UnrecognizedClientException error when authenticating on aws-cli
F

16

45

When I pull a clean Alpine Linux Docker image, install aws-cli on it and try to authenticate myself with aws ecr get-authorization-token --region eu-central-1 I keep getting the following error:

An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

I've already checked the timezone, which seems to be okay, and the command works properly on my local machine.

These are the commands I run to set up aws-cli:

apk add --update python python-dev py-pip
pip install awscli --upgrade
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Is there something obvious I'm missing?

Farrar answered 28/1, 2018 at 15:48 Comment(4)
You need to export AWS_SESSION_TOKEN=XXXXX. How are you getting the access and secret keys? - Lantern
@KrishnaKumarR I got the keys after generating access keys in the IAM console. Is setting the AWS_SESSION_TOKEN necessary? I thought this was only necessary if you don't use the permanent keys which I use. Also, it's not mentioned in the documentation: docs.aws.amazon.com/rekognition/latest/dg/setup-awscli.html. - Farrar
Yep, it's not necessary. Have you looked at this forum question about using IAM roles: forums.aws.amazon.com/message.jspa?messageID=737198? - Lantern
The keys I'm testing actually have got full Admin access, and the authentication with these exact keys works on my Macbook, so I'm sure it's got to be related to the setup somehow. - Farrar
F
26

It was an access issue after all! Turns out that if you create a new IAM user with full admin access it can't by default access the ECR registry you created using a different account. Using the IAM credentials from that other account resolved the issue.

Farrar answered 28/1, 2018 at 17:46 Comment(1)
I'm facing this same error right now when you found this solution? - Housekeeper
S
34

You don't have permission to access those resources until you get permission to aws-cli. For that, you can use the steps below.

Log into your AWS account, click on your account name, select my security credentials, click on access keys and download the credentials

Open your PowerShell as administrator and follow the commands.

$ aws configure
AWS Access Key ID [****************E5TA]: xxxxxxxxxx
AWS Secret Access Key [****************7gNT]: xxxxxxxxxxxxxx
Solleret answered 10/9, 2019 at 10:50 Comment(0)
P
12

In my case, my ~/.aws/credentials file had an old aws_session_token that was not updated by the aws configure CLI command. Once I opened the file with vi ~/.aws/credentials and deleted the aws_session_token entry, I no longer encountered the UnrecognizedClientException. I'm guessing that the AWS CLI first gives priority to the aws_session_token over the aws access key id and aws secret access key when running AWS CLI commands, if aws_session_token is present in the ~/.aws/credentials file.

Preemie answered 2/7, 2020 at 11:51 Comment(0)
H
8

What worked for me is: on the first part of pipe add the param --profile < your-profile-name > and after that in every ECR command you need to provide that parameter.

Helterskelter answered 15/8, 2022 at 13:49 Comment(1)
This worked for me. I was using the aws ecr get-login-password command for many years so far but then one day it started spitting an error message (UnrecognizedClientException). I simply added --profile default in the aws ecr get-login-password command and it started working again. Strange... - Fraunhofer
L
3

Create a new account with AmazonEC2ContainerRegistryFullAccess permission. Add this account to the .credentials file like this:

[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX

Then use the following command:

aws ecr get-login-password --profile ecr-user
Lota answered 20/2, 2022 at 19:16 Comment(0)
G
2

My issue was caused by the fact that I had inactivated my access key in the AWS IAM Management Console earlier as part of an exercise I was doing. Once I reactivated it, the problem was resolved.

(Make sure you're in the right AWS region, too.)

Gibbs answered 19/3, 2021 at 18:44 Comment(0)
L
2

I had the same error message; however, I was using session-based AWS access. The solution is to add all the keys given by AWS, including the session token.

aws_access_key_id="your-key-id"
aws_secret_access_key="your-secret-access-key"
aws_session_token="your-session-token"

Add it to ~/.aws/credentials for the profile you are using.

Lacefield answered 25/4, 2022 at 5:33 Comment(0)
A
2

An update: --profile must be added. I solved this.

Aggappora answered 21/2, 2023 at 23:44 Comment(1)
This answer is already given, your answer doesn't add any additional info. - Roundtheclock
M
1

Try running echo $varname to see if the environment variables are set correctly:

echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_DEFAULT_REGION

If they are incorrectly set, run unset varname:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
Mister answered 12/10, 2022 at 5:23 Comment(0)
C
1

This stumped me for a while. Various flavours of exception. To finally get a fix, I wiped my aws home directory, and re-entered my Access Key ID and Secret Access Key from scratch.

rm -rf ~/.aws
aws configure

I'm on Ubuntu 22.04, aws cli 2.11.21

Canaletto answered 22/5, 2023 at 5:39 Comment(1)
That's a pretty straightforward answer. But I would add the following: go to AWS page > IAM > Users > Select your user > Scroll down to Access Key > Delete your old ones if they are expired > create a new one and copy the Secret ID and Secret Key to add at aws configure prompts. - Relique
J
0

Resolved issue after following below:

  1. Go to AWS IAM Management Console
  2. Generate credential in section "Access keys (access key ID and secret access key)"
  3. Run command aws configure and set same downloaded credentials in Cdrive-User-directory.aws\credentials
Jamilla answered 5/6, 2020 at 12:42 Comment(0)
I
0

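After a couple of hours, this is my conclusion:

If you want to use AWS_PROFILE, make sure that the rest of the AWS env vars are unset (NOT empty only ... MUST be UNSET).

profile=$AWS_PROFILE
# Unset every exported variable whose name starts with AWS_ (anchored so that
# unrelated variables that merely contain "AWS_" are left alone)
unset $(printenv | grep '^AWS_' | cut -f1 -d"=")
export AWS_PROFILE=${profile}

Then: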

  # with aws cli >= 1.x
  $(aws ecr get-login --no-include-email --region ${aws_region})

  # with aws cli >= 2.x
  registry=${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com
  aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${registry}
Insomnia answered 4/7, 2020 at 19:19 Comment(0)
L
0

It wasn't working for me. Out of sheer desperation, I copied the lines starting with export and posted them in the terminal and pressed enter.

Thereafter I wrote aws configure and filled in the details from https://MYCOMPANY.awsapps.com/start#/ >> Account >> Clicked "Command line or programmatic access".

Default region name: eu-north-1
Default output format: text

And then the login succeeded. Don't ask me why.

Location answered 11/11, 2021 at 18:24 Comment(0)
P
0

Open the file ~/.aws/credentials (or c:\Users\{user}\.aws\credentials on Windows).

It might look something like the following:

[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX

Update the aws_access_key_id and aws_secret_access_key with new values and remove the aws_session_token. You can also update aws_access_key_id and aws_secret_access_key via the aws configure command, but this doesn't remove the session token.

Proximity answered 19/5, 2022 at 4:45 Comment(0)
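
Added example (not from any of the answers on this page): a shell check for the conditions described in Preemie's, Insomnia's and Proximity's answers above, run without printing any secret. It lists exported credential variables by name and flags profiles where a long-term key (access key IDs beginning with AKIA) sits next to an aws_session_token; the function names and the sample file contents are constructed for illustration.

```shell
# Names (never values) of credential variables exported in the environment.
# These take precedence over ~/.aws/credentials; printenv also succeeds for an
# exported-but-empty variable, so "empty" is reported the same as "set".
aws_env_overrides() {
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        if printenv "$name" >/dev/null 2>&1; then echo "$name"; fi
    done
}

# Profiles in credentials file $1 that pair a long-term access key (ID prefix
# AKIA) with an aws_session_token. Temporary keys (prefix ASIA) legitimately
# carry a token, so they are not flagged.
stale_token_profiles() {
    awk '
        function report() { if (longterm && token) print profile }
        /^[ \t]*\[/ {
            report()
            profile = $0
            sub(/^[ \t]*\[/, "", profile); sub(/\].*$/, "", profile)
            longterm = 0; token = 0
            next
        }
        /^[ \t]*aws_access_key_id[ \t]*=[ \t]*AKIA/ { longterm = 1 }
        /^[ \t]*aws_session_token[ \t]*=[ \t]*[^ \t]/ { token = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample file with fake values, used only to demonstrate the check.
write_sample() {
    cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-stale-token
[ecr-user]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructed-not-a-real-secret
[temp-creds]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-token-for-temporary-key
EOF
}

sample=$(mktemp) && write_sample "$sample"
echo "exported credential variables: $(aws_env_overrides | tr '\n' ' ')"
echo "profiles with a leftover session token: $(stale_token_profiles "$sample")"
rm -f "$sample"
```

Against a real setup, call stale_token_profiles ~/.aws/credentials; aws configure list then shows which source supplied each value, with the keys masked.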
D
0

In my case, the region I wanted to use was not enabled. Addressed by enabling it at Account > AWS Regions -> enable (and wait patiently for some minutes).

Dancette answered 22/12, 2022 at 10:9 Comment(0)
M
0

I was facing this error when trying to insert data into my DynamoDB table.

I took two steps:

  1. Ran aws configure and set the access key, secret key and region.
  2. Inserted access key, secret key, session token and region as arguments while creating boto3 resource in my code.

Doing this solved the problem.

Monodic answered 21/3 at 8:27 Comment(0)
