AWS Cognito開發者認證在PHP

Question

我試圖使用PHP SDK來實現開發者的認證，但不斷收到此錯誤：

Fatal error: Uncaught Aws\CognitoIdentity\Exception\CognitoIdentityException: AWS Error Code: AccessDeniedException, Status Code: 400, AWS Request ID: da162f98-fb50-11e4-937e-0bf2642a4752, AWS Error Type: client, AWS Error Message: User: arn:aws:iam::256661818246:user/tester is not authorized to perform: cognito-identity:GetOpenIdTokenForDeveloperIdentity on resource: arn:aws:cognito-identity:us-east-1:256661818246:identitypool/us-east-1:69767873-2de2-4cc7-a78f-3d18b5e9bf71, User-Agent: aws-sdk-php2/2.8.3 Guzzle/3.9.3 curl/7.20.0 PHP/5.3.6 thrown in /var/www/html/aws/Aws/Common/Exception/NamespaceExceptionFactory.php on line 91

這是我的示例代碼：

<?php 
session_start(); 

//Include AWS client libs 
require (dirname(__DIR__).'/aws/aws-autoloader.php'); 
use Aws\CognitoIdentity\CognitoIdentityClient; 
use Aws\Sts\StsClient; 

/* Global Vars */ 
$aws_region = 'us-east-1'; 
$aws_key = '<AWS_KEY>'; 
$aws_secret = '<AWS_SECRET>'; 
$aws_account_id = '<AWS_ACCOUNT_ID>'; 
$identity_pool_id = 'us-east-1:xxxx-xxxx-xxxx-xxxx'; 

//Initialize a Cognito Identity Client using the Factory 
$client = CognitoIdentityClient::factory(array('region' => $aws_region, 'key' => $aws_key, 'secret' => $aws_secret)); 

/* Acquire new Identity */ 
$identity = $client->getOpenIdTokenForDeveloperIdentity(array('IdentityPoolId' => $identity_pool_id, 'Logins' => array('login.custom.traffic' => 'jkljkasdjk'))); 

//Obtain Identity from response data structure 
$id = $identity->get('IdentityId'); 
echo "IdentityId: ".$id; 
?> 

我懷疑發生錯誤同時試圖獲得開發者身份。我錯過了什麼？

Answer 1

此錯誤背後的原因是可能沒有將策略附加到IAM用戶'測試人員'。 您可以附加IAM控制檯中已有的策略'AmazonCognitoDeveloperAuthenticatedIdentities'，該策略允許此用戶訪問Cognito API，包括'getOpenIdTokenForDeveloperIdentity'。