Elijah Lynn

Reputation: 13468

`An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.` w/`aws s3 ls`

I successfully authenticate with 2 factor but when using `aws s3 ls` I keep getting

`An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.`

And I do have admin rights.

Upvotes: 30

Views: 58389

Answers (9)

Jason Thomas

Reputation: 1

For some reason my `aws_access_key_id` and `aws_secret_access_key` got generated for us-east-1 (you can view this on the credentials page of your AWS console) and I was trying to access another region. I got the correct creds and placed them in the credentials file with a new profile and it worked.

Upvotes: 0

arnino

Reputation: 560

If you are using AWS Single Sign-on you can pass `--profile <profile_name>` and it should solve the issue.

This will work if you authenticated using the AWS Single Sign-on (SSO) command `aws sso login --profile <profile_name>`.

Upvotes: 4

ByteSlinger

Reputation: 1597

None of the other solutions worked for me.

I previously was working with another AWS account (same Organization). I forgot that I had entered the AWS-SESSION-TOKEN, AWS-ACCESS-KEY and AWS-SECRET-ACCESS_KEY as environment variables, following whatever AWS rabbit hole instructions I had at the time.

I removed those environment variables from my ~/.zshrc file.

Then I followed the instructions in @ox's solution from here to set up multiple AWS CLI accounts:

How to use multiple AWS accounts from the command line?

Now I have multiple account profiles set up in my `~/.aws/credentials` file:

```
[default]
aws_access_key_id = xxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Backups]
aws_access_key_id = yyyyyyyyyyyyyyyyy
aws_secret_access_key = yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
```

And I can run aws cli commands, using the `--profile` command line parameter if needed:

```
# the default profile - list s3 buckets
% aws s3 ls
2023-11-16 12:14:26 f-file-share
2023-12-14 14:07:45 oracle-export-share

# the Backups profile - list s3 buckets
% aws --profile Backups s3 ls
2023-09-12 10:34:00 files-nas-backup
2023-09-27 11:08:47 files1-nas-backup
```

Upvotes: 0

Impermanence

Reputation: 184

`~/.aws/credentials` sometimes has 2 entries for "default". Remove the one you don't need; sometimes it might be just blank.

Upvotes: 0

Harshit

Reputation: 11

In the .aws credentials file, remove the session token and it will work.

Upvotes: 1

Parul Singh

Reputation: 503

Run aws configure

  1. You may leave access key and access key id blank if you have an IAM role attached

  2. Set value for 'region'

Now you will be able to successfully run 'aws s3 ls'

Else run 'aws s3 ls --region '

Upvotes: 5

sachin

Reputation: 250

Please delete the `.aws/credentials` file from your user account and reconfigure your aws cli. If you are already associated with another account then there are high chances of this type of error.

Upvotes: 12

catch22

Reputation: 1693

This error also occurs when aws cli reads the `aws_session_token` and `aws_security_token` declared in the ~/.aws file, which might be associated with a previously used account. Removing both and leaving just the key and the credentials associated with the account where the bucket is will force aws to establish the connection.

Upvotes: 24

Elijah Lynn

Reputation: 13468

Issue was that I wasn't passing the `--region` in, e.g. `aws s3 --region us-gov-west-1 ls`. I suppose this could be set with an ENV variable too. That error message is a candidate for improvement.

Upvotes: 38
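
The causes named across the answers above (credential variables left in the environment, a duplicated or blank `[default]` section, `aws_session_token` / `aws_security_token` left in the credentials file, and no region) can be checked in one pass. This is an added example, not code from any of the posters or from AWS; the function names, finding messages and sample file contents are assumptions made for illustration, and it reports key names only, never secret values.

```python
import re

TOKEN_KEYS = {"aws_session_token", "aws_security_token"}
ENV_CREDS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
             "AWS_SESSION_TOKEN", "AWS_SECURITY_TOKEN")

def parse_ini(text):
    """Return [(section, {key: value})] in file order, keeping duplicate sections."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1).strip(), {}))
        elif "=" in line and sections and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit(credentials_text, config_text, env, profile="default"):
    """List likely InvalidToken causes for one profile; reports names, never values."""
    findings = []
    for name in ENV_CREDS:
        if env.get(name):
            findings.append(f"env {name} is set and can be used ahead of the file")
    blocks = [keys for name, keys in parse_ini(credentials_text) if name == profile]
    if len(blocks) > 1:
        findings.append(f"[{profile}] appears {len(blocks)} times in credentials")
    for keys in blocks:
        if not keys:
            findings.append(f"[{profile}] has an empty section in credentials")
        for key in sorted(TOKEN_KEYS & keys.keys()):
            findings.append(f"[{profile}] sets {key}, stale if from an earlier session")
    # In the config file, named profiles use a "profile " prefix; default does not.
    cfg_name = profile if profile == "default" else f"profile {profile}"
    region = any(n == cfg_name and k.get("region") for n, k in parse_ini(config_text))
    if not (region or env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")):
        findings.append(f"no region configured for {profile}")
    return findings

# Constructed sample input, not taken from the page.
SAMPLE_CREDENTIALS = ("[default]\n\n[default]\naws_access_key_id = EXAMPLEKEYID\n"
                      "aws_secret_access_key = EXAMPLESECRET\naws_session_token = EXAMPLETOKEN\n")
SAMPLE_CONFIG = "[default]\noutput = json\n"
SAMPLE_ENV = {"AWS_SESSION_TOKEN": "EXAMPLETOKEN"}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG, SAMPLE_ENV)))
```

To run it against a real setup, pass the contents of `~/.aws/credentials` and `~/.aws/config` and `dict(os.environ)`; `aws configure list` shows which source the CLI resolved each value from.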
