来自 CognitoIdentityProviderClient::adminCreateUser() 的 MissingAuthenticationTokenException ("Missing Authentication Token")

Question

我有一个有效的 AWS PHP SDK 实现。 $client->getUser() 之类的操作有效，但 $client->adminCreateUser() 和其他操作无效。

当我调用 $client->adminCreateUser([...]) 时，结果是：

Error executing "AdminCreateUser" on "https://cognito-idp.ap-southeast-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.ap-southeast-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
 MissingAuthenticationTokenException (client): Missing Authentication Token - {"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}

行 191 在 /var/www/project/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php

使用完全相同的凭据从 CLI（例如 cognito-idp admin-create-user）调用的类似服务正在运行。

这是什么原因造成的？

示例详细信息

我的环境：

Ubuntu 18.04
阿帕奇 2.4.29
PHP 7.3
aws/aws-sdk-php 3.92.3

.aws/credentials

[default]
aws_access_key_id=XXXX
aws_secret_access_key=XXXX

我正在使用我的开发者凭证

示例代码：

$client = new CognitoIdentityProviderClient([
    'version' => 'latest',
    'region' => 'ap-southeast-2',
    'credentials' => false, // Set to false to allow roles provisioned to our EC2 instances
]);

$result = $client->adminCreateUser([
    'DesiredDeliveryMediums' => ['Email'],
    'MessageAction' => 'RESEND',
    'TemporaryPassword' => 'TemporaryPassword1234',
    'UserAttributes' => [
        ['Name' => 'email', 'Value' => 'mailbox@domain.tld'],
    ],
    'UserPoolId' => 'ap-southeast-2_XXXX',
    'Username' => 'mailbox@domain.tld',
]);

Answer 1

您需要从 CognitoIdentityProviderClient 配置中删除 'credentials' => false。

adminCreateUser() 操作需要签名的请求（与 signUp() 等操作不同，这就是为什么 signUp() 可以使用未签名的请求，但 adminCreateUser() 和其他操作需要开发人员凭据不会）

来自 AWS 文档

https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#admincreateuser 说

AdminCreateUser requires developer credentials.

https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#credentials 说

Pass false to use null credentials and not sign requests.

需要签署请求以提供开发人员凭据。

来自 CognitoIdentityProviderClient::adminCreateUser() 的 MissingAuthenticationTokenException ("Missing Authentication Token")

MissingAuthenticationTokenException ("Missing Authentication Token") from CognitoIdentityProviderClient::adminCreateUser()

php

amazon-web-services

amazon-cognito

aws-sdk

示例详细信息