I am setting up TOTP-based MFA in Cognito according to the official documentation. The user pool is configured, the next step is to associate the token. Using boto3:
import boto3

client = boto3.client('cognito-idp')
# boto3 client methods accept keyword arguments only
client.associate_software_token(AccessToken=access_token)
Which returns the error:
NotAuthorizedException when calling the AssociateSoftwareToken operation:
Access Token does not have required scopes
The token has the scopes email profile openid. What am I missing, what other scopes does it expect?
You are missing the aws.cognito.signin.user.admin scope, which is required by pretty much all actions related to user accounts.
See this question for more details: What does the `aws.cognito.signin.user.admin` scope mean in Amazon Cognito?
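As an added example (not from the question or the answer above), the following helper checks a Cognito access token's `scope` claim for `aws.cognito.signin.user.admin` before calling AssociateSoftwareToken, so the missing-scope problem surfaces as a clear local error rather than a NotAuthorizedException from the service. It only base64url-decodes the payload of your own token (no signature verification), and `make_unsigned_test_token` builds a constructed, unsigned token purely for offline testing.

```python
import base64
import json

REQUIRED_SCOPE = "aws.cognito.signin.user.admin"


def decode_jwt_payload(token):
    """Return the claims dict of a JWT. Decodes only; does NOT verify the
    signature, so use it solely as a pre-flight check on a token you hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(access_token, required=(REQUIRED_SCOPE,)):
    """Return the required scopes absent from the token's space-separated
    'scope' claim (Cognito encodes e.g. "email profile openid")."""
    claims = decode_jwt_payload(access_token)
    granted = set(claims.get("scope", "").split())
    return set(required) - granted


def associate_totp(client, access_token):
    """Call AssociateSoftwareToken only when the token carries the needed
    scope. `client` is a boto3 cognito-idp client (or any object exposing
    the same method); boto3 requires the keyword argument AccessToken."""
    missing = missing_scopes(access_token)
    if missing:
        raise PermissionError(
            "access token lacks scope(s) %s; obtain a token that grants them"
            % ", ".join(sorted(missing))
        )
    return client.associate_software_token(AccessToken=access_token)


def make_unsigned_test_token(scope):
    """Constructed, unsigned JWT-shaped token for local testing only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    payload = b64({"scope": scope, "token_use": "access"})
    return ".".join([header, payload, ""])


if __name__ == "__main__":
    import boto3  # only needed for a real call against Cognito
    print(missing_scopes(make_unsigned_test_token("email profile openid")))
```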