An error occurred (UnrecognizedClientException) when calling the ListClusters operation: The security token included in the request is invalid

0

https://aws.amazon.com/cn/premiumsupport/knowledge-center/iam-assume-role-cli/

Following this tutorial, I ran aws sts get-caller-identity and confirmed that the identity was switched correctly, but I encounter the following error when running

aws eks list-clusters --region ap-east-1

An error occurred (UnrecognizedClientException) when calling the ListClusters operation: The security token included in the request is invalid

There is no problem when specifying other regions. I have confirmed that both account A and account B have enabled the ap-east-1 region. The trust relationship for the IAM role is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountA:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

I can run the same command normally in CloudShell. Why is this?

ives
asked a year ago · 28742 views
2 Answers
0

When encountering the UnrecognizedClientException error in the ap-east-1 region with AWS EKS and assuming it works in other regions and CloudShell, consider these potential issues:

Temporary Credentials: There might be a delay in the propagation of temporary credentials obtained through sts assume-role.

IAM Role Permissions: Ensure the assumed role has permissions for eks:ListClusters and no explicit deny policies are affecting ap-east-1.

Region-Specific Restrictions: Check for any account or organizational policies that might restrict actions in the ap-east-1 region.

CLI Configuration: Verify that your local AWS CLI is up to date and the environment variables are correctly set after assuming the role.

Token Validity: Make sure the session token hasn't expired; the default duration is 1 hour, but it can be extended up to 12 hours.

EXPERT
answered a month ago
  • Thanks, it seems that I might be seeing a very similar issue - ListClusters (using Paws, but the same outcome) works in all regions on multiple accounts, except one specific region. Searching for that region in IAM policies did not turn up anything.

    Would you happen to have any hints on where the relevant configuration for these two items could be?

    "IAM Role Permissions: Ensure the assumed role has permissions for eks:ListClusters and no explicit deny policies are affecting... Region-Specific Restrictions: Check for any account or organizational policies that might restrict actions..."

  • Wondering whether it could be related to the note in https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html - "session tokens from the global AWS STS endpoint are valid only in AWS Regions that you enable, or that are enabled by default". The problematic region is not enabled by default.
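The comment above points at the root cause the answer's checklist does not name explicitly: a session minted at the global STS endpoint is not accepted in an opt-in region, so the same session works everywhere except there. The script below is an added example (not from the re:Post thread, the AWS documentation, or the original poster) that checks the region's opt-in status, assumes the role at the regional STS endpoint of the target region, and then verifies the identity and the EKS call with that session in the same region. It assumes AWS CLI v2 on PATH, base (account A) credentials already configured, and a role ARN and region supplied by the caller; the role ARN shown in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): mint the cross-account session
# at a REGIONAL STS endpoint and verify it in an opt-in region such as
# ap-east-1. Tokens from the global endpoint sts.amazonaws.com are not valid
# in regions that are not enabled by default, which surfaces as
# UnrecognizedClientException in that one region only.
# Assumptions: AWS CLI v2 installed, base credentials configured, ROLE_ARN and
# REGION passed as arguments (see usage line at the bottom).

# Regional STS endpoint for a region (commercial and China partitions).
sts_endpoint_for_region() {
    case "$1" in
        cn-*) echo "https://sts.$1.amazonaws.com.cn" ;;
        *)    echo "https://sts.$1.amazonaws.com" ;;
    esac
}

# Turn the tab-separated "AccessKeyId SecretAccessKey SessionToken" line that
# `--output text` prints into export statements (reads one line from stdin).
session_exports() {
    tab=$(printf '\t')
    IFS="$tab" read -r ak sk st
    printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
        "$ak" "$sk" "$st"
}

# Opt status of a region for the calling account. Prints one of
# ENABLED, ENABLED_BY_DEFAULT, DISABLED, ENABLING, DISABLING.
# Needs account:GetRegionOptStatus on the caller.
region_opt_status() {
    aws account get-region-opt-status --region-name "$1" \
        --query 'RegionOptStatus' --output text
}

# Assume the role at the regional STS endpoint of the target region and print
# the credential triple as a single tab-separated line.
assume_role_regional() {
    role_arn=$1; region=$2; session_name=${3:-regional-sts-check}
    aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session_name" \
        --region "$region" \
        --endpoint-url "$(sts_endpoint_for_region "$region")" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text
}

# Full check: region status in account A, regional assume-role, then region
# status in account B plus identity and EKS calls with the new session.
diagnose() {
    role_arn=$1; region=$2
    status=$(region_opt_status "$region")
    echo "region $region opt status (base account): $status"
    case "$status" in
        ENABLED|ENABLED_BY_DEFAULT) ;;
        *) echo "region $region is not enabled for the base account" >&2; return 1 ;;
    esac

    creds=$(assume_role_regional "$role_arn" "$region") || return 1

    # A subshell keeps the session variables out of the caller's environment.
    (
        eval "$(printf '%s\n' "$creds" | session_exports)"
        echo "region $region opt status (assumed account): $(region_opt_status "$region")"
        echo "identity in $region:"
        aws sts get-caller-identity --region "$region" --output text
        echo "EKS clusters in $region:"
        aws eks list-clusters --region "$region" --query 'clusters' --output text
    )
}

# Usage: sh regional_sts_check.sh arn:aws:iam::<ACCOUNT_B_ID>:role/<ROLE_NAME> ap-east-1
if [ "$#" -ge 2 ]; then
    diagnose "$1" "$2"
fi
```

If the session is minted by a tool that still defaults to the global endpoint (AWS CLI v1, or an SDK client with no region configured), setting `AWS_STS_REGIONAL_ENDPOINTS=regional` before the assume-role call has the same effect as the explicit `--endpoint-url` above; tokens from any regional STS endpoint are valid in all regions the account has enabled.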

-1

Hi,

Security token is invalid: it appears the credentials are not correct. I assume you're trying cross-account access.

Follow this article to ensure the IAM role and policies are defined correctly - https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/

And then use this page to switch to the role from the CLI - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

AWS
answered a year ago
  • Same operation and CLI command; the error occurs only in the ap-east-1 region.
