I am trying to build a solution where every customer that uses my service gets its own SQS queue (in my AWS account). So that a client can send messages to and read messages from its queue, I want to use Cognito with a single role whose policy uses a variable, because there is a limit on the number of roles a single account can have. I have created a Cognito user pool with an app, and also created the federated identity, role and policy, and linked everything together.

The policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessageBatch",
                "sqs:SendMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:XXXX:test-${cognito-identity.amazonaws.com:sub}",
                "arn:aws:sqs:us-east-1:XXXX:test"
            ]
        }
    ]
}
The test client code is:
// Setup not shown in the original snippet: SDK imports and the user pool the
// code reads the current user from. 'XXXX' are the poster's own placeholders.
const AWS = require('aws-sdk');
const { CognitoUserPool } = require('amazon-cognito-identity-js');
const userPool = new CognitoUserPool({ UserPoolId: 'XXXX', ClientId: 'XXXX' });

const cognitoUser = userPool.getCurrentUser();
if (!cognitoUser) {
    throw new Error('no signed-in user in the user pool');
}
cognitoUser.getSession((err, session) => {
    if (err) {
        console.log(`got error getting session. error: ${err}`);
        return;
    }
    console.log(`session token: ${session.getIdToken().getJwtToken()}`);
    const paramsCredentials = {
        IdentityPoolId: 'XXXX',
        Logins: {}
    };
    AWS.config.region = 'XXXX';
    // Map the user-pool issuer to the ID token so the identity pool can
    // exchange it for temporary AWS credentials under the authenticated role.
    paramsCredentials.Logins[
        `cognito-idp.${AWS.config.region}.amazonaws.com/XXXX`
    ] = session.getIdToken().getJwtToken();
    AWS.config.credentials = new AWS.CognitoIdentityCredentials(
        paramsCredentials
    );
    AWS.config.credentials.get(err => {
        if (err) {
            console.log(`got error - getting credentials. error: ${err}`);
            return; // the original fell through and called SQS with no credentials
        }
        // identityId has the form "<region>:<uuid>"
        const id = AWS.config.credentials.identityId;
        console.log('Cognito Identity ID ' + id);
        const sqs = new AWS.SQS({
            region: AWS.config.region
        });
        const params = {
            QueueName: 'test-9ea2b895-2971-4ee2-b372-451bf2b19731'
        };
        sqs.getQueueUrl(params, (err, data) => {
            if (err) {
                console.log(`got error getting url for queue, error: ${err}`);
            } else {
                console.log(`SQS url = ${data.QueueUrl}`);
            }
        });
    });
});
I get the error:

AWS.SimpleQueueService.NonExistentQueue: The specified queue does not exist or you do not have access to it.

But when I change the queue to the test queue, everything works. I have double-checked the sub and it is the correct id.

What am I doing wrong?
The ${cognito-identity.amazonaws.com:sub} IAM policy variable returns region:uuid, so your queue name would be test-us-east-1:9ea2b895-2971-4ee2-b372-451bf2b19731, which is an invalid SQS queue name (colons are not allowed). Therefore you cannot restrict access to a queue named after that identity, but you can create a policy that is limited to a specific set of users of the application.

Below is from the AWS blog Understanding Amazon Cognito Authentication Part 3: Roles and Policies:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessageBatch",
                "sqs:SendMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:XXXX:test"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:sub": [
                        "us-east-1:12345678-1234-1234-1234-123456790ab"
                    ]
                }
            }
        }
    ]
}
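As an added example (not code from the question, the answer or AWS), the following Node.js script makes the answer's two points concrete: it checks candidate queue names against the SQS naming rule, so the name the policy variable would produce is rejected because of the colon, and it builds the identity-allow-listed statement shown in the blog policy and evaluates a few requests against it. The evaluator is a simplified allow-only model of IAM (no Deny statements, no wildcards, no other condition operators). The account id and identity ids are constructed placeholders.

```javascript
// Added example; not code from the question, the answer or AWS. The account id
// and identity ids below are constructed placeholders.

// SQS naming rule: 1-80 characters, only letters, digits, hyphens and
// underscores; FIFO queues carry a ".fifo" suffix but the base name follows the
// same rule. A colon is never allowed, which is what breaks the policy variable.
const QUEUE_NAME_RE = /^[A-Za-z0-9_-]{1,80}$/;

function isValidSqsQueueName(name) {
  const base = name.endsWith('.fifo') ? name.slice(0, -5) : name;
  return name.length <= 80 && QUEUE_NAME_RE.test(base);
}

// ${cognito-identity.amazonaws.com:sub} expands to the identity id, "<region>:<uuid>".
function queueNameFromPolicyVariable(prefix, identityId) {
  return `${prefix}-${identityId}`;
}

// The alternative from the answer: allow the shared queue only to an explicit
// allow-list of Cognito identity ids via a StringEquals condition.
function buildIdentityScopedPolicy(queueArn, identityIds) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowListedIdentitiesOnly',
      Effect: 'Allow',
      Action: ['sqs:DeleteMessage', 'sqs:GetQueueUrl', 'sqs:DeleteMessageBatch', 'sqs:SendMessageBatch'],
      Resource: [queueArn],
      Condition: { StringEquals: { 'cognito-identity.amazonaws.com:sub': identityIds } },
    }],
  };
}

// Simplified allow-only evaluation: a request is permitted when some Allow
// statement lists the action and the exact resource ARN and every StringEquals
// key matches the request context. Real IAM also applies Deny statements,
// wildcards and other condition operators; those are out of scope here.
function isAllowedByPolicy(policy, request) {
  const contextValues = { 'cognito-identity.amazonaws.com:sub': request.sub };
  return policy.Statement.some((st) => {
    if (st.Effect !== 'Allow') return false;
    if (!st.Action.includes(request.action)) return false;
    if (!st.Resource.includes(request.resource)) return false;
    const equals = (st.Condition && st.Condition.StringEquals) || {};
    return Object.entries(equals).every(([key, allowed]) => {
      const list = Array.isArray(allowed) ? allowed : [allowed];
      return contextValues[key] !== undefined && list.includes(contextValues[key]);
    });
  });
}

// Walk-through with constructed values.
const IDENTITY_A = 'us-east-1:11111111-1111-1111-1111-111111111111';
const IDENTITY_B = 'us-east-1:22222222-2222-2222-2222-222222222222';
const QUEUE_ARN = 'arn:aws:sqs:us-east-1:000000000000:test';

function demo() {
  const fromVariable = queueNameFromPolicyVariable('test', IDENTITY_A);
  const policy = buildIdentityScopedPolicy(QUEUE_ARN, [IDENTITY_A]);
  return {
    fromVariable,                                   // "test-us-east-1:1111..." (contains a colon)
    variableNameValid: isValidSqsQueueName(fromVariable), // false
    allowedForA: isAllowedByPolicy(policy, { action: 'sqs:GetQueueUrl', resource: QUEUE_ARN, sub: IDENTITY_A }),
    allowedForB: isAllowedByPolicy(policy, { action: 'sqs:GetQueueUrl', resource: QUEUE_ARN, sub: IDENTITY_B }),
    receiveForA: isAllowedByPolicy(policy, { action: 'sqs:ReceiveMessage', resource: QUEUE_ARN, sub: IDENTITY_A }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see the policy-variable name rejected, the listed identity allowed on the shared queue, the other identity denied, and an action the statement does not grant (ReceiveMessage) denied even for the listed identity.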