对AWS API的请求通过凭据进行身份验证。对于几乎所有服务，此身份验证都是通过签名版本4 ，它使用用凭据的访问秘密密钥部分签名的请求有效负载的HMAC。

Requests to AWS APIs are are authenticated via credentials. For almost all services, this authentication occurs via signature version 4, which uses an HMAC of the payload of the request signed with the access secret key portion of the credential.

作为 Amazon Cognito authflow 的一部分出售，sessionKey是还包括具有有关登录用户的上下文信息的信息。评估与那些凭据关联的策略时，可以将变量替换为这些上下文值（例如， cognito-identity.amazonaws.com:sub 身份ID），以确定凭据是否具有指定的访问权限。

For credentials that are vended as part of the Amazon Cognito authflow, a sessionKey is also included that has contextual information about the user that logged in. When the policies associated with those credentials are evaluated, variables can be replaced with these contextual values (e.g. cognito-identity.amazonaws.com:sub for the identity id) to determine if the credentials have the specified access.