
I want to make a request to an AWS ElasticSearch instance. The instance has access control to allow access to one or more AWS accounts or IAM users. The role represents a Cognito Identity pool that has a Cognito User Pool as authentication source.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::***:role/Cognito_ElasticSearchAuth_Role"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:***:domain/asd-es-public/*"
    }
  ]
}

When I try to sign a request I get

data "{\"message\":\"The security token included in the request is invalid.\"}"

Here is the request

const proxyAgent = new HttpsProxyAgent('http://wwwproxy.***.com:***');

public async deleteAllIndices() {
    return new Promise((resolve, reject) => {
        https
            .request(
                aws4.sign(
                    {
                        hostname:
                            'search-asd-es-public-***.eu-west-1.es.amazonaws.com',
                        path: '/something',
                        method: 'GET',
                        agent: proxyAgent,
                    },
                    {
                        secretAccessKey: 'testuser',
                        accessKeyId: 'TestPw_1',
                    },
                ),
                (res) => {
                    res.setEncoding('utf8');
                    logger.info('statusCode:', res.statusCode);

                    res.on('data', (d) => {
                        logger.info('data', d);
                        resolve(res);
                    });
                },
            )
            .on('error', (e) => {
                logger.info(e.message);
                logger.info('error');
                reject(e);
            })
            .end();
    });
}
Ersoy
user1283776
    How are you logging your user in to your Cognito User Pool? – hephalump Sep 03 '19 at 00:43
    I had got the same error when I used Cognito pool with Elastic Search (although was generating tokens differently from the above). I was successful only with DynamoDB and S3 – Shivankar Sep 04 '19 at 19:18
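
The role named in the access policy is used through temporary credentials, which have three parts: an access key ID, a secret access key and a session token. As an added example (not code from the question or from the aws4 library), the following signs a request with Signature Version 4 using only Node.js built-ins and shows where the session token enters the signature; `signEsRequest`, the hostname and all credential values are constructed for illustration.

```javascript
// Added example: SigV4 for an Elasticsearch domain using role (temporary) credentials.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();

// Assumes a body-less request whose path needs no URI encoding and has no query string.
function signEsRequest({ hostname, path, method, region }, creds, now = new Date()) {
  // Credentials for an assumed role have three parts; a missing one fails here, not at AWS.
  for (const k of ['accessKeyId', 'secretAccessKey', 'sessionToken']) {
    if (!creds[k]) throw new Error(`credentials are missing ${k}`);
  }
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20190903T004300Z
  const date = amzDate.slice(0, 8);
  const headers = {
    host: hostname,
    'x-amz-date': amzDate,
    'x-amz-security-token': creds.sessionToken, // sent with the request and signed
  };
  const names = Object.keys(headers).sort();
  const signedHeaders = names.join(';');
  const canonicalRequest = [
    method,
    path,
    '', // empty canonical query string
    names.map((n) => `${n}:${headers[n]}\n`).join(''),
    signedHeaders,
    sha256(''), // hash of the empty body
  ].join('\n');
  const scope = `${date}/${region}/es/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256(canonicalRequest)].join('\n');
  // Signing key: HMAC chain over date, region, service and the fixed terminator.
  const key = [date, region, 'es', 'aws4_request'].reduce(hmac, `AWS4${creds.secretAccessKey}`);
  const signature = hmac(key, stringToSign).toString('hex');
  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { hostname, path, method, headers };
}

// Constructed sample values, not real credentials or a real domain.
const sample = signEsRequest(
  { hostname: 'search-example.eu-west-1.es.amazonaws.com', path: '/something', method: 'GET', region: 'eu-west-1' },
  { accessKeyId: 'ASIAEXAMPLEEXAMPLE00', secretAccessKey: 'constructed-secret', sessionToken: 'constructed-token' },
  new Date('2019-09-03T00:43:00Z'),
);
console.log(sample.headers);
```

`aws4.sign` accepts the same three fields, `sessionToken` included, in its credentials argument.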

0 Answers