When I used my AWS Identity and Access Management (IAM) credentials to authenticate, I received an error similar to the following: "An error occurred (InvalidClientTokenId) when calling the ### operation: The security token included in the request is invalid".
Short description
This authentication error occurs because your IAM credentials aren't configured correctly, are expired or deleted, are in an unexpected location, or they use an incorrect key pair. The credentials used depend on the order and precedence of the credential providers. For more information, see Configuration and credentials precedence.
Resolution
To resolve this error, find the user credential location, verify that the credentials are valid, and then update or replace the credentials.
In the following example use case, the error occurs from an Amazon Elastic Compute Cloud (Amazon EC2) instance because the credentials aren't valid.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Find the user credential location
To get the IAM credentials used by the EC2 instance, run the AWS CLI command get-caller-identity:
aws sts get-caller-identity --debug
Example output:
2024-06-04 11:28:22,588 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2024-06-04 11:28:22,588 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2024-06-04 11:28:22,588 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2024-06-04 11:28:22,588 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2024-06-04 11:28:22,588 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2024-06-04 11:28:22,588 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
In the previous example output, the credentials used by the EC2 instance are read from the ~/.aws/credentials file, which the shared-credentials-file provider found before the instance profile (iam-role) was consulted.
Note: The ~/.aws/credentials file contains credential details for your IAM entities. When you manage your credentials, make sure that you follow security best practices in IAM.
Verify that the credentials are valid
To verify that the credentials are valid for the location and API call action, follow these steps.
- To verify which credentials are used by the EC2 instance, run the following commands:
cd ~/.aws
cat credentials
Example output:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- To verify that the access key permissions are valid, use the AWS Management Console or the AWS CLI.
Note: If you use temporary security credentials, then the access keys might be expired. Expired temporary credentials can't be used for any type of access request, including API calls.
Update or replace the credentials
If the credentials are expired or deleted, then update the credentials. If the credentials aren't valid, then follow these steps to use the AWS CLI to validate and update the credentials.
Note: If you use long-term credentials, then make sure that the access key ID is valid. It's a best practice to use temporary security credentials instead of long-term credentials such as access keys. For more information, see Alternatives to long-term access keys.
If you use a named profile with the AWS CLI, then make sure that the aws_access_key_id and aws_session_token settings have the correct values. The profile settings are stored in the ~/.aws/credentials or ~/.aws/config files.
If you have credentials stored in environment variables that aren't valid, then run the following command to remove them:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
If you updated your profile settings, then make sure that you reset the environment variables.
After you have updated or replaced the credentials, run the AWS CLI command get-caller-identity to verify that the credentials are valid:
aws sts get-caller-identity --debug
Example output:
2024-06-04 12:46:07,167 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2024-06-04 12:46:07,167 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2024-06-04 12:46:07,168 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2024-06-04 12:46:07,168 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2024-06-04 12:46:07,168 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2024-06-04 12:46:07,168 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
2024-06-04 12:46:07,168 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2024-06-04 12:46:07,169 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2024-06-04 12:46:07,169 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2024-06-04 12:46:07,169 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2024-06-04 12:46:07,169 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2024-06-04 12:46:07,177 - MainThread - botocore.credentials - DEBUG - Found credentials from IAM Role: ec2_Role
In the previous output, Amazon EC2 instance profile credentials are used by the instance because there are no other credentials stored with a higher precedence.
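The checks in the two procedures above (finding which provider supplied the credentials, and confirming that a profile's key material is consistent before you replace it) can be scripted. The following POSIX sh helpers are an added example, not code from the AWS article: cred_source_from_debug extracts the provider named in the "Found credentials" line of `aws sts get-caller-identity --debug` output, env_credential_vars lists the environment variables that would take precedence over the shared credentials file and the instance profile, key_kind classifies an access key ID by its prefix (AKIA for long-term IAM user keys, ASIA for temporary STS credentials), and check_profile flags a profile that is missing a key, a secret, or the session token that a temporary key requires. The debug lines and credentials-file text embedded below are constructed sample input; the profile name tempprofile and the ASIA key ID are placeholders.

```shell
#!/bin/sh
# Added example, not part of the AWS re:Post article. Sample data is constructed.

# Print the provider named in the last "Found credentials ..." line of the
# --debug output passed as $1 (e.g. "IAM Role: ec2_Role").
cred_source_from_debug() {
    printf '%s\n' "$1" | awk '
        /Found credentials/ { sub(/.*Found credentials (from|in) /, ""); src = $0 }
        END { print src }'
}

# List credential-related environment variables that are currently set.
# These sit at the top of the provider chain, ahead of ~/.aws/credentials
# and the EC2 instance profile, so stale values here cause InvalidClientTokenId.
env_credential_vars() {
    set_vars=""
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE; do
        eval "val=\${$v:-}"
        [ -n "$val" ] && set_vars="$set_vars $v"
    done
    echo "${set_vars# }"
}

# Classify an access key ID by prefix: AKIA = long-term, ASIA = temporary (STS).
key_kind() {
    case "$1" in
        AKIA*) echo long-term ;;
        ASIA*) echo temporary ;;
        *)     echo unknown ;;
    esac
}

# Inspect one profile in credentials-file text ($1 = file contents, $2 = profile name).
# Prints ok, missing-key-id, missing-secret, or temporary-key-without-session-token.
check_profile() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { split("", conf) }
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want && index($0, "=") > 0 {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            conf[k] = v
        }
        END {
            if (!("aws_access_key_id" in conf))     { print "missing-key-id"; exit }
            if (!("aws_secret_access_key" in conf)) { print "missing-secret"; exit }
            if (conf["aws_access_key_id"] ~ /^ASIA/ && !("aws_session_token" in conf)) {
                print "temporary-key-without-session-token"; exit
            }
            print "ok"
        }'
}

# Constructed sample --debug output (abbreviated) and credentials file.
SAMPLE_DEBUG='2024-06-04 12:46:07,167 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2024-06-04 12:46:07,169 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2024-06-04 12:46:07,177 - MainThread - botocore.credentials - DEBUG - Found credentials from IAM Role: ec2_Role'

SAMPLE_CREDS='[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[tempprofile]
aws_access_key_id=ASIAEXAMPLEEXAMPLE00
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

echo "credential source: $(cred_source_from_debug "$SAMPLE_DEBUG")"
echo "env vars set: ${env_vars:-$(env_credential_vars)}"
echo "default profile: $(check_profile "$SAMPLE_CREDS" default) ($(key_kind AKIAIOSFODNN7EXAMPLE))"
echo "tempprofile: $(check_profile "$SAMPLE_CREDS" tempprofile) ($(key_kind ASIAEXAMPLEEXAMPLE00))"

# Against a live host, feed the real debug output in instead of the sample:
if command -v aws >/dev/null 2>&1; then
    echo "live source: $(cred_source_from_debug "$(aws sts get-caller-identity --debug 2>&1)")"
fi
```

On an EC2 instance, the intended result is an empty env_credential_vars list, no stray [default] section in ~/.aws/credentials, and a credential source of "IAM Role: ..."; a tempprofile-style result means a session token was dropped when the temporary keys were pasted into the file, which produces exactly the InvalidClientTokenId error this article covers.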
Related information
Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?
Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?
Managing AWS STS in an AWS Region