I have a working implementation of the AWS PHP SDK. Operations like $client->getUser() are working, but $client->adminCreateUser() and others are not working.
When I call $client->adminCreateUser([...]), it results in:
Error executing "AdminCreateUser" on "https://cognito-idp.ap-southeast-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.ap-southeast-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
MissingAuthenticationTokenException (client): Missing Authentication Token - {"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
Line 191 in /var/www/project/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php
Similar services evoked from CLI (e.g cognito-idp admin-create-user) with the exact same credentials are working.
What is causing this?
Example Details
My environment:
Ubuntu 18.04
Apache 2.4.29
PHP 7.3
aws/aws-sdk-php 3.92.3
.aws/credentials
[default]
aws_access_key_id=XXXX
aws_secret_access_key=XXXX
I am using my developer credentials
Example code:
$client = new CognitoIdentityProviderClient([
'version' => 'latest',
'region' => 'ap-southeast-2',
'credentials' => false, // Set to false to allow roles provisioned to our EC2 instances
]);
$result = $client->adminCreateUser([
'DesiredDeliveryMediums' => ['Email'],
'MessageAction' => 'RESEND',
'TemporaryPassword' => 'TemporaryPassword1234',
'UserAttributes' => [
['Name' => 'email', 'Value' => 'mailbox#domain.tld'],
],
'UserPoolId' => 'ap-southeast-2_XXXX',
'Username' => 'mailbox#domain.tld',
]);
You need to remove 'credentials' => false from your CognitoIdentityProviderClient configuration.
The adminCreateUser() operation requires a signed request (unlike operations like signUp(), which is why signUp() would work with an unsigned request but adminCreateUser() and other operations that require developer credentials won't)
From the AWS Docs
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#admincreateuser says
AdminCreateUser requires developer credentials.
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#credentials says
Pass false to use null credentials and not sign requests.
A request needs to be signed to provide developer credentials.
Related
I am doing project in Laravel. For storing images I am using aws-s3. My project working very well on godaddy server but not on digital ocean server. I am getting error as,
Aws\Sqs\Exception\SqsException: Error executing "ReceiveMessage" on "https://sqs.us-east-1.amazonaws.com/your-account-id/your-queue-name"; AWS HTTP error: Client error: `POST https://sqs.us-east-1.amazonaws.com/your-account-id/your-queue-name` resulted in a `403 Forbidden` response:
<?xml version="1.0"?><ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"><Error><Type>Sender</Type><Code>I (truncated...)
InvalidClientTokenId (client): The security token included in the request is invalid. - <?xml version="1.0"?><Err......
Here Is a code that I used for s3 setup in my project,
filesystem.php
's3' => [
'driver' => 's3',
'key' => '************',
'secret' => '***********',
'region' => 'ap-south-1',
'bucket' => 'xyz',
'options' => [
'ServerSideEncryption' => 'AES256',
]
]
.env
QUEUE_DRIVER=redis
I am getting this error irrespective of hitting any api. I don't know where I am going wrong. Thanks in advance.
Issue is documented under aws blog,
https://aws.amazon.com/premiumsupport/knowledge-center/security-token-expired/
Please check your credentials and appropriate roles / Policies attaches to roles to access S3.
I'm having a very peculiar issue with trying to connect to AWS SQS. When running this PHP code:
$client = SqsClient::factory(array(
'credentials' => [
'key' => 'somekey',
'secret' => 'somesecret'
],
'region' => 'eu-west-1',
'version' => 'latest'
));
$result = $client->receiveMessage(array(
'QueueUrl' => $queueUrl,
));
I'm getting this error:
PHP Fatal error: Uncaught exception 'Aws\Sqs\Exception\SqsException' with message 'Error executing "ReceiveMess
age" on "https://sqs.eu-west-1.amazonaws.com/189729872213/my-very-special-queue"; AWS HTTP error: Client error: 403 Inva
lidClientTokenId (client): This account is suspended - <?xml version="1.0"?><ErrorResponse xmlns="http://queue.a
mazonaws.com/doc/2012-11-05/"><Error><Type>Sender</Type><Code>InvalidClientTokenId</Code><Message>This account i
s suspended</Message><Detail/></Error><RequestId>aaf63243-6840-5b49-893a-7d66919c07da</RequestId></ErrorResponse
>'
But when I'm using boto (the Python equivalent of AWS PHP SDK) with the same credentials on the same machine it works fine! And the account is opened as expected, and I can access all the queues that are associated with it.
How can I make the PHP code work? What should I be checking?
I am trying to configure the the amazon cloud front, I have successfully created clouldflayer url and access private s3 bucket from it via console. Now I am trying to do it by php-sdk for that I have tried following code
use Aws\CloudFront\CloudFrontClient;
$cle = new CloudFrontClient([
'version' => 'latest',
'region' => 'us-west-2',
'credentials.ini' => [
'key' => 'credentials\pk-myKey.pem',
'secret' => 'secret',
],
]);
$result = $cle->getCloudFrontOriginAccessIdentity([
'Id' => '****', // REQUIRED
]);
print_r($result);
but I am getting error
Fatal error: Uncaught exception 'Aws\CloudFront\Exception\CloudFrontException' with message 'Error executing "GetCloudFrontOriginAccessIdentity" on "https://cloudfront.amazonaws.com/2015-04-17/origin-access-identity/cloudfront/SDF345G";
AWS HTTP error: Client error: 403 SignatureDoesNotMatch (client): Credential should be scoped to a valid region, not 'us-west-2'. -
and I have tried all reason one by one but its not working
Credential should be scoped to a valid region, not 'us-west-2'.
Unlike most of AWS, CloudFront is not a regional service, it's a global one, configured and managed through us-east-1, regardless of the region where any of the related services (S3, EC2, etc.) are deployed.
'region' => 'us-east-1',
I've migrated servers and updated AWS phar, however once i've done that i'm getting the following error:
Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Missing required client configuration options: version: (string) A "version" configuration value is required. Specifying a version constraint ensures that your code will not be affected by a breaking change made to the service. For example, when using Amazon S3, you can lock your API version to "2006-03-01". Your build of the SDK has the following version(s) of "email": * "2010-12-01" You may provide "latest" to the "version" configuration value to utilize the most recent available API version that your client's API provider can find. Note: Using 'latest' in a production application is not recommended. A list of available API versions can be found on each client's API documentation page: http://docs.aws.amazon.com/aws-sdk-php/v3/api/index.html. If you are unable to load a specific API version, then you may need to update your copy of the SDK.' in phar:////includes/3rdparty/aws/aws.phar/Aws/ in phar:////includes/3rdparty/aws/aws.phar/Aws/ClientResolver.php on line 328
I've tried adding it via different method and looking into the actual documentation without any luck.
Here's my code right now:
$client = SesClient::factory(array(
'user' => 'uuuuu',
'key' => 'aaaaa',
'secret' => 'bbbb',
'region' => 'us-east-1',
));
$client->version("2010-12-01");
//Now that you have the client ready, you can build the message
$msg = array();
//more code after this...
Any help would be appreciated!
Apparenty, the 'version' field is mandatory now, so you must pass it to the factory.
Source: http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/migration.html
// Instantiate the client with your AWS credentials
$client = SqsClient::factory(array(
'credentials' => $credentials,
'region' => 'us-east-1',
'version' => '2012-11-05'
));
I'm in the process of migrating from Amazon S3 to Google Storage and I can't seem to get my credentials to work. Here's some sample code that I put together to test my credentials:
$client = new S3Client([
'credentials' => [
'key' => 'GOOGxxxxxxxxxxxxxxx',
'secret' => 'ZfcOTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
],
'region' => 'US',
'version' => 'latest',
'endpoint' => 'https://storage.googleapis.com',
]);
try {
$result = $client->putObject(array(
'Bucket' => 'devtest',
'Key' => 'test',
'Body' => 'Hello world'
));
echo $result['ObjectURL'];
} catch (\Aws\S3\Exception\S3Exception $e) {
// The AWS error code (e.g., )
echo $e->getAwsErrorCode() . "\n";
// The bucket couldn't be created
echo $e->getMessage() . "\n";
}
Here's what I get back:
InvalidSecurity Error executing "PutObject" on "https://storage.googleapis.com/devtest/test"; AWS HTTP error: Client error response [url] https://storage.googleapis.com/devtest/test [status code] 403 [reason phrase] Forbidden InvalidSecurity (client): The provided security credentials are not valid. - InvalidSecurityThe provided security credentials are not valid.
Incorrect Authorization header
I've tried googling 100 different combinations of this issue and can't find anything. I have Interoperability enabled, at least I think I do since I don't think I can get the key/secret without it being enabled first. And I have the Google Storage API enabled.
Any help would be greatly appreciated.
Edit: here's the Authentication Header in case that helps:
AWS4-HMAC-SHA256
Credential=GOOGGUxxxxxxxxxxx/20150611/US/s3/aws4_request,
SignedHeaders=host;x-amz-content-sha256;x-amz-date,
Signature=9c7de4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I noticed it stays "aws4_request" even when I specify 'signature' => 'v2'. Not sure if that matters.
I took a look at the S3Client code and it doesn't use the 'signature' config key as far as I can tell. The only thing I found was 'signature_version' which when set to v2, I get this error:
Unable to resolve a signature for v2/s3/US. Valid signature versions include v4 and anonymous.
I'm using Laravel 5.1 with composer package aws/aws-sdk-php version 3.0.3
Any ideas?
S3 only supports v4 signatures, and this requirement is enforced by the PHP SDK. It seems that Google Cloud Storage only supports v2 signing, so you wouldn't be able to use the same library to talk to both. Google does provide their own PHP SDK, which might make talking to Cloud Storage a bit easier.