我正在尝试向AWS API Gateway发送经过身份验证的请求。客户端将针对Cognito您的用户池进行身份验证,然后从与用户池中已登录用户对应的关联Cognito Identity Pool中获取令牌。我试图使用Postman模拟这样的请求。
This post建议命令aws cognito-identity get-credentials-for-identity可用于获取Postman签署请求所需的AccessKeyId和SecretKey。但是,当我尝试使用Cognito User Pool控制台中的用户使用sub属性运行它时:
$ aws cognito-identity get-credentials-for-identity --identity-id aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ValidationException) when calling the GetCredentialsForIdentity operation: 1 validation error detected: Value 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' at 'identityId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w-]+:[0-9a-f-]+
$ aws cognito-identity get-credentials-for-identity --identity-id us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ResourceNotFoundException) when calling the GetCredentialsForIdentity operation: Identity 'us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found.
如果我尝试使用AWS控制台中显示的关联标识池中的标识ID(我选择了具有2个“链接登录”的标识),则会发生同样的情况。
您需要传递登录地图:
--logins (map)
A set of optional name-value pairs that map provider names to
provider tokens.
Shorthand Syntax:
KeyName1=string,KeyName2=string
JSON Syntax:
{"string": "string"
...}
这个语法对我有用:
aws cognito-identity get-credentials-for-identity \
--identity-id us-east-1:aaaa-bbb-ccc-bc54-rrrrrrr \
--logins graph.facebook.com=kdajbdjkabkjbkjbkdbsckslcjxb
注意:--identity-id不是身份池ID,它的身份来自身份浏览器。
API网关现在与“Cognito Your User Pool”进行本机集成,因此您可以直接传递身份令牌 - api gateway docs。您链接的帖子已过时