Error: error configuring Terraform AWS Provider:

error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 95e52463-8cd7-038-b924-3a5d4ad6ef03, api error InvalidClientTokenId: The security token included in the request is invalid. with provider["registry.terraform.io/hashicorp/aws"], on provider.tf line 1, in provider "aws": 1: provider "aws" {

I have only two files.

1. instance.tf

resource "aws_instance" "web" {
  ami           = "ami-068257025f72f470d"
  instance_type = "t2.micro"
    
  tags = {
    Name = "instance_using_terraform"
  }
}

2. provider.tf

provider "aws" {
  region = "ap-east-1"
  access_key = "xxxx"
  secret_key = "xxxx/xxx+xxx"
}

May be Your passed AWS configure region is different from your terraform provider region e.g: us-east-1 in AWS configure, us-east-1a in terraform provider region.

Please change those regions to the same.

In mycase this issue is because your system date/time is wrong.

Set Time for my centos8 OS through following command

timedatectl status timedatectl set-time HH:MM:SS

it will throw error saying "Failed to set time: NTP unit is active“. if you already have set NTP service on your machine"

Then use below command to configure NTP

sudo timedatectl set-local-rtc true

sudo timedatectl set-ntp false

sudo timedatectl set-time "yyyy-MM-dd hh:mm:ss"

timedatectl list-timezones

sudo timedatectl set-timezone Europe/Zagreb

sudo timedatectl set-ntp yes

In my test environment I was using the root users access and secret access key which did not work. After creating a dedicated user the error did not occur anymore.

In detail I did the following steps:

Created a user called terraform here Created a new group Administrators with attached permissions Administrator Access by following the wizard Copied access key and secret access key to ~/. aws /credentials aws access key =xxx aws secret access key=xxx Created ~/.aws/config [default] region=us-west-2

Make sure to use the default region specified for your AWS IAM account

provider "aws" {
  region     = "eu-north-1" # < --- here 
  access_key = "**************"
  secret_key = "**************"
}

Check .aws folder(CONFIG FILE). Try this

aws sts get-caller-identity

{
    "UserId": "AIDAYMYFUCQM7K2RD9DDD",
    "Account": "111147549871",
    "Arn": "arn:aws:iam::111147549871:user/myself"
}

Also show us your main.tf file and where and how you define access.

Made mistake in the region where I declared entered the wrong namecode of region and access key - secret key '+' and '/' generating the error due to some symbols, you just need to try the new key till the access key contains only alphabetical string. (Symbols are lmao).

For me, I had to update my provider version. Went through all the suggestions here, but none worked. My required_providers version was 4.67.0, but updating it to 5.0 on my .tf file required I update the locked dependency selections to match a changed configuration by running "terraform init -upgrade" command. And that did it for me.

In case anyone comes across this issue, I found that the workspace I was working in had environment variables set in Terraform Cloud for the AWS credentials. These were taking precedence over my local credentials and needed to be refreshed.

For anyone who might hit this error

Error: configuring Terraform AWS Provider: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 400 ... api error IncompleteSignature: ....  not a valid key=value pair  

Check that your credentials file doesn't contain any trailing spaces, eg at the end of lines. AWS is quite happy to strip these and works fine, Terraform doesn't! Took me way to long to track that one down.

In my case, I was demonstrating with the Credentials and files I downloaded from GitHub. I didn't change the credentials to my own. (Both the Access Key and the Secret Key). I changed it and it worked! I was on it for several weeks trying to figure what could have happened.

In my case it was because I had disabled the regions in the account I was trying to generate a plan. To see the list of enabled/disabled regions, you can go here: https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1#/account?AWS-Regions

In my case we were using multiple provider blocks in multiple AWS regions with the same profile as this:

provider "aws" {
  alias   = "prod01"
  region  = "us-east-1"
  profile = "prod"
}

provider "aws" {
  alias   = "prod02"
  region  = "eu-central-1"
  profile = "prod"
}

The fix was to have two AWS profile mapped to each provider not just one.

For example you would have to configure two AWS profiles for each region using aws configure --profile <profile_name> twice, or saml2aws login --region us-east-1 --profile prod-us-east-1 and again saml2aws login --region eu-central-1 --profile prod-eu-central-1

then modify your terraform code to use the correct profile:

provider "aws" {
  alias   = "prod01"
  region  = "us-east-1"
  profile = "prod-us-east-1"
}

provider "aws" {
  alias   = "prod02"
  region  = "eu-central-1"
  profile = "prod-eu-central-1"
}

Check your access key is active or not. If it is active and reconfigure using aws configure and change the region from default to ap-east-1

May this work!!

Please create new user with full admin access and then click on application use outside ec2 instance. This may work in your case.

I think is because of the zone you have put in your terraform script. I know that you can see the availability region in the EC2 console in AWS.

In my case, the error was because I didn't have a default configuration declaration. When I created it, it all worked.