InvalidClientTokenId: The security token included in the request is invalid. status code: 403
B

7

15

I am using terraform & kubectl to deploy infrastructure and application.

Since I changed aws configure:

terraform init

terraform apply

I always got:

terraform apply

Error: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
    status code: 403, request id: 5ba38c31-d39a-11e9-a642-21e0b5cf5c0e

  on providers.tf line 1, in provider "aws":
   1: provider "aws" {

Can you advise? Appreciate!

Barbel answered 10/9, 2019 at 7:17 Comment(1)
You should share your terraform configuration, or at least a minimal example, otherwise it's tough to tell what exactly is wrong. - Motivation
S
31

From here.

This is a general error that can be caused by a few reasons.

Some examples:

1) Invalid credentials passed as environment variables or in ~/.aws/credentials.

Solution: Remove old profiles / credentials and clean all your environment vars:

for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done


2) When your aws_secret_access_key contains characters like the plus-sign + or multiple forward-slash /. See more in here.
Solution: Delete credentials and generate new ones.


3) When you try to execute Terraform inside a region which must be explicitly enabled (and wasn't).
(In my case it was me-south-1 (Bahrain) - See more in here).
Solution: Enable region or move to an enabled one.


4) In cases where you work with 3rd party tools like Vault and don't supply valid AWS credentials to communicate with - See more in here.


All will lead to a failure of aws sts:GetCallerIdentity API.

Surely answered 12/12, 2019 at 23:46 Comment(7)
For my problem... Solution number 2 was the issue. Why produce + symbols if they are so troublesome?! - Abiosis
2) Pretty much always having + or / - Backler
Adding to 1), my experience has been that having an ~/.aws/credentials interferes with authenticating via aws sso. So removing the file resolved the error. - Forelli
What happened in my case was I was creating the credentials dynamically using vault and trying to use it immediately. I had to wait at least 5 seconds after the credentials are created before using them. - Passe
What do you mean by "enable region" in solution number 3? - Signification
Not all regions are enabled by default. - Surely
If all of the points above are not working, then try to create new credentials for your user in AWS console and set those credentials using aws configure. This worked for me. - Hillman
B
6

In my case, it turned out that I had the environment variables AWS_ACCESS_KEY_ID, AWS_DEFAULT_REGION and AWS_SECRET_ACCESS_KEY set. This circumvented my ~/.aws/credentials file. Simply unsetting these environment variables worked for me!

Broadus answered 1/7, 2021 at 11:25 Comment(0)
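A check for the situation described in this answer and in cause 1 of the earlier answer, added here as an example (not code from any of the answers). It uses a simplified model in which static keys in the environment are used before the credentials file, and its function names and output labels are made up for illustration; the token check is a heuristic based on the AWS-documented AKIA/ASIA key prefixes.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers). Simplified model of credential
# lookup: static keys in the environment are used before ~/.aws/credentials.
# It ignores SSO, assumed roles and provider/backend "profile" settings.

# has_profile FILE PROFILE: succeeds if FILE contains a "[PROFILE]" section.
has_profile() {
  [ -f "$1" ] && grep -qxF "[$2]" "$1"
}

# credential_source FILE [PROFILE]: prints env, env-partial, file:<profile> or none.
credential_source() {
  local file="$1" profile="${2:-${AWS_PROFILE:-default}}"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "env"                      # environment shadows the credentials file
  elif [ -n "${AWS_ACCESS_KEY_ID:-}${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "env-partial"              # only half of the key pair is set
  elif has_profile "$file" "$profile"; then
    echo "file:$profile"
  else
    echo "none"
  fi
}

# token_mismatch: prints a finding when key type and session token disagree.
# AKIA = long-term IAM user key, ASIA = temporary STS key.
token_mismatch() {
  local token="${AWS_SESSION_TOKEN:-${AWS_SECURITY_TOKEN:-}}"
  case "${AWS_ACCESS_KEY_ID:-}" in
    AKIA*) if [ -n "$token" ]; then echo "stale-session-token"; fi ;;
    ASIA*) if [ -z "$token" ]; then echo "missing-session-token"; fi ;;
  esac
  return 0
}

# Report for the current shell; only labels are printed, never key material.
echo "source:  $(credential_source "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}")"
echo "finding: $(token_mismatch)"
```

A result of env or env-partial when you expected file:<profile> means leftover variables are shadowing what aws configure wrote.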
O
5

I got the same invalid token error after adding an S3 Terraform backend.

It was because I was missing a profile attribute on the new backend.

This was my setup when I got the invalid token error:

# ~/.aws/credentials

[default]
aws_access_key_id=OJA6...
aws_secret_access_key=r2a7...

[my_profile_name]
aws_access_key_id=RX9T...
aws_secret_access_key=oaQy...

// main.tf

terraform {
  backend "s3" {
    bucket         = "terraform-state"
    encrypt        = true
    key            = "terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-state-locks"
  }
}

And this was the fix that worked (showing a diff, I added the line with "+" at the beginning):

  // main.tf

  terraform {
    backend "s3" {
      bucket         = "terraform-state"
      // ...
+     profile        = "my_profile_name"
    }
  }
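
Review bot: the added profile = "my_profile_name" line hardcodes a profile name from one user's ~/.aws/credentials into main.tf, so every other user or CI job that runs terraform init needs an identically named profile or the backend will fail to authenticate again. Consider leaving profile out of the committed backend block and passing it at init time with terraform init -backend-config="profile=my_profile_name", and add a comment next to the backend block saying that it needs its own credentials setting.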

None of the guides or videos I read or watched included the profile attribute. But it's explained in the Terraform documentation, here:

https://www.terraform.io/language/settings/backends/s3

Okajima answered 22/2, 2022 at 23:14 Comment(0)
V
0

My issue was related to VS Code Debug Console: The AWS_PROFILE and AWS_REGION environment variables were not loaded. For solving that I closed vscode and reopened through CLI using the command code <project-folder>.

Vellum answered 10/1, 2022 at 19:32 Comment(0)
J
0

I used aws configure and provided my Keys as shown below

See image of the error I got

But I still got the invalid token error.

Answer

I have cleaned everything from ~/.aws/credentials and then ran aws configure again and provided my keys.

It worked for me. Try it too.

Jordans answered 17/8, 2022 at 10:3 Comment(0)
H
0

There can be two problems for this:

  1. AWS credentials (access key id and secret) might have to be reconfigured, so use aws configure to update the credentials.

  2. In the AWS portal, if your creds are not used for a long time they might be inactive. Please go ahead and activate them and try again.

Hub answered 16/6, 2023 at 1:12 Comment(0)
S
0

I was getting this error even though my credentials were working and valid. It turned out to be because the cloudformation stack I was uploading was creating an IAM role, and AWS requires you use MFA in order to create IAM roles. So adding MFA and getting my security token with --serial-number and --token-code fixed the problem for me.

Scrivens answered 21/2 at 22:21 Comment(0)
