-Passwordless Login Using Either Email or Phone Number in Amazon Cognito?
DIfferent Cognito Pool Authorizer by Api Gateway Stages
Amplify gen 2, amplify-authenticator "There is already a signed in user."
How to mock AWS Cognito CognitoIdentityServiceProvider with Jest?
Is it possible to revoke AWS Cognito IdToken?
Cognito - Client is not enabled for OAuth2.0 flows
Acessing user identity in AWS Lambda
Authentication with Lambda and AWS Cognito
How can I remove empty client_secret from request body for OAuth 2.0 token requests in Postman?
AWS Cognito Auth JSON request isn't Deserializing with nested classes in Unity
How to confirm Cognito User after it was created with adminCreateUser command
Serverless Framework v3 custom-resource-existing-cup function Node16 is deprecated
AWS Cognito; unauthorized_client error when hitting /oauth2/token
Integrating Amazon API Gateway with Amazon Cognito for use in a .Net Framework Desktop Application
Serverless - Adding trigger to Using existing pools fails deployment - CREATE_FAILED: CustomDashresourceDashexistingDashcupLambdaFunction
Cognito CreateAuthChallenge InvalidLambdaResponseException
Getting aws cognito token in aws-amplify ui-react