Hello,
Thank you for querying in this forum.
From the description, it seems that although you’ve attached an IAM role with full access and valid credentials to your EC2 instance, you are facing the below error when trying to fetch these credentials from the IAM role.
Error: The security token included in the request is invalid.
This error is typically related to the AWS credentials and often happens when the access key/secret key is incorrect. However, as it works when you hard code/provide credentials manually, we can conclude that the IAM credentials are not malformed.
In most cases, customers set up credentials in a file called credentials, found in the ~/.aws/ directory, which is used when checking credentials and is preferred over the IAM role attached to the EC2 instance. There is a great chance that you have stale credentials (either user credentials that were deleted or are inactive) in your ~/.aws/credentials file that need to be removed, or the word "default" in the file needs to be changed to something else.
At times, there is also an aws_session_token in the [default] profile of the credentials file that was probably left over from a previous use: $ aws configure overwrote the access key and secret key but did not delete the old session token [1].
In other words, it is fetching credentials different from the ones you expect it to use, such as from a credentials file instead of an instance profile. This is because the credentials file has a higher precedence than the instance profile, so it is used first [2].
I suggest you check the following:
- Make sure that the AWS CLI is properly installed and configured on the instance [3]. Run the $ aws configure command and input the necessary information if not already done.
- If already done, check whether any credentials were configured using the "aws configure" command on the instance earlier. To check the credential configuration, use the command $ aws configure list.
- Please look at ~/.aws/credentials and ~/.aws/config as well.
- Back up the credentials file under a new name and then delete the credentials file. Then run "$ aws configure list" again and see if the CLI is now correctly using the instance profile.
However, if you still continue to face this issue, we would be required to perform resource-level troubleshooting to investigate further. Hence, please create a support case with AWS Premium Support and we will be glad to assist you.
Thank you for your interest in re:Post community. Have a great day!
References
I followed your steps and removed all files from ~/.aws. Now if I run the command "aws configure list", it shows me credentials fetched from iam_role, but the profile is <not set> and they also don't have a session token, due to which I still encounter that error.
profile <not set> None None
access_key ****************JtyI iam-role
secret_key ****************ItyG iam-role
region us-east-1 imds
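As an added example (not code from the answer above or from AWS), the following Python audits a credentials file for the stale-session-token and [default]-shadowing conditions the answer describes, and parses `aws configure list` output like the listing in the comment to show which source the CLI is really using. The sample file contents and listing are constructed; the AKIA/ASIA prefix rule is the documented AWS convention for long-term versus temporary access keys.

```python
import configparser

# Constructed sample of a ~/.aws/credentials file: `aws configure` rewrote the
# keys in [default] but left an aws_session_token from an earlier session behind.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1
aws_session_token = EXAMPLEleftoverTokenFromEarlierSession
"""

# Constructed sample of `aws configure list` output after the file was removed,
# shaped like the listing in the comment above.
SAMPLE_CONFIGURE_LIST = """\
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************JtyI         iam-role
secret_key     ****************ItyG         iam-role
    region                us-east-1             imds
"""

def audit_credentials(text):
    """Return (profile, finding) pairs for profiles that can trigger
    'The security token included in the request is invalid'."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        key = cp[profile].get("aws_access_key_id", "")
        token = cp[profile].get("aws_session_token")
        if profile == "default":
            # [default] in the file is tried before the instance profile (IMDS)
            findings.append((profile, "shadows the instance profile"))
        # Long-term IAM user keys begin with AKIA and never use a session token;
        # only temporary ASIA keys do, so AKIA plus a token is a stale leftover.
        if token and key.startswith("AKIA"):
            findings.append((profile, "stale aws_session_token next to AKIA key"))
    return findings

def credential_sources(listing):
    """Parse `aws configure list` output into {row name: Type column}."""
    sources = {}
    for line in listing.splitlines()[2:]:  # skip the header and dashes rows
        tokens = line.split()
        if not tokens:
            continue
        # "<not set>" occupies two tokens; the Type column follows the value
        sources[tokens[0]] = tokens[3] if tokens[1] == "<not" else tokens[2]
    return sources
```

If `credential_sources(...)["access_key"]` reports `shared-credentials-file` rather than `iam-role`, the file is still winning over the instance profile and `audit_credentials` shows why.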