Reputation: 131
Error: error configuring Terraform AWS Provider:
error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 95e52463-8cd7-038-b924-3a5d4ad6ef03, api error InvalidClientTokenId: The security token included in the request is invalid. with provider["registry.terraform.io/hashicorp/aws"], on provider.tf line 1, in provider "aws": 1: provider "aws" {
I have only two files.
resource "aws_instance" "web" {
  ami           = "ami-068257025f72f470d"
  instance_type = "t2.micro"
  tags = {
    Name = "instance_using_terraform"
  }
}

provider "aws" {
  region     = "ap-east-1"
  access_key = "xxxx"
  secret_key = "xxxx/xxx+xxx"
}
Upvotes: 11
Views: 60483
Reputation: 96
In my case this issue is because your system date/time is wrong.
Set the time for my CentOS 8 OS through the following commands:
timedatectl status
timedatectl set-time HH:MM:SS
It will throw an error saying "Failed to set time: NTP unit is active" if you have already set up the NTP service on your machine.
Then use the commands below to configure NTP:
sudo timedatectl set-local-rtc true
sudo timedatectl set-ntp false
sudo timedatectl set-time "yyyy-MM-dd hh:mm:ss"
timedatectl list-timezones
sudo timedatectl set-timezone Europe/Zagreb
sudo timedatectl set-ntp yes
Upvotes: 5
Reputation: 11
I think it is because of the zone you have put in your Terraform script. I know that you can see the availability region in the EC2 console in AWS.
Upvotes: 0
Reputation: 1
Please create a new user with full admin access and then click on application use outside EC2 instance. This may work in your case.
Upvotes: 0
Reputation: 1
Check whether your access key is active or not. If it is active, reconfigure using aws configure and change the region from default to ap-east-1.
May this work!!
Upvotes: 0
Reputation: 465
In my case we were using multiple provider blocks in multiple AWS regions with the same profile as this:
provider "aws" {
  alias   = "prod01"
  region  = "us-east-1"
  profile = "prod"
}

provider "aws" {
  alias   = "prod02"
  region  = "eu-central-1"
  profile = "prod"
}
The fix was to have two AWS profiles mapped to each provider, not just one.
For example, you would have to configure two AWS profiles for each region using
aws configure --profile <profile_name>
twice, or
saml2aws login --region us-east-1 --profile prod-us-east-1
and again
saml2aws login --region eu-central-1 --profile prod-eu-central-1
then modify your Terraform code to use the correct profile:
provider "aws" {
  alias   = "prod01"
  region  = "us-east-1"
  profile = "prod-us-east-1"
}

provider "aws" {
  alias   = "prod02"
  region  = "eu-central-1"
  profile = "prod-eu-central-1"
}
Upvotes: 0
Reputation: 2992
In my case it was because I had disabled the regions in the account I was trying to generate a plan. To see the list of enabled/disabled regions, you can go here: https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1#/account?AWS-Regions
Upvotes: 0
Reputation: 1
In my case, I was demonstrating with the Credentials and files I downloaded from GitHub. I didn't change the credentials to my own. (Both the Access Key and the Secret Key). I changed it and it worked! I was on it for several weeks trying to figure what could have happened.
Upvotes: 0
Reputation: 322
For anyone who might hit this error
Error: configuring Terraform AWS Provider: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 400 ... api error IncompleteSignature: .... not a valid key=value pair
Check that your credentials file doesn't contain any trailing spaces, e.g. at the end of lines. AWS is quite happy to strip these and works fine, Terraform doesn't! Took me way too long to track that one down.
Upvotes: 0
Reputation: 31
For me, I had to update my provider version. Went through all the suggestions here, but none worked. My required_providers version was 4.67.0, but updating it to 5.0 on my .tf file required I update the locked dependency selections to match a changed configuration by running "terraform init -upgrade" command. And that did it for me.
Upvotes: 3
Reputation: 1
In my case, the error was because I didn't have a default configuration declaration. When I created it, it all worked.
Upvotes: -2
Reputation: 491
Make sure to use the default region specified for your AWS IAM account
provider "aws" {
  region     = "eu-north-1" # <--- here
  access_key = "**************"
  secret_key = "**************"
}
Upvotes: 3
Reputation: 1130
In case anyone comes across this issue, I found that the workspace I was working in had environment variables set in Terraform Cloud for the AWS credentials. These were taking precedence over my local credentials and needed to be refreshed.
Upvotes: 0
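An added example (not code from any of the posts on this page) that checks for two causes reported in this thread: trailing whitespace in the shared credentials file, and credential environment variables that take precedence over local files. The sample file contents and key values are constructed placeholders, and the function names are hypothetical.

```python
import os
import re

# Credential variables read from the environment by the AWS SDKs and the
# Terraform AWS provider; when set, they are used instead of ~/.aws files.
ENV_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
SECRET_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

# Constructed sample file; the key values are placeholders, not real credentials.
SAMPLE = (
    "[default]\n"
    "aws_access_key_id = EXAMPLEKEYID0000 \n"  # trailing space
    "aws_secret_access_key = constructedSecret/notReal+value\n"
    "[prod] \n"  # trailing space after header
    "aws_access_key_id = EXAMPLEKEYID0001\n"
    "aws_secret_access_key = \n"  # empty value
)

def lint_credentials(text):
    """Return (line_no, profile, message) findings; values are never echoed."""
    findings, profile = [], None
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]\s*", line)
        if header:
            profile = header.group(1).strip()
            if line != line.rstrip():
                findings.append((no, profile, "trailing whitespace after profile header"))
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep:
            findings.append((no, profile, "not a key=value pair"))
        elif profile is None:
            findings.append((no, None, f"{key} appears before any [profile] header"))
        elif key in SECRET_KEYS and not value.strip():
            findings.append((no, profile, f"{key} is empty"))
        elif key in SECRET_KEYS and value != value.rstrip():
            findings.append((no, profile, f"{key} has trailing whitespace"))
    return findings

def shadowing_env_vars(env):
    """Names of credential variables set in env that take precedence over files."""
    return [name for name in ENV_CREDENTIAL_VARS if env.get(name)]

if __name__ == "__main__":
    for finding in lint_credentials(SAMPLE):
        print(finding)
    print("set in environment:", shadowing_env_vars(os.environ))
```

The findings report only line numbers, profile names and key names, so the output can be pasted into a ticket without exposing the secret values.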
Reputation: 107
Maybe your passed AWS configure region is different from your Terraform provider region, e.g. us-east-1 in AWS configure, us-east-1a in Terraform provider region.
Please change those regions to the same.
Upvotes: 9
Reputation: 99
In my test environment I was using the root user's access and secret access key, which did not work. After creating a dedicated user the error did not occur anymore.
In detail I did the following steps:
1. Created a user called terraform here
2. Created a new group Administrators with attached permissions Administrator Access by following the wizard
3. Copied access key and secret access key to ~/.aws/credentials
   aws_access_key_id=xxx
   aws_secret_access_key=xxx
4. Created ~/.aws/config
   [default]
   region=us-west-2
Upvotes: 3
Reputation: 131
I made a mistake in the region: where I declared it, I entered the wrong name code of the region. Also, the access key / secret key with '+' and '/' was generating the error due to some symbols; you just need to try a new key until the access key contains only an alphabetical string. (Symbols are lmao).
Upvotes: 1
Reputation: 8162
Check the .aws folder (config file). Try this:
aws sts get-caller-identity
{
    "UserId": "AIDAYMYFUCQM7K2RD9DDD",
    "Account": "111147549871",
    "Arn": "arn:aws:iam::111147549871:user/myself"
}
Also show us your main.tf file and where and how you define access.
Upvotes: 1