When I try to make a GET or PUT request in Amazon DynamoDB, I get a "security token included in the request is invalid" error.
Short description
You might get the security token included in the request is invalid error in the following situations:
- You used a temporary credential for your AWS client and the credentials expired.
- There's an issue with the security token that you used to authenticate your request.
- Your Amazon Elastic Compute Cloud (Amazon Ec2) instance's date and time aren't correctly set and cause your AWS credentials to be rejected.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use the Amazon Time Sync Service or another NTP source
To maintain an accurate time reference for your instance, configure the Amazon Time Sync Service or another Network Time Protocol (NTP) source.
Update your AWS credentials
To review your credentials, run the update-access-key command with the --debug setting. If you use a security token service, then run the get-caller-identity command. If your AWS credentials are incorrect, then use the AWS CLI to update your AWS access key ID and secret access key.
Configure your AWS CLI or AWS SDK with the correct credentials
To configure your credentials in the AWS CLI, run the configure command.
To configure your credentials in AWS SDKs, you can use environment variables, an AWS credentials file, or AWS Secrets Manager.
Refresh your temporary credentials
If you use temporary credentials for DynamoDB, then refresh your credentials 5 minutes before the credentials are set to expire.
Use an IAM role for your instance
If you use an EC2 instance as a client machine, then attach an instance profile to your instance. Make sure that you don't specify any other credentials in your code or on the instance. The instance profile is the last place that the default credential provider chain searches for credentials. If the credentials are located earlier in the search chain, then you can't use the AWS Identity and Access Management (IAM) role. For more information, see Configuration and credentials precedence.
Rotate your credentials
If you continue to experience issues, then rotate your credentials.
Related information
Provide temporary credentials to the SDK