 

MissingAuthenticationTokenException ("Missing Authentication Token") from CognitoIdentityProviderClient::adminCreateUser()

I have a working implementation of the AWS PHP SDK. Operations like $client->getUser() are working, but $client->adminCreateUser() and others are not working.

When I call $client->adminCreateUser([...]), it results in:

Error executing "AdminCreateUser" on "https://cognito-idp.ap-southeast-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.ap-southeast-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
 MissingAuthenticationTokenException (client): Missing Authentication Token - {"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}

Line 191 in /var/www/project/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php

Similar services invoked from the CLI (e.g. cognito-idp admin-create-user) with the exact same credentials are working.

What is causing this?


Example Details

My environment:

  • Ubuntu 18.04
  • Apache 2.4.29
  • PHP 7.3
  • aws/aws-sdk-php 3.92.3

.aws/credentials

[default]
aws_access_key_id=XXXX
aws_secret_access_key=XXXX

I am using my developer credentials.

Example code:

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;

$client = new CognitoIdentityProviderClient([
    'version' => 'latest',
    'region' => 'ap-southeast-2',
    'credentials' => false, // Set to false to allow roles provisioned to our EC2 instances
]);

$result = $client->adminCreateUser([
    'DesiredDeliveryMediums' => ['EMAIL'], // the API accepts 'SMS' and 'EMAIL'
    'MessageAction' => 'RESEND',
    'TemporaryPassword' => 'TemporaryPassword1234',
    'UserAttributes' => [
        ['Name' => 'email', 'Value' => '[email protected]'],
    ],
    'UserPoolId' => 'ap-southeast-2_XXXX',
    'Username' => '[email protected]',
]);
jakxnz asked Apr 29 '19 04:04


1 Answer

You need to remove 'credentials' => false from your CognitoIdentityProviderClient configuration.

The adminCreateUser() operation requires a signed request (unlike operations like signUp(), which is why signUp() would work with an unsigned request but adminCreateUser() and other operations that require developer credentials won't).

From the AWS Docs

https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#admincreateuser says

AdminCreateUser requires developer credentials.

https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#credentials says

Pass false to use null credentials and not sign requests.

A request needs to be signed to provide developer credentials.

jakxnz answered Oct 23 '22 04:10
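
A corrected client setup with a pre-flight check, as an added example that is not part of the original answer. `clientCanSign()` is a hypothetical helper and `user@example.com` is a constructed value; the example relies on the SDK's default credential chain, which still picks up roles attached to EC2 instances.

```php
<?php
// Added example. Assumes aws/aws-sdk-php v3 installed via Composer.
require 'vendor/autoload.php';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\Exception\CredentialsException;

/**
 * Hypothetical helper: true when the client resolves real credentials
 * and can therefore sign requests.
 */
function clientCanSign(CognitoIdentityProviderClient $client): bool
{
    try {
        // getCredentials() returns a promise; wait() resolves the provider chain.
        $creds = $client->getCredentials()->wait();
    } catch (CredentialsException $e) {
        // The chain found nothing: no environment variables, profile, or role.
        return false;
    }
    // 'credentials' => false yields null (empty) credentials and unsigned requests.
    return (string) $creds->getAccessKeyId() !== '';
}

// No 'credentials' key: the SDK uses its default provider chain
// (environment variables, the shared credentials file, then the
// container or EC2 instance role).
$client = new CognitoIdentityProviderClient([
    'version' => 'latest',
    'region'  => 'ap-southeast-2',
]);

// Fail early with a clear message instead of a 400 from the service.
if (!clientCanSign($client)) {
    throw new RuntimeException(
        'No AWS credentials resolved; AdminCreateUser would be sent unsigned.'
    );
}

$result = $client->adminCreateUser([
    'UserPoolId'             => 'ap-southeast-2_XXXX', // placeholder from the question
    'Username'               => 'user@example.com',    // constructed value
    'DesiredDeliveryMediums' => ['EMAIL'],
    'UserAttributes'         => [
        ['Name' => 'email', 'Value' => 'user@example.com'],
    ],
]);
```

When the script runs under Apache, the shared credentials file is looked up in the web server user's home directory, so the pre-flight check also catches the case where the CLI works for your login user but the PHP process resolves no credentials.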