Thanh Nguyen Van

Reputation: 11772

InvalidClientTokenId: The security token included in the request is invalid. status code: 403

I am using Terraform & kubectl to deploy infrastructure and application.

Since I changed aws configure:

terraform init

terraform apply

I always got:

terraform apply

Error: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
    status code: 403, request id: 5ba38c31-d39a-11e9-a642-21e0b5cf5c0e

  on providers.tf line 1, in provider "aws":
   1: provider "aws" {

Can you advise? Appreciated!

Upvotes: 16

Views: 58480

Answers (8)

Franke

Reputation: 1282

In my case the IAM / Security credentials / Access key I was using (as it was set in my ~/.aws/credentials file) was inactive. I should have checked that in my AWS Console first.

Upvotes: -1

Dan B

Reputation: 29

I was getting this error even though my credentials were working and valid. It turned out to be because the CloudFormation stack I was uploading was creating an IAM role, and AWS requires you to use MFA in order to create IAM roles. So adding MFA and getting my security token with --serial-number and --token-code fixed the problem for me.

Upvotes: -1

Prabhas Harlapur

Reputation: 1

There can be two causes for this:

  1. The AWS credentials (access key ID and secret) might have to be reconfigured, so use aws configure to update the credentials.

  2. In the AWS portal, if your creds have not been used for a long time they might be inactive. Please go ahead and activate them and try again.

Upvotes: -1

user3827510

Reputation: 149

I got the same invalid token error after adding an S3 Terraform backend.

It was because I was missing a profile attribute on the new backend.

This was my setup when I got the invalid token error:

# ~/.aws/credentials

[default]
aws_access_key_id=OJA6...
aws_secret_access_key=r2a7...

[my_profile_name]
aws_access_key_id=RX9T...
aws_secret_access_key=oaQy...

// main.tf

terraform {
  backend "s3" {
    bucket         = "terraform-state"
    encrypt        = true
    key            = "terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-state-locks"
  }
}

And this was the fix that worked (showing a diff, I added the line with "+" at the beginning):

  // main.tf

  terraform {
    backend "s3" {
      bucket         = "terraform-state"
      // ...
+     profile        = "my_profile_name"
    }
  }
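
Review bot: the added profile = "my_profile_name" line configures only the backend "s3" block. The S3 backend does not take its credentials from the provider "aws" block, so set the same profile there too (or export AWS_PROFILE) to keep state access and resource calls on one identity. Hard-coding the name also ties the configuration to this workstation's ~/.aws/credentials; supplying it at init time with terraform init -backend-config="profile=my_profile_name" avoids that.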

None of the guides or videos I read or watched included the profile attribute. But it's explained in the Terraform documentation, here:

https://www.terraform.io/language/settings/backends/s3

Upvotes: 5

PaulRwanda

Reputation: 185

I used aws configure and provided my keys as shown below

See image of the error I got


But I still got the invalid token error.

Answer

I have cleaned everything from ~/.aws/credentials and then run aws configure again and provided my keys.

It worked for me. Try it too

Upvotes: -1

Francisco Cardoso

Reputation: 1968

My issue was related to the VS Code Debug Console: the AWS_PROFILE and AWS_REGION environment variables were not loaded. To solve that, I closed VS Code and reopened it through the CLI using the command code <project-folder>.

Upvotes: 0

Andreas Forslöw

Reputation: 2738

In my case, it turned out that I had the environment variables AWS_ACCESS_KEY_ID, AWS_DEFAULT_REGION and AWS_SECRET_ACCESS_KEY set. This circumvented my ~/.aws/credentials file. Simply unsetting these environment variables worked for me!

Upvotes: 6

Rotem jackoby

Reputation: 22098

From here.

This is a general error that can be caused by a few reasons.

Some examples:

1) Invalid credentials passed as environment variables or in ~/.aws/credentials.

Solution: Remove old profiles / credentials and clean all your environment vars:

for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done


2) When your aws_secret_access_key contains characters like the plus sign + or multiple forward slashes /. See more in here.
Solution: Delete credentials and generate new ones.


3) When you try to execute Terraform inside a region which must be explicitly enabled (and wasn't).
(In my case it was me-south-1 (Bahrain) - See more in here).
Solution: Enable region or move to an enabled one.


4) In cases where you work with 3rd party tools like Vault and don't supply valid AWS credentials to communicate with - See more in here.


All will lead to a failure of aws sts:GetCallerIdentity API.

Upvotes: 32
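
An added example, not part of any answer on this page: a shell function that reports which credential source will be picked up, following the behaviour described in the answers above (exported AWS_* keys override ~/.aws/credentials; otherwise the profile named by AWS_PROFILE, or default, is read). The function names, output format and key ids are constructed for illustration, and only environment variables and the shared credentials file are modelled.

```shell
#!/usr/bin/env bash
# Added example: report which credential source wins, without calling AWS.

# Print the access key id stored under profile $2 in credentials file $1.
profile_key_id() {
  [ -r "$1" ] || return 0
  awk -v want="[$2]" '
    /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); active = ($0 == want); next }
    active && /^[ \t]*aws_access_key_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }' "$1"
}

# Show only the last four characters of a key id.
mask() { printf '%s\n' "$1" | sed -E 's/^.*(.{4})$/****\1/'; }

# Echo "<source> <masked id> [notes]"; return 1 when nothing usable is set.
active_aws_credentials() {
  local file profile file_id out
  file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  profile="${AWS_PROFILE:-default}"
  file_id="$(profile_key_id "$file" "$profile")"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    out="env $(mask "$AWS_ACCESS_KEY_ID")"
    # Environment keys hide whatever the credentials file holds.
    if [ -n "$file_id" ] && [ "$file_id" != "$AWS_ACCESS_KEY_ID" ]; then
      out="$out shadows profile:$profile"
    fi
    # A leftover session token is still sent along with the keys.
    if [ -n "${AWS_SESSION_TOKEN:-}${AWS_SECURITY_TOKEN:-}" ]; then
      out="$out +session-token"
    fi
    echo "$out"; return 0
  fi
  if [ -n "$file_id" ]; then
    echo "profile:$profile $(mask "$file_id")"; return 0
  fi
  echo "none"; return 1
}

# Constructed sample data: throwaway credentials file with made-up key ids.
demo_file="$(mktemp)"; trap 'rm -f "$demo_file"' EXIT
printf '%s\n' '[default]' 'aws_access_key_id = AKIAEXAMPLEDEFAULT01' \
  'aws_secret_access_key = constructed' '[my_profile_name]' \
  'aws_access_key_id = AKIAEXAMPLEPROFILE2' \
  'aws_secret_access_key = constructed' > "$demo_file"
# Stale exported keys override the selected profile in this demo run.
( export AWS_SHARED_CREDENTIALS_FILE="$demo_file" AWS_PROFILE=my_profile_name \
    AWS_ACCESS_KEY_ID=AKIAEXAMPLESTALE0003 AWS_SECRET_ACCESS_KEY=constructed
  active_aws_credentials )
```

Run it in the same shell (or IDE terminal) that launches terraform, since that is the environment whose variables matter.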
