Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?
I assumed an AWS Identity and Access Management (IAM) role and my API call returned an error similar to the following:
"An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."
The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions (for example, Bahrain) are not enabled by default and accept only version 2 session tokens. This error can occur when version 1 session tokens are used to make a request to service endpoints in an AWS Region that is not enabled by default. For more information, see Managing AWS STS in an AWS Region.
Session tokens obtained from a Regional AWS STS endpoint are version 2 and are valid in all AWS Regions. As a best practice, use Regional STS endpoints. Using an endpoint that is geographically closer to your application reduces latency and provides better response times.
Use one of the following methods to resolve this issue.
Change Region compatibility of session tokens for global endpoint
By default, AWS STS calls to the global endpoint issue version 1 session tokens. Version 1 tokens are valid only in AWS Regions that are enabled by default. However, you can configure the STS global endpoint to issue version 2 tokens, which can be used in all AWS Regions.
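The token-version rules for Regional and global endpoints described above, together with a role assumption through a Regional STS endpoint, as an added Python example that is not AWS's own code. It assumes boto3 is installed for the two functions that call AWS; the function names, the set of opt-in Regions, and the role ARN are supplied by the caller and are not from the article.

```python
# Added example. The helper names are hypothetical; boto3 is only needed
# by the two functions at the bottom that talk to AWS.
from urllib.parse import urlparse

GLOBAL_STS_HOST = "sts.amazonaws.com"


def regional_sts_endpoint(region):
    """Regional STS endpoint URL for a standard-partition Region."""
    return f"https://sts.{region}.amazonaws.com"


def token_version(sts_endpoint_url, global_version=1):
    """Session token version issued by the given STS endpoint.

    Regional endpoints issue version 2. The global endpoint issues
    version 1 unless the account setting was changed to version 2.
    """
    host = urlparse(sts_endpoint_url).hostname or ""
    if host.lower() == GLOBAL_STS_HOST:
        return global_version
    return 2


def token_valid_in(region, version, opt_in_regions):
    """Version 1 tokens are rejected by Regions not enabled by default."""
    return version == 2 or region not in opt_in_regions


def read_global_endpoint_token_version():
    """Read the account's global-endpoint token version (1 or 2)."""
    import boto3  # lazy import so the helpers above work without boto3
    summary = boto3.client("iam").get_account_summary()["SummaryMap"]
    return summary["GlobalEndpointTokenVersion"]


def assume_role_regional(role_arn, session_name, region):
    """Assume a role through the Regional STS endpoint (version 2 token)."""
    import boto3
    sts = boto3.client("sts", region_name=region,
                       endpoint_url=regional_sts_endpoint(region))
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]
```

Passing the result of `read_global_endpoint_token_version()` as `global_version` shows whether credentials already obtained from the global endpoint can be expected to work in a Region such as Bahrain (`me-south-1`).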