我有一个有效的AWS PHP SDK实现。 $client->getUser()之类的操作有效,但$client->adminCreateUser()及其他操作无效。
当我致电$client->adminCreateUser([...])时,结果为:
Error executing "AdminCreateUser" on "https://cognito-idp.ap-southeast-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.ap-southeast-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
MissingAuthenticationTokenException (client): Missing Authentication Token - {"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
/var/www/project/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php 中的第 191 行
使用完全相同的凭据从CLI(例如cognito-idp admin-create-user)调用的类似服务正在工作。
是什么原因造成的?
我的环境:
.aws /凭证
[default]
aws_access_key_id=XXXX
aws_secret_access_key=XXXX
我正在使用我的开发人员凭据
示例代码:
$client = new CognitoIdentityProviderClient([
'version' => 'latest',
'region' => 'ap-southeast-2',
'credentials' => false, // Set to false to allow roles provisioned to our EC2 instances
]);
$result = $client->adminCreateUser([
'DesiredDeliveryMediums' => ['Email'],
'MessageAction' => 'RESEND',
'TemporaryPassword' => 'TemporaryPassword1234',
'UserAttributes' => [
['Name' => 'email', 'Value' => 'mailbox@domain.tld'],
],
'UserPoolId' => 'ap-southeast-2_XXXX',
'Username' => 'mailbox@domain.tld',
]);
答案 0 :(得分:3)
您需要从'credentials' => false配置中删除CognitoIdentityProviderClient。
adminCreateUser()操作需要经过签名的请求(与signUp()之类的操作不同,这就是signUp()可以与未签名的请求一起使用,但是adminCreateUser()和其他需要开发人员的操作凭据不会)
从AWS文档中
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#admincreateuser说
AdminCreateUser需要开发人员凭据。
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#credentials说
传递false以使用空凭据而不签署请求。
需要签名请求以提供开发人员凭据。