3
votes

I am trying to implement developer authentication using the PHP SDK but keep getting this error:

Fatal error: Uncaught Aws\CognitoIdentity\Exception\CognitoIdentityException: AWS Error Code: AccessDeniedException, Status Code: 400, AWS Request ID: da162f98-fb50-11e4-937e-0bf2642a4752, AWS Error Type: client, AWS Error Message: User: arn:aws:iam::256661818246:user/tester is not authorized to perform: cognito-identity:GetOpenIdTokenForDeveloperIdentity on resource: arn:aws:cognito-identity:us-east-1:256661818246:identitypool/us-east-1:69767873-2de2-4cc7-a78f-3d18b5e9bf71, User-Agent: aws-sdk-php2/2.8.3 Guzzle/3.9.3 curl/7.20.0 PHP/5.3.6 thrown in /var/www/html/aws/Aws/Common/Exception/NamespaceExceptionFactory.php on line 91

This is my sample code:

<?php
session_start();

//Include AWS client libs
require (dirname(__DIR__).'/aws/aws-autoloader.php');
use Aws\CognitoIdentity\CognitoIdentityClient;
use Aws\Sts\StsClient;

/* Global Vars */
$aws_region = 'us-east-1';
$aws_key = '<AWS_KEY>';        // credentials of the IAM user making the call (user 'tester' in the error above)
$aws_secret = '<AWS_SECRET>';
$aws_account_id = '<AWS_ACCOUNT_ID>';
$identity_pool_id = 'us-east-1:xxxx-xxxx-xxxx-xxxx';

//Initialize a Cognito Identity Client using the Factory
$client = CognitoIdentityClient::factory(array(
    'region' => $aws_region,
    'key'    => $aws_key,
    'secret' => $aws_secret,
));

/* Acquire new Identity */
// The 'Logins' key is the developer provider name configured on the identity pool;
// the value is the application's own identifier for the authenticated user.
$identity = $client->getOpenIdTokenForDeveloperIdentity(array(
    'IdentityPoolId' => $identity_pool_id,
    'Logins'         => array('login.custom.traffic' => 'jkljkasdjk'),
));

//Obtain Identity from response data structure (the response also carries a 'Token')
$id = $identity->get('IdentityId');
echo "IdentityId: ".$id;
?>

I suspect the error occurs while trying to get the developer Identity. What am I missing?


1 Answer

5
votes

The reason behind this error is that there might be no policy attached to the IAM user 'tester'. You can attach an already existing policy 'AmazonCognitoDeveloperAuthenticatedIdentities' from the IAM console, which gives this user access to Cognito APIs including 'getOpenIdTokenForDeveloperIdentity' as well.
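A least-privilege alternative to the managed policy, as an added example that is not part of the question or the answer: it builds an inline policy granting only the one action the PHP script calls, pinned to the identity pool ARN quoted in the error message, and includes a simplified evaluator (ignores Condition, NotAction and NotResource) to show what the scoped policy does and does not grant. For an authoritative check of the real user, use `aws iam simulate-principal-policy`.

```python
import fnmatch
import json

# Taken from the error message in the question: the action that was denied and
# the identity pool it was attempted on.
IDENTITY_POOL_ARN = ("arn:aws:cognito-identity:us-east-1:256661818246:"
                     "identitypool/us-east-1:69767873-2de2-4cc7-a78f-3d18b5e9bf71")
ACTION = "cognito-identity:GetOpenIdTokenForDeveloperIdentity"


def least_privilege_policy(pool_arn):
    """Inline policy document granting only the developer-identity token call on one pool."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DeveloperIdentityTokenOnly",
            "Effect": "Allow",
            "Action": [ACTION],
            "Resource": pool_arn,
        }],
    }


def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then any matching Allow, else implicit deny.
    Wildcards '*' and '?' are honoured; actions match case-insensitively, ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
               and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = least_privilege_policy(IDENTITY_POOL_ARN)
    print(json.dumps(policy, indent=2))  # paste into an inline policy for user 'tester'
    # Constructed ARN of a second pool in the same account, to show the scoping holds.
    other_pool = IDENTITY_POOL_ARN.rsplit("/", 1)[0] + "/us-east-1:00000000-0000-0000-0000-000000000000"
    print(policy_allows(policy, ACTION, IDENTITY_POOL_ARN))  # True
    print(policy_allows(policy, ACTION, other_pool))          # False
```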