Jeff

Reputation: 1889

@aws-sdk/client-s3: Setting S3Client config in code: "AWS Access Key Id not exists"

Goal: Set AWS IAM credentials to S3Client config directly in code.

Initial Reference: How to set credentials in AWS SDK v3 JavaScript?

Using @aws-sdk/client-s3, I can perform S3Client requests using AWS credential keys from the environment:

AWS_ACCESS_KEY_ID=ASIA*****HM7
AWS_SECRET_ACCESS_KEY=aXH*****R+4

Note: AWS_ACCESS_KEY_ID is an ASIA temporary (AWS STS) key.

Providing only "region" to S3Client config to request a listing of buckets:

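import { S3Client } from '@aws-sdk/client-s3';

// Region only: credentials are resolved from the environment by the SDK.
const s3Config = {
  region: 'us-west-2'
};

const s3Client = new S3Client(s3Config);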

Successful response:

ListBucketsCommandOutput:
  "Buckets": [
    {
      "Name": "my-bucket"
    }
  ]

However, when pulling the same AWS credential keys from the local environment and assigning them as "credentials" in the S3Client config, it errors with "AWS Access Key Id you provided does not exist".

Code importing AWS keys for S3Client create:

const s3Config = {
  region: 'us-west-2',
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
};

const s3Client = new S3Client(s3Config);

Code Error Response:

{
  "success": false,
  "error": "The AWS Access Key Id you provided does not exist in our records."
}

How can this be corrected?

Thank you

Upvotes: 0

Views: 688

Answers (1)

jarmod

Reputation: 78860

IAM User credentials have 2 parts:

  1. AWS_ACCESS_KEY_ID (format: AKIA...)
  2. AWS_SECRET_ACCESS_KEY

STS credentials have 3 parts:

  1. AWS_ACCESS_KEY_ID (format: ASIA...)
  2. AWS_SECRET_ACCESS_KEY
  3. AWS_SESSION_TOKEN

You indicated an STS access key but you did not also include AWS_SESSION_TOKEN, so I suspect that IAM thinks that you are providing IAM User credentials and so it attempts to look up ASIA... in its database. It fails to find the access key because ASIA... is not actually an IAM User access key and authentication fails with:

AWS Access Key Id you provided does not exist

To fix, indicate the session token when creating your client. Or switch to IAM User credentials, but be aware that IAM User credentials are not a best security practice because they are long-lived whereas STS credentials are short-lived.

Details of the AWS key formats such as AKIA..., ASIA... can be found here.

Upvotes: 2
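The fix described in the answer above, as an added example that is not part of the original question or answer: a helper that builds the S3Client `credentials` object from the environment and refuses an ASIA key that arrives without its session token. The function names `credentialsFromEnv` and `describeCredentials` and all sample values are assumptions made for illustration; `sessionToken` is the SDK's credentials field for AWS_SESSION_TOKEN.

```javascript
// Added example, not code from the question or from the AWS SDK.
// Key prefixes as listed in the answer: AKIA = IAM user, ASIA = STS.
function credentialsFromEnv(env) {
  const accessKeyId = env.AWS_ACCESS_KEY_ID;
  const secretAccessKey = env.AWS_SECRET_ACCESS_KEY;
  const sessionToken = env.AWS_SESSION_TOKEN;

  if (!accessKeyId || !secretAccessKey) {
    throw new Error('AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set');
  }
  // An STS key sent without its token is what produces
  // "The AWS Access Key Id you provided does not exist in our records."
  if (accessKeyId.startsWith('ASIA') && !sessionToken) {
    throw new Error('ASIA (STS) access key requires AWS_SESSION_TOKEN');
  }
  const credentials = { accessKeyId, secretAccessKey };
  if (sessionToken) credentials.sessionToken = sessionToken;
  return credentials;
}

// Log-safe description: never prints the secret or the token.
function describeCredentials(c) {
  const kind = c.accessKeyId.startsWith('ASIA') ? 'STS (temporary)'
    : c.accessKeyId.startsWith('AKIA') ? 'IAM user (long-lived)' : 'unknown';
  return `${kind} key ${c.accessKeyId.slice(0, 4)}... sessionToken=${'sessionToken' in c}`;
}

// Constructed sample environments (placeholder values, not real keys).
const stsEnv = {
  AWS_ACCESS_KEY_ID: 'ASIAEXAMPLEEXAMPLE00',
  AWS_SECRET_ACCESS_KEY: 'constructed-secret',
  AWS_SESSION_TOKEN: 'constructed-session-token',
};
const brokenEnv = { ...stsEnv, AWS_SESSION_TOKEN: undefined };

console.log(describeCredentials(credentialsFromEnv(stsEnv)));
try {
  credentialsFromEnv(brokenEnv);
} catch (err) {
  console.log('rejected:', err.message);
}

// With the SDK installed, pass the result straight to the client:
//   const s3Client = new S3Client({
//     region: 'us-west-2',
//     credentials: credentialsFromEnv(process.env),
//   });
```

Failing at client construction gives a local, explicit error instead of the misleading "does not exist in our records" response from the service.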
