How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?

37

224

I cd into the directory where all the pem/key files are and run the following:

aws iam upload-server-certificate \
    --server-certificate-name certificate_name \
    --certificate-body file://webservercertificate.pem \
    --private-key file://server.key \
    --certificate-chain file://certificate_chain_file.pem

I get the following error:

A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.

I have 1 'user' in 'users'. That user has been assigned the following permissions:

IAMFullAccess IAMReadOnlyAccess IAMUserSSHKeys

I've downloaded the credentials for this user and put them into my user variables

AWS_ACCESS_KEY ****
AWS_SECRET_KEY ****

I have 1 role on my elastic beanstalk aws-elasticbeanstalk-ec2-role

Kinson answered 3/1, 2016 at 22:23 Comment(10)
Possible duplicate of Uploading SSL certificates TO IAM – Erdmann
Can you do other aws iam actions successfully? It sounds like you are using invalid credentials to access the service. – Carrel
I do not think your error has anything to do with certs. Your credentials are invalid or do not have privileges. Can you run aws iam list-users and see if you get an output or the same error? – Distinctly
Are you running this command from an ec2 instance which has roles? If yes, make sure the role policy has IAM permissions to upload the certificate. From the error the token is invalid; the token is generated when you are using IAM roles or using the AWS STS service. – Printmaking
Hi HelloV, nope, when I run your command I get 'A client error (InvalidClientTokenId) occurred when calling the ListUsers operation: The security token included in the request is invalid.' – Kinson
Hi Vineeth, my ec2 has 1 role 'aws-elasticbeanstalk-ec2-role' and I've assigned that role the following permissions: IAMFullAccess, IAMReadOnlyAccess, IAMUserSSHKeys. No success I'm afraid. – Kinson
#29256678 – Kinson
Possible duplicate of AWS : The config profile (MyName) could not be found – Kelt
The fix for me was to just make sure I was setting the AWS_DEFAULT_REGION (in addition to AWS_ACCESS_KEY and AWS_SECRET_KEY), which it doesn't look like you were doing. – Arteritis
For those of you using nextflow, don't forget to change out your profiles.awsbatch.accessKey and profiles.awsbatch.secretKey if you created new key(s) in exchange for old one(s). – Pledget
130

I had the same error, even after re-running aws configure, and inputting a new AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

What fixed it for me was to delete my ~/.aws/credentials file and re-run aws configure.

It seems that my ~/.aws/credentials file had an additional value, aws_session_token, which was causing the error. After deleting and re-creating the ~/.aws/configure using the command aws configure, there are now only values for aws_access_key_id and aws_secret_access_key.

Hypersensitize answered 29/10, 2020 at 13:45 Comment(3)
To add to the above, the token expires. That's why re-creating it worked :) – Gmur
Removing the aws_session_token did the trick, thanks! I'm not sure why the token stays there if it's invalid. Anyways, thank you so much! – Rectilinear
Kept getting this error, but turns out I had an outdated (and deleted) key ID and access key set as environment variables, taking precedence over the ~/.aws/credentials creds – Onder
99

If you're using the CLI with MFA, you have to set the session token in addition to setting the access and secret keys. Please refer to this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Soapberry answered 3/11, 2017 at 14:56 Comment(6)
What would you recommend if running get-session-token results in the same error (InvalidClientTokenId)? – Watanabe
@PrasanthLouis and @png, do I have to update my \.aws\credential with the generated keys? According to the web link, it looks like updating by command line input... – Galsworthy
get-session-token was failing for me because I still had the environment variables AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN set. These should be unset first or AWS will try to use them implicitly and fail because they're invalid. – Avram
Had to do set AWS_ACCESS_KEY_ID=, set AWS_SECRET_ACCESS_KEY=, set AWS_SESSION_TOKEN= and then aws configure again. Now it is working again. Thank you – Greatniece
Just had a colleague lose 4 hours on this by accidentally creating the user in "IAM Identity Center" instead of "IAM Management Console" (which, aside from having similar names, look very similar as well). Make sure you use the latter for CLI access! – Bondwoman
From docs.aws.amazon.com/cli/latest/reference/sts/…: --token-code (string): The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an "access denied" response when requesting resources that require MFA authentication. – Ratchford
67

Try to go to the security credentials on your account page: Click on your name in the top right corner -> My security credentials

Then generate access keys over there and use those access keys in your credentials file (aws configure)

Gott answered 13/12, 2016 at 21:45 Comment(3)
I am using circleCI to run a task in AWS ECS. I got this error and this seems to work. But why aren't the access key id and secret access key of a user with programmatic access and just enough permissions enough to deploy to AWS ECS? – Retrospection
I do not see My security credentials when clicking on my username on the top right corner. All I see are Account, Organization, Service Quotas, Billing Dashboard, Switch Role, Signout. – Threecolor
Upon checking my access key (through security credentials as per this answer) I saw it was somehow deactivated. After activating it back the error was resolved for me. – Lusatian
58

If you have been given a Session Token also, then you need to manually set it after configure:

aws configure set aws_session_token "<<your session token>>"
Ermelindaermengarde answered 3/4, 2020 at 18:36 Comment(6)
How do I get that token? – Sammons
@Ermelindaermengarde just mentioning "<<your session token>>" does not make any sense, you have to explain the process to get the session token as asked by Nachokhan – Photoplay
@Sammons you can go to your .aws directory (on mac it's ~/.aws) and do ls -ltrh; you can see a file called "credentials", and in that file you will get the aws_session_token. Example:
    aws_access_key_id = XXXXXXXXXXXXX
    aws_secret_access_key = XXXXXXXXXXXXX
    aws_session_token = XXXXXXXXXXXXX
    aws_security_token = XXXXXXXXXXXXX
    x_principal_arn = arn:aws:sts::XXXXXXXXXXXXX:assumed-role/XXXXXXXXXXXXX/gourabp@XXXXXXXXXXXXX
– Photoplay
More documentation here: docs.aws.amazon.com/sdkref/latest/guide/file-location.html – Photoplay
Thanks, it helped. I had to manually specify the session token – Fess
This is the real answer. If you look at your C:/users/user/.aws/credentials file, you'll notice that after running this command, aws_session_token will have been added to the default profile. The default profile is what is configured when running aws configure – Galleywest
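The MFA flow from Soapberry's answer, combined with the aws_session_token point from this answer, as an added example (not code from either answer or from AWS): fetch temporary credentials with sts get-session-token and store all three values in a separate named profile, so the long-lived key in [default] is never mixed with a temporary token. It assumes a POSIX shell and the AWS CLI; the MFA device ARN form, the profile name mfa and all values in the test file are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Store MFA temporary credentials in their own
# profile so a stale session token never ends up next to a long-lived key.

# Replace (or append) the section [name] in an AWS credentials file. Written in
# plain shell rather than `aws configure set` so it also runs without the CLI;
# the layout is the ini format the CLI reads.
write_profile() {
    file=$1; name=$2; key_id=$3; secret=$4; token=$5
    tmp="$file.tmp"
    # keep everything except an existing [name] section
    awk -v name="$name" '
        /^\[.*\]$/ { skip = ($0 == ("[" name "]")) }
        !skip { print }
    ' "$file" > "$tmp" 2>/dev/null || : > "$tmp"
    {
        cat "$tmp"
        printf '[%s]\n' "$name"
        printf 'aws_access_key_id = %s\n' "$key_id"
        printf 'aws_secret_access_key = %s\n' "$secret"
        # Temporary credentials are only valid together with their session token;
        # an STS key pair sent without it is rejected with InvalidClientTokenId.
        if [ -n "$token" ]; then
            printf 'aws_session_token = %s\n' "$token"
        fi
    } > "$file.new"
    mv "$file.new" "$file"
    rm -f "$tmp"
}

# Read one value back from a section (used to check what was written).
read_profile_value() {
    awk -v name="$2" -v key="$3" '
        /^\[.*\]$/ { in_sec = ($0 == ("[" name "]")); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Exchange the long-lived [default] key plus a current MFA code for temporary
# credentials and save them as profile "mfa". Placeholder ARN form:
#   arn:aws:iam::<account-id>:mfa/<user>
mfa_login() {
    serial=$1
    code=$2
    creds=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
    # Leftover variables from an earlier session take precedence over the file
    # and make get-session-token itself fail, so clear them first.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
    aws sts get-session-token --profile default \
        --serial-number "$serial" --token-code "$code" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text |
    {
        read -r key_id secret token || return 1
        write_profile "$creds" mfa "$key_id" "$secret" "$token"
    }
    # Confirm the temporary credentials are accepted before using them elsewhere.
    aws sts get-caller-identity --profile mfa
}
```

Call it as mfa_login arn:aws:iam::<account-id>:mfa/<user> 123456 and then pass --profile mfa (or export AWS_PROFILE=mfa) to later commands. The long-lived key stays in [default] and only the STS output carries a session token, so the two can no longer be confused; when the token expires, rerun mfa_login and the [mfa] section is rewritten in place.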
29

In my case, there were two different 'AWS_SECRET_ACCESS_KEY' and 'AWS_ACCESS_KEY_ID' values set: one through the Windows environment variables and one through the command line.

So, update these two and the default region using the command line:

> aws configure

Press enter and follow the steps to fill in the correct AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION.

> aws sts get-caller-identity

should return the newly set credentials.

Finkle answered 20/12, 2019 at 14:34 Comment(1)
Thank you, removing the environment variables worked for me. – Cathryncathy
25

If switching from temporary IAM role credentials to IAM user credentials, ensure AWS_SESSION_TOKEN, which is only used for temporary credentials, is no longer set:

unset AWS_SESSION_TOKEN # unset environment variable
Superb answered 12/8, 2020 at 0:16 Comment(3)
That did it for me. But also I had to manually update my ~/.aws/credentials file. For some reason it wasn't updating with new credential values. – Kirin
That line of thinking did it for me too - the token that had somehow snuck into ~/.aws/credentials wasn't needed. Only after removing the file, logging in again worked. Presumably just clearing the token from the file would've done it too. – Jacquetta
Works for me. I had export AWS_ACCESS_KEY_ID=test and export AWS_SECRET_ACCESS_KEY=test in my zshrc file, which caused an issue – Deidredeific
18

I had to specify the AWS profile to use, --profile default, explicitly to get rid of this error while running AWS CLI commands. I could not understand, though, why it did not pick up this profile automatically, as there was only a [default] profile present in my aws config and credentials files.

I hope this helps.

Cheers, Kunal

Coffee answered 17/6, 2020 at 11:29 Comment(1)
I have multiple profiles in my ~/.aws/config file. The error goes away when I run aws iam list-server-certificates --profile another-profile – Antione
13

Try to export the correct profile, i.e. $ export AWS_PROFILE="default". If you only have a default profile, make sure the keys are correct and rerun aws configure.

Kathie answered 18/7, 2019 at 2:9 Comment(0)
9

Similar to Pat's response, check your environment variables, particularly AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN.

Try unsetting them: unset VAR_NAME

To see what variables are set, try env | grep AWS and expect something like:

AWS_REGION=ap-southeast-2
AWS_PAGER=
AWS_SECRET_ACCESS_KEY=...
AWS_ACCESS_KEY_ID=...
AWS_SESSION_TOKEN=...
AWS_SECURITY_TOKEN=...
Saturant answered 15/4, 2021 at 5:14 Comment(1)
To return only environment variables that start with "AWS", you can use the caret symbol, e.g. env | grep ^AWS. Most (if not all) "AWS" environment variables start with AWS, so this can help filter out other rubbish that clutters your console. – Michelson
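A shell audit that ties together the three fixes given in the answers above (Hypersensitize: a stale aws_session_token left in ~/.aws/credentials; Superb: unset AWS_SESSION_TOKEN; Saturant: env | grep AWS). This is an added example, not code from any answer in the thread; it assumes a POSIX shell and the standard ini layout of the credentials file, and the credentials file it inspects in demo is constructed in a temp directory with placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: find out which credential source the AWS
# CLI/SDKs will actually use and flag a stale session token.

# AWS_* variables currently exported. These take precedence over
# ~/.aws/credentials, so a token set hours ago silently overrides a profile
# that was just rewritten with `aws configure`.
aws_env_vars() {
    env | grep '^AWS_' | cut -d= -f1 | sort
}

# Names of the temporary-credential variables that are set. Either one paired
# with a long-lived IAM user key produces InvalidClientTokenId.
stale_token_vars() {
    for v in AWS_SESSION_TOKEN AWS_SECURITY_TOKEN; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then echo "$v"; fi
    done
}

# Profiles in a credentials file that still carry an aws_session_token line.
# A long-lived key next to an old token is the leftover several answers found.
profiles_with_session_token() {
    awk '
        /^\[.*\]$/ { profile = substr($0, 2, length($0) - 2) }
        /^[[:space:]]*aws_session_token[[:space:]]*=/ && profile != "" { print profile }
    ' "$1"
}

# The definitive check, only where the CLI is installed: which identity the
# current credential chain resolves to.
whoami_aws() {
    if ! command -v aws >/dev/null 2>&1; then
        echo "aws CLI not installed; skipping get-caller-identity"
        return 0
    fi
    aws sts get-caller-identity
}

# Demo on a constructed credentials file (placeholder values in a temp dir).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLESTALETOKEN
[clean]
aws_access_key_id = AKIAEXAMPLE000000002
aws_secret_access_key = EXAMPLESECRET2
EOF
    echo "AWS_* variables in the environment:"
    aws_env_vars
    echo "stale token variables to unset:"
    stale_token_vars
    echo "profiles carrying a session token (remove the line or refresh the token):"
    profiles_with_session_token "$tmp/credentials"
    rm -rf "$tmp"
}

demo
```

Point profiles_with_session_token at the real file ($HOME/.aws/credentials) to audit your own setup, unset whatever stale_token_vars lists, and finish with whoami_aws: if get-caller-identity returns an ARN, the credential chain is clean and the remaining question is purely one of permissions.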
6

This happened to me when using the Java SDK. The problem for me was I wasn't using the session token from the assumed role.

Working code example (in Kotlin):

        import com.amazonaws.auth.AWSStaticCredentialsProvider
        import com.amazonaws.auth.BasicSessionCredentials
        import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder
        // Temporary credentials from an assumed role need all three parts: key id, secret and session token
        val identityUserPoolProviderClient = AWSCognitoIdentityProviderClientBuilder
            .standard()
            .withCredentials(AWSStaticCredentialsProvider(BasicSessionCredentials("accessKeyId", "secretAccessKey", "sessionToken")))
            .build()
Microscopic answered 20/2, 2019 at 10:9 Comment(0)
5
  1. Click on your username in the top nav, My Security Credentials
  2. Click on Access Key Tab, Create New, copy the key and secret.
  3. From the terminal run $ aws configure and use the new key and secret.
  4. Run the command again:

    serverless invoke local --function create --path mocks/create-event.json
    
Lurlenelurline answered 30/11, 2018 at 22:39 Comment(1)
After enabling MFA, creating a new access key and using it with aws configure was the solution. Then I could get "aws sts get-caller-identity" containing the MFA arn, and "aws sts get-session-token --serial-number XXX --token-code YYY" was successful – Androus
5

This can also happen when you have disabled MFA. There will be an old long-term entry in the AWS credentials file.

Edit the file manually with the editor of your choice, here using vi (please back up before):

vi ~/.aws/credentials

Then remove the [default-long-term] section. As a result, in a minimal setup there should be one section [default] left with the actual credentials.

[default-long-term]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_mfa_device = ...
Underpass answered 26/11, 2020 at 1:3 Comment(0)
4

For anyone who is getting this error when using AWS SDK on the Cloud9 editor, the problem could be due to the AWS-managed temporary credentials which might restrict what the identity (the AWS-managed temporary credentials which AWS sets for you) can do.

If you run cat ~/.aws/credentials you will see a profile already created for you, and this also lists the session token. Note: this is managed by AWS and cannot be modified/deleted.

A get-around is turning off the AWS-managed temporary credentials. Here is some info on how these temporary credentials are managed and how you can turn them off: https://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html#auth-and-access-control-temporary-managed-credentials. Once you discontinue using the AWS-managed credentials, and re-run the above command (cat ~/.aws/credentials), you will notice that the file is empty. Now, you must set a profile manually and use this profile for AWS SDK/CLI.

To configure a profile, you'll need to run: aws configure <name-of-the-profile>. If you do not pass a name for the profile, it will default to default (and subsequently override this default profile). With the profile set, use this profile with AWS SDK/CLI/API.

Nephew answered 31/1, 2022 at 17:54 Comment(0)
3

You are somehow using the wrong AWS credentials (AccessKey and SecretKey) of your AWS account. So make sure they are correct; otherwise you need to create new ones and use them. In that case maybe @Prakash's answer is good for you.

Piccard answered 9/6, 2017 at 5:21 Comment(1)
I was using expired credentials. When I looked in the credentials of the IAM console, I could not find any active Access Key ID and Secret Access Key, as they had expired. So I generated new credentials and saved them in my .aws/credentials file and the error is gone. – Thora
3

I had the same error but was caused by a different issue.

The credentials were changed on AWS but I was still using a cached MFA session token for the config profile.

There is a cache file for each profile under ~/.aws/cli/cache/ containing the session token.

Remove the cache file, reissue the command and enter a new MFA token, and it's good to go.

Doubling answered 9/4, 2018 at 23:55 Comment(2)
That folder does not exist for me, running Ubuntu 18.04 and aws-cli/1.15.11 Python/3.5.2 Linux/4.15.0-20-generic botocore/1.10.11 – Lapin
On Mac OSX using awscli from Homebrew it doesn't exist either. – Reef
3

I had the access key and secret key mixed up :)

Darleen answered 22/3, 2021 at 3:6 Comment(0)
2

I thought you could avoid it by just passing the --no-sign-request param, like so:

aws --region us-west-2 --no-sign-request --endpoint-url=http://192.168.99.100:4572 \
 s3 mb s3://mytestbucket
Sherrellsherrer answered 16/4, 2018 at 21:34 Comment(2)
Adding the --no-sign-request option just returned a "missing Authentication Token" message. So it appears, at least in my case, that the token is needed and just turning it off won't do. – Procephalic
Thanks! You are the only one mentioning this --endpoint flag, which helped a lot with my local configuration with a docker container :P cheers!! – Neral
2

If that can help anyone, I had the same problem and eventually I found that it's because my AWS profile region was eu-south-1. By setting it to us-west-2 it worked.

Doesn't make any sense to me, but it seems it's something to check if you're having this problem.

Frail answered 18/4, 2022 at 15:19 Comment(0)
2

After updating the AWS_ACCESS_KEY & AWS_SECRET_ACCESS_KEY environment variables do not forget to restart the session in your terminal in order for it to use the updated values.

Iridotomy answered 23/10, 2023 at 5:42 Comment(0)
1

In my situation, the problem was due to running powershell as an admin, so it was looking for the aws credentials in the root of my admin user. There's probably a better way to resolve this, but what worked quickly for me was recreating my .aws folder in the root of my admin user.

Idaliaidalina answered 13/4, 2020 at 13:31 Comment(0)
1

In my case we use both AWS CN and COM; even though I have valid keys and config/credential files and even specify the exports and --profile in the command, I get this error.

To fix: ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.

I added --region to the command as well.

Katharinakatharine answered 29/11, 2021 at 19:12 Comment(0)
1

I opened my ~/.aws/credentials file and saw that, strangely, the secret key was interchanged with my Access ID; switching them solved the problem.

Vein answered 28/5, 2022 at 13:50 Comment(1)
This was not my problem, but it led me to the right answer. My access key is inactive. Thanks! – Rowenarowland
1

A little late to the game here, but this may be helpful for someone. Using Windows. I had switched from one account to another. Before working in the first account, I ran

SET AWS_ACCESS_KEY_ID=ABCDE....
SET AWS_SECRET_ACCESS_KEY=12345...
SET AWS_SESSION_TOKEN=a1b2c3...

When I switched to the second account, I ran the following. This second account did not require a session token:

SET AWS_ACCESS_KEY_ID=FGHIJ....
SET AWS_SECRET_ACCESS_KEY=67890...

When I then tried to connect I received the error:

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

I cleared the session token variable by running set AWS_SESSION_TOKEN= and then I was able to authenticate. Note that there is no space before the equals sign.

Skinflint answered 16/6, 2022 at 14:13 Comment(1)
unset AWS_SESSION_TOKEN should do it too – Gillie
1

In my case I had triple checked the .aws/credentials file, environment variables, command line arguments, project config etc. but some old credentials were still being found somewhere.

In the end it was an old auth token header configured in Postman which I was using to call the API.

Xray answered 21/12, 2022 at 9:32 Comment(0)
0

I was able to use the AWS cli fully authenticated, so for me the issue was within terraform for sure. I tried all the steps above with no success. A reboot fixed it for me; there must be some cache somewhere in terraform that was causing this issue.

Sadducee answered 28/2, 2020 at 18:52 Comment(0)
0

This is weird, but in my case it happened whenever I wanted to retype the access id and the key by typing aws configure.

Adding the access id always ended up with a mess in the access id entry in the file located at ~/.aws/credentials (see the picture: the messed access id).

I removed this mess and left only the access id, and the error was resolved.

Genesia answered 23/5, 2020 at 3:24 Comment(0)
0

I had a similar issue when I was deploying my django application over Elastic Beanstalk, and what I found is that while I was trying various methods, somehow an eb-cli profile got created in the config file in the ~/.aws/ folder. Once I got rid of that, everything worked fine!

Absorptivity answered 1/8, 2020 at 20:40 Comment(0)
0

I had a similar issue for uploading a certificate using the cli. I needed to use a programmatic access from a newly created iam user (with its own keys). The MFA that I used to authenticate myself to the AWS console (web) in my AWS account was interfering when using the aws configure command with the new iam user credentials for programmatic access. In the new credentials file (created from the aws configure command) the session token from the MFA log was somehow persisted. Deleting manually from the credentials file the session token helped in my case.

Channelize answered 8/7, 2021 at 15:28 Comment(0)
0

After so much research I found out that my AWS account was suspended due to payment.

So, kindly confirm your account is not suspended.

Foul answered 27/11, 2021 at 10:31 Comment(0)
0

Had a similar issue where I had to re-configure my aws.

What fixed this for me was resetting the environment variables:

export AWS_ACCESS_KEY=<key>
export AWS_SECRET_ACCESS_KEY=<key>
Butanol answered 26/4, 2022 at 18:6 Comment(0)
0

In my case I automatically created API keys, then used them directly with assume role. They didn't work when using sts assume-role.

I did a sleep for around 10 seconds after the API keys were created. That solved the problem for me.

Orchardman answered 29/4, 2022 at 12:39 Comment(0)
0

In my situation, this error occurs due to wrong AWS credentials. Try to verify before retrying.

Kamp answered 7/5, 2022 at 14:29 Comment(1)
As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. – Hattie
0

In my case, I was getting this error trying to send emails with AWS SES using the SDK. I had to restart the application (.NET 6 in Docker with docker-compose) for the credentials to be reloaded by the application, so they must be cached once loaded.

Tulley answered 14/8, 2022 at 10:39 Comment(0)
0

Localstack specific.

I am using localstack and getting this error.

I had to do:

  const AWS = require('aws-sdk');
  // S3 stands in for [myService]; LOCALSTACK_URL stands in for [localstack_url]
  const myService = new AWS.S3({ endpoint: process.env.LOCALSTACK_URL });
  myService.listBuckets().promise().then(console.log);
Firstrate answered 5/2, 2023 at 10:4 Comment(0)
0

Delete cache files from folder and try to reconnect from visual studio

c:\users\.aws\sso\cache


Jacquelynejacquelynn answered 27/7, 2023 at 20:16 Comment(0)
0

I have faced the same issue. But if you are a beginner and you are trying to figure out why you are getting this error "An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.", you can follow my steps:

Step 1: open the command line and change directory with cd .aws. This is how it will look after changing directory: C:\Users\Username\.aws

Step 2: open the credentials file using notepad: C:\Users\Username\.aws> notepad credentials

In most cases there might be a default access key username, so all you need to do is edit it using your actual access keys and password, trust me, save it and run aws iam list-users. And it will definitely work. Thank you for reading my post.

Essence answered 11/1, 2024 at 16:2 Comment(0)
0

If none of the above works, try this:

open this file ~/.aws/credentials add aws_session_token = TOKEN and save it

The problem is aws configure --profile does not ask for the aws_session_token value.

Clarineclarinet answered 29/3, 2024 at 18:48 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.