Calling assume_role results in an "InvalidClientTokenId" error

Question

I cannot give too many details due to confidentiality, but I will try to specify as best as I can.

I have an AWS role that is going to be used to call an API and has the correct permissions. I am using Boto3 to attempt to assume the role.

In my python code I have

sts_client = boto3.client('sts')

response = sts_client.assume_role(
    RoleArn="arn:aws:iam::ACCNAME:role/ROLENAME",
    RoleSessionName="filler",
)

With this code, I get this error: "An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Any help would be appreciated. Thanks

Answer 1

When you construct the client in this way, e.g. sts_client = boto3.client('sts'), it uses the boto3 DEFAULT_SESSION, which pulls from your ~/.aws/credentials file (possibly among other locations; I did not investigate further).

When I ran into this, the values for aws_access_key_id, aws_secret_access_key, and aws_session_token were stale. Updating them in the default configuration file (or simply overriding them directly in the client call) resolved this issue:

sts_client = boto3.client('sts',
    aws_access_key_id='aws_access_key_id',
    aws_secret_access_key='aws_secret_access_key',
    aws_session_token='aws_session_token')

As an aside, I found that enabling stream logging was helpful and used the output to dive into the boto3 source code and find the issue: boto3.set_stream_logger('').