
How do I use AWS Cognito to make authenticated requests to an AWS service (i.e. CloudSearch) from a mobile device?

Updated: 2023-12-03 11:09:10


Requests to AWS APIs are authenticated via credentials. For almost all services, this authentication occurs via signature version 4, which uses an HMAC of the payload of the request signed with the access secret key portion of the credential.


For credentials that are vended as part of the Amazon Cognito authflow, a sessionKey is also included that has contextual information about the user that logged in. When the policies associated with those credentials are evaluated, variables can be replaced with these contextual values (e.g. cognito-identity.amazonaws.com:sub for the identity id) to determine if the credentials have the specified access.
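The signing step described in this answer, as an added example that is not part of the original answer: a Signature Version 4 header signer in Python for temporary credentials, where the session token travels in the `X-Amz-Security-Token` header and is covered by the signature. The host, query, credential values and the `cloudsearch` signing name in the demo are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, host, path, query, body, region, service,
                  access_key, secret_key, session_token, now=None):
    """Headers for a SigV4-signed request made with temporary credentials.

    `query` must already be canonical (URI-encoded, sorted by parameter name).
    """
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()

    # The session token is a signed header: altering it invalidates the signature.
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-security-token": session_token}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed, payload_hash])

    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    # Key derivation chain: the secret key itself is never sent, and the
    # derived key is only valid for this date, region and service.
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real search domain.
    for name, value in sigv4_headers(
            "GET", "search-example.us-east-1.cloudsearch.amazonaws.com",
            "/2013-01-01/search", "q=test", b"", "us-east-1", "cloudsearch",
            "ASIAEXAMPLEKEYID", "example-secret", "example-session-token").items():
        print(f"{name}: {value}")
```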