"Invalid Client Token ID" error when I try to assume a new role ARN

Hi Mina,

Thanks for your quick response! I have some questions regarding these troubleshooting options.

"Check the trust relationship of the role you're trying to assume. It must trust your account or user." --- At current state, I cannot access the credentials or trust policies corresponding to the role ARN I have been provided, as the new role does not appear when I search in my team's AWS Admin account. Am I looking in the wrong place? My assumption is that once I assume the role for the first time, the role will become accessible from our account, and I will gain the ability to edit the trust permissions of the role. Is there a workaround I'm not aware of?

"Verify the accuracy of the AWS credentials in your profile. Ensure they are active and correctly entered." --- My profile name and security keys are entirely unique and unrelated to my AWS account and/or the role ARN. Are there requirements for these credentials that I may not be meeting (i.e., should they match those of our AWS Admin account, or the role ARN)? Given that I cannot currently access any information about the role, I do not know how to find the correct credential information.

I greatly appreciate your help!

Thanks,

Naomi

These are the instructions that I'm following:

Once a preference is setup, we provide you with a Role ARN and a S3 path. To access data in the S3 bucket you will need to assume the role provided. Only the AWS account Id mentioned in the exports settings has permission to assume role.

Accessing reports: (using AWS CLI - recommended to test if the setup is correct) Step 1: Assume the role provided in the exports settings.

1. aws configure --profile <Choose a profile name>

   <Enter the secret key and access key of the AWS Account user which you are going to use for next steps>

2. aws sts assume-role --role-arn <Role arn on your export page> --role-session-name AWSCLI-Session --profile <Your profile name>

   <This step return new set of credential which are to be entered in the following commands>

3. export AWS_ACCESS_KEY_ID=<Access output from above command>

4. export AWS_SECRET_ACCESS_KEY=<Secret access output from above command>

5. export AWS_SESSION_TOKEN=<Session token output from above command>

6. aws sts get-caller-identity (should return <Role arn on your export page>) If you face issues while assuming role and get an error message which includes “does not have permissions to assume role”, then attach or update the policy with below statement. This statement grants permission to assume the role mentioned under resources.

{ "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::491615475978:role/Export-Approvals-Web-345818695909-Role" ], "Effect": "Allow" }

That sounds great, except that I receive an error every time I try to assume the role using aws sts assume-role: An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid. I need to troubleshoot this step first -- how do I successfully assume the role using this command? I really appreciate your ongoing support here!