Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?


I assumed an AWS Identity and Access Management (IAM) role and my API call returned an error similar to the following: "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."

Short description

The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions aren't activated by default and accept only the updated version of session tokens. This error occurs if version 1 session tokens make a request to service endpoints in an AWS Region that isn't activated by default. For more information, see Managing AWS STS in an AWS Region.

Resolution

Session tokens obtained from a Regional AWS STS endpoint are of version 2 and valid in all AWS Regions. It's a best practice to use Regional AWS STS endpoints.

Use one of the following methods to resolve this issue.

Obtain tokens from a Regional endpoint

The following example command uses AWS SDK for Python (Boto3):

import boto3

# Replace existing code that creates the STS client with the following:
sts_client = boto3.client('sts', region_name='your-region', endpoint_url='https://sts.your-region.amazonaws.com')

Note:

  • Replace your-region, AccountID, and RoleName as per your environment.
  • Setting the endpoint_url is required to configure the STS client for the Regional endpoint.

To use Regional endpoints with the AWS CLI, be sure to include the --region and --endpoint-url options in your existing command.

Example command:

aws sts assume-role --role-arn arn:aws:iam::AccountID:role/RoleName --role-session-name RoleName --region your-region --endpoint-url https://sts.your-region.amazonaws.com

Important: For Regions that are activated by default, you must activate the Regional STS endpoint in the account where the temporary credentials are generated. It doesn't matter whether a user is signed into the same account or a different account when they make the request. For Regions that are manually activated, activate the Region in both the account that makes the request and the account where the credentials are generated. If you don't do this, then you might receive the InvalidClientTokenId error. For more information, see Activating and deactivating AWS STS in an AWS Region.

Change Region compatibility of session tokens for global endpoint

By default, calls to the AWS STS global endpoint issue version 1 session tokens. Version 1 tokens are valid only in AWS Regions that are activated by default. However, you can configure the STS global endpoint to issue version 2 tokens, which can be used in all AWS Regions.

For more information, see Managing global endpoint session tokens.

Important: Version 2 tokens include more characters than version 1. This might affect the existing systems where you temporarily store tokens.
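The two fixes above (assuming a role through a Regional STS endpoint, and switching the global endpoint to version 2 tokens) as an added Python example; this is not code from the article. The Region name, role ARN and session name are placeholders, and the global-endpoint change uses the IAM GetAccountSummary and SetSecurityTokenServicePreferences APIs.

```python
import re

# Region names look like us-east-1, eu-central-2, ap-southeast-3, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def regional_sts_endpoint(region: str) -> str:
    """Return the Regional STS endpoint URL, rejecting placeholders like 'your-region'."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a valid Region name: {region!r}")
    return f"https://sts.{region}.amazonaws.com"


def regional_sts_client_kwargs(region: str) -> dict:
    """boto3.client('sts', ...) arguments that pin the Regional endpoint.
    Both region_name and endpoint_url are set, as the article requires."""
    return {"region_name": region, "endpoint_url": regional_sts_endpoint(region)}


def assume_role_regional(region: str, role_arn: str, session_name: str) -> dict:
    """Assume a role via the Regional endpoint so the returned session token is
    version 2 and valid in every Region, including ones not activated by default."""
    import boto3  # imported here so the helpers above run without boto3 installed
    sts = boto3.client("sts", **regional_sts_client_kwargs(region))
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def ensure_global_endpoint_v2(iam) -> bool:
    """Make the global STS endpoint issue version 2 tokens for this account.
    Returns True if the preference was changed, False if it was already v2.
    `iam` is a boto3 IAM client (or any object with the same two methods)."""
    summary = iam.get_account_summary()["SummaryMap"]
    if summary.get("GlobalEndpointTokenVersion") == 2:
        return False
    iam.set_security_token_service_preferences(GlobalEndpointTokenVersion="v2Token")
    return True


if __name__ == "__main__":
    # Placeholders: replace with a real Region, account ID and role name.
    creds = assume_role_regional("us-east-1", "arn:aws:iam::AccountID:role/RoleName", "RoleName")
    print("session token length:", len(creds["SessionToken"]))
```

Remember that version 2 tokens are longer, so any cache or database column that stores the SessionToken must accommodate the larger value.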

Related information

Managing AWS STS in an AWS Region

Regions and endpoints

AWS OFFICIAL, updated 4 months ago
3 Comments

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Done all the above steps and yet same issue.

replied 9 months ago

Hi @awsofficial,

I would need your assistance for a similar issue. I have performed all the necessary steps to enable global endpoints in STS, but still, whenever I make an API call, I get this error from Lambda:

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Would appreciate any help possible.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 9 months ago